93051ece8f556a585b7a524b558276f25dd0780bea2558045dc3f02f0c537564

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pdfcompressor.exe
Size

15.3MB
MD5

c49995e16bc41dce2d713d1763f3d4b9
SHA1

d4fd536a691ab0c10bcfe748b7679c7f859dfaa2
SHA256

93051ece8f556a585b7a524b558276f25dd0780bea2558045dc3f02f0c537564
SHA512

0447fd3fc56735ddfc4eba162fb00eab7fd24ef787146dfc72201c6220e4ceaaaea1f1f9a2dbe1ee5eab99606eb6436db9dd2ec7beb8b0a1630eba87e2f04909
SSDEEP

393216:P+KLe0WDeNyBbvK6mdvMZ7Hpja2Olq3WMNREFABNWwN:P+KLGPtvKjMZ7HpjaDlqTN7

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\libstdc++-6.dll	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\pdftoxd.dll	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\gswin32c.exe	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-FG0R8.tmp	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\unins000.dat	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\qpdf.exe	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\qpdf3.dll	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\is-3R85B.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\is-0S6JM.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-1D4EQ.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\gs916\is-T636R.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\gs916\is-3710L.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\gs916\is-USE3U.tmp	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\gsdll32.dll	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\is-T114D.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-P4SGH.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-ORVEJ.tmp	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\libgcc_s_dw2-1.dll	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\pdfctl32.dll	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-SEVNV.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-N04AP.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-7NKTU.tmp	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\PDFCompressor.exe	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\gs916\gswin32c.exe	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-K3N59.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-B0D0J.tmp	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\zlib-flate.exe	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\gs916\gsdll32.dll	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\is-3BKBI.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-VRE4V.tmp	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\pdftk.exe	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\unins000.dat	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\is-CKVN6.tmp	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\pdftox.dll	pdfcompressor.tmp
File opened for modification	C:\Program Files (x86)\PDF Compressor\data\qpdf17.dll	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\is-12RF0.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\is-8TK3S.tmp	pdfcompressor.tmp
File created	C:\Program Files (x86)\PDF Compressor\data\is-6NTH3.tmp	pdfcompressor.tmp

Executes dropped EXE 5 IoCs

pid	Process
2136	pdfcompressor.tmp
5104	PDFCompressor.exe
1472	qpdf.exe
3100	qpdf.exe
5092	qpdf.exe

Loads dropped DLL 13 IoCs

pid	Process
4248	regsvr32.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
1472	qpdf.exe
1472	qpdf.exe
1472	qpdf.exe
1472	qpdf.exe
3100	qpdf.exe
3100	qpdf.exe
3100	qpdf.exe
5092	qpdf.exe
5092	qpdf.exe
5092	qpdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
412	1472	WerFault.exe	113
2892	3100	WerFault.exe	118
1300	5092	WerFault.exe	138

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ListViewCtrl.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ = "IListItems"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\ = "IListItem"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	PDFCompressor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ = "IImageCombo"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	PDFCompressor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Version\ = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	PDFCompressor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\ = "Microsoft ImageComboBox Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip.2\ = "Microsoft TabStrip Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\ToolboxBitmap32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\ = "IPanel"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl\CLSID\ = "{8E3867A3-8586-11D1-B16A-00C0F0283628}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.SBarCtrl.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ = "ImageListEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}\ = "ITabStripEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	pdfcompressor.tmp
2136	pdfcompressor.tmp
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5064	msedge.exe
5064	msedge.exe
3972	msedge.exe
3972	msedge.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
5104	PDFCompressor.exe
4276	msedge.exe
4276	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5104	PDFCompressor.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5028	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2136	pdfcompressor.tmp
5104	PDFCompressor.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe
2612	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5104	PDFCompressor.exe
5104	PDFCompressor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2136	2480	pdfcompressor.exe	87
PID 2480 wrote to memory of 2136	2480	pdfcompressor.exe	87
PID 2480 wrote to memory of 2136	2480	pdfcompressor.exe	87
PID 2136 wrote to memory of 4248	2136	pdfcompressor.tmp	95
PID 2136 wrote to memory of 4248	2136	pdfcompressor.tmp	95
PID 2136 wrote to memory of 4248	2136	pdfcompressor.tmp	95
PID 2136 wrote to memory of 5104	2136	pdfcompressor.tmp	99
PID 2136 wrote to memory of 5104	2136	pdfcompressor.tmp	99
PID 2136 wrote to memory of 5104	2136	pdfcompressor.tmp	99
PID 5104 wrote to memory of 3972	5104	PDFCompressor.exe	101
PID 5104 wrote to memory of 3972	5104	PDFCompressor.exe	101
PID 3972 wrote to memory of 4304	3972	msedge.exe	102
PID 3972 wrote to memory of 4304	3972	msedge.exe	102
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 2548	3972	msedge.exe	103
PID 3972 wrote to memory of 5064	3972	msedge.exe	104
PID 3972 wrote to memory of 5064	3972	msedge.exe	104
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105
PID 3972 wrote to memory of 2468	3972	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\pdfcompressor.exe
"C:\Users\Admin\AppData\Local\Temp\pdfcompressor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\is-KNBN8.tmp\pdfcompressor.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KNBN8.tmp\pdfcompressor.tmp" /SL5="$90052,15632279,228352,C:\Users\Admin\AppData\Local\Temp\pdfcompressor.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\PDF Compressor\MSCOMCTL.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4248
- - C:\Program Files (x86)\PDF Compressor\PDFCompressor.exe
    "C:\Program Files (x86)\PDF Compressor\PDFCompressor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pdfcompressor.net/tutorial.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb653346f8,0x7ffb65334708,0x7ffb65334718
        5⤵
        
        PID:4304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,997261092187085537,12069975476795684128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        5⤵
        
        PID:2548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,997261092187085537,12069975476795684128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,997261092187085537,12069975476795684128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
        5⤵
        
        PID:2468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,997261092187085537,12069975476795684128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:3532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,997261092187085537,12069975476795684128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:1520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,997261092187085537,12069975476795684128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        5⤵
        
        PID:4324
  - - C:\Program Files (x86)\PDF Compressor\data\qpdf.exe
      "C:\Program Files (x86)\PDF Compressor\data\qpdf.exe" --decrypt c:\jpgtmp\0.pdf "c:\jpgtmp\StartRedo.pdf"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 276
        5⤵
        Program crash
        
        PID:412
  - - C:\Program Files (x86)\PDF Compressor\data\qpdf.exe
      "C:\Program Files (x86)\PDF Compressor\data\qpdf.exe" --decrypt c:\jpgtmp\1.pdf "c:\jpgtmp\StartRedo.pdf"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 240
        5⤵
        Program crash
        
        PID:2892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pdfcompressor.net/register.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb653346f8,0x7ffb65334708,0x7ffb65334718
        5⤵
        
        PID:3768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        
        PID:5048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
        5⤵
        
        PID:1388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        5⤵
        
        PID:3512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:5076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
        5⤵
        
        PID:4824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
        5⤵
        
        PID:3628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
        5⤵
        
        PID:3888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
        5⤵
        
        PID:2000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        5⤵
        
        PID:2560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
        5⤵
        
        PID:2692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
        5⤵
        
        PID:2340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2072,13832337290905187714,18360485520297815657,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5732 /prefetch:6
        5⤵
        
        PID:812
  - - C:\Program Files (x86)\PDF Compressor\data\qpdf.exe
      "C:\Program Files (x86)\PDF Compressor\data\qpdf.exe" --decrypt c:\jpgtmp\0.pdf "c:\jpgtmp\StartRedo.pdf"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 240
        5⤵
        Program crash
        
        PID:1300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1472 -ip 1472
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3100 -ip 3100
1⤵
PID:3884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4 0x424
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5092 -ip 5092
1⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\StartRedo.pdf
1⤵
PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb653346f8,0x7ffb65334708,0x7ffb65334718
  2⤵
  PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PDF Compressor\MSCOMCTL.OCX

Filesize
1.0MB

MD5
f7bbb7d79adb9e3adc13f3b3c33d3d4d

SHA1
cacb4b31d22419e6a9ddbffcf61ae42da0d5fb8a

SHA256
18a83d7a420a17fcb6f56eb3ba5362c975d32e5ded7553c6fd407f07bdb7b006

SHA512
4870ddbdf283d7f7f64d3f4bf556600a78804f6a94fc2ca7eb778e85d70b6d2d017aa35cbddf773b6a1b6d9a2813cd67fe54ede7859050a254a3e3c05616ae0e

Download Submit
C:\Program Files (x86)\PDF Compressor\PDFCompressor.exe

Filesize
871KB

MD5
037258001136ca409f49373f7476bb40

SHA1
30aa68a540bf42df5655337527f6d98b4c1c5ec7

SHA256
d6cb7b8e7c48b69d7d30ee22fb07524c89f2f9f40eac5871a989deb08758f6cb

SHA512
021569651ad47950135e55c311c4a8c17d12fb73805930960045da2a91a8961857064288b08c3afbb1b10c766959cb10835612fe6e7a3f956a7a8015e9df5859

Download Submit
C:\Program Files (x86)\PDF Compressor\PDFtoxd.dll

Filesize
1.7MB

MD5
7d82d53f9e19a3c37cd8a70bb656afb3

SHA1
fb99bfd679e6c41bfb7fa4b9850b3662f02a433e

SHA256
29b28f9d967108e2d84525e88e88a649e9fa44c4d6d54de02861ec9d51b81af6

SHA512
b3f95386efbf4b0999651196529012fc129e682d04ecaa8af1c4efa2771e16d7fa275083ca17b5a3bf5da7f757320866a61d96407a982ba59be36e10812344c6

Download Submit
C:\Program Files (x86)\PDF Compressor\data\libgcc_s_dw2-1.dll

Filesize
116KB

MD5
f914300b657c549d8b286cee0c0f152f

SHA1
e4101f2b5c3ea30ca2fa0dc764e1dfa2e5ad02bd

SHA256
ae19de88d6e4538130baa7c59ec59e9d8aeaa87831e7ecafeaf9c0dc1598b280

SHA512
67c3c60ffc7557a565439a6f12d2d0aecb2a4ac22a68c50acb64bea8d272a0289e63b9fa5af5661f19c9818cf4dd9dccffd5c822246f1387e9493fef90a14301

Download Submit
C:\Program Files (x86)\PDF Compressor\data\libstdc++-6.dll

Filesize
957KB

MD5
4048472fea975ba7104bea62e2f3c832

SHA1
4b912efb190ce0eea44d2447a467147445a123cf

SHA256
231b02cda9b8218b18eba373dd2c1e36de1d1eed3161782dfa82488ab0491f1c

SHA512
9a9090c232f674bdcee76fc4e77ccf9b0dda5f3f6f28383f412582ac363fb1249d5d192dcbbe04ff249de01db0bde3c9455d2ce4631a994a84a8977e23e9e4a0

Download Submit
C:\Program Files (x86)\PDF Compressor\data\qpdf.exe

Filesize
76KB

MD5
53c7e75cb8754eba10f79d31c25fd4fc

SHA1
4c222e98784c3085e75a2d661673ec1b711873fd

SHA256
d901bee7527a2ade37b707fca1e15db9955f112ac894b5f9485720777a5b124d

SHA512
93ca1fcb4ecfd9f5b23314346bc617eee7a226dca24463e2f22d9a6e151c0effa2e321ff8da857210e41e2c78fd76f02c230764d021191ff07f28d696a19f29b

Download Submit
C:\Program Files (x86)\PDF Compressor\data\qpdf17.dll

Filesize
839KB

MD5
3d6740ac534a12a8396fd242bdca148a

SHA1
d3f20b59663141a2a367344a3a1dcae948d94078

SHA256
97ab332728f8fa505e097ddac16864e0bbc6703ac40d7125c0720df1c0c45f9c

SHA512
5e53021bc0c90a955477aadf68976cffcf9a747f042c11e332bcf3ed9268db6d13531b77dcf79beb652e428855e592838ee0722ae658f03245c007029fb97f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c37967ad021145cea767b8d6a933b1c

SHA1
e08284996a1395978ec1964f886505c06cac3721

SHA256
33dfa63b58af51680add6cfd72e94b04ec5cbfea7fd33bf2c7b6b40b0c5a1b3b

SHA512
0a36d62e0e211f990bd30fcbb421bb04ff6f6798cb8e70089877c962f5c2c0f5417ff08fee9cfd73166b857710edad518637c30d82af6ba3b0862651abd69372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46229fc8795ebc9813ae2f5b10e8e952

SHA1
6b261f49207e766606a5485b4abc610716769ab2

SHA256
a7ce453ea546063bf333e699d4b4c3ecd7fc83341b17f9a4b25e1ed6cc03cfb5

SHA512
a1c8b9613bf700bebd94c6747c9da0870b98e6ed2500600934f3b24854299ff70c1468d766424665cef0511bf14678b00d43c90b90f2baf2155ed314bf2fbb8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
f8842213ee5badb7febc954155523d45

SHA1
61a61313e40d0704570de4dd5f8fe40c1bf7b7bd

SHA256
56ef24425343177e6af9e38924395ca8f884bd0d3e7e4902f4e0d0414785b0bc

SHA512
53ec4f94a8451be10dc0e384a8cc6090214f2fa91c12ee8beb64a55ee2f366228f4b8aa151785ab521a532282a3c4cc2608b05843bc67043e73f05f41960c13b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
0ac0495aee60de36b23fa2eb34180f31

SHA1
ea1462595a5523b2fb3310130fdbbcacd44d4af3

SHA256
5173b04d97ce686df72879da41cc33ae4bb73e76f3e102323f2043b91079f5cc

SHA512
81111bdf7da4f9d2893bc1877dd9d93d83a0c47e3acd234cc73d9b67048a40c2c0baf470ccbd7bdbb6e62a3d4db4216825a509d8715791e1fc6d0ffe56b2ab37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
87e854f6279f002b486ec8372e168293

SHA1
1391fa75d4a0ee9902c7e93bede11e13ea17d9d6

SHA256
12c57b7bbfb0fe8897b3c87dc044ad96a536b920a8e7a30ad68e34af8f55097c

SHA512
1efd0b02c5cef9fcb9a2ed8ba552d6e96a6696fe1bacf78d1b0603bca18329305794b413d1a12837a67dc9b0db505a7fd8254386cbb4e3ec630b1156e2a5fee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
2883f2a48a132d126ac90e60a7dbf2a2

SHA1
d4bd6b7a548867e52843c1bc05aaff077cc634a7

SHA256
f921b3bccf2a71754fdb011f2cb7cadf3170a3b37f37619dc4cc2d166bae59bd

SHA512
7f741eecd106ab0956f0f34ab43fc8d0c671ac748773c85844cb9134a0603782f2031307dc6f9027b0bb474611bd7d98511e30f119f5fdcffd67953fdef5ab40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
1c835b15682e079996e95eadedf1c698

SHA1
6973b65648193a7254b2edfacad663bc6022a7bb

SHA256
34b7f2fdade18ce2f4a1b6cbd1490e50aac59ae27010504482fe4b6dc1d0ff49

SHA512
2e50c6ea2f4a12ce4a48c0456af4df6a16e77139577257e857a811e2af10adf75744afd449578f927cdb9f60914d4137941d82ca784c17e062af8b9f90b843b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
d4fa5f723adcd5860da0ae29a805d510

SHA1
5e65b45f39558b33f5a867e01f86bf9782e40568

SHA256
6975dc910d7454e09da5909e81bf2385d7fb7b1a3811fd5923ab6c09d9fb5250

SHA512
87e4913f7303e03188df6de794ac2bf834e35f15e4198501b56e89127c05edb6fd46b85a1bc9a3e962daf39b2fe86e69e10793af23780f5a09e0462c165e7954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
235a0a6cd412a808b80701be58d2f61c

SHA1
180db774fdb7123dee64e9660af6068700c64183

SHA256
a8c212e71758605d21ce80d2ce0d4c4fab62b438c1b3508153f75655fe93d3fb

SHA512
0d4c5c9f8f178478785e1a02994bc84151c44f44c1f19e64081cd5fe69dbdb37da6d6eb9749246cc01380b85c3348a0ea8b5da6aea06183db77ac3e5252118ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
fda03f009a4b254f1ac15d6028ede94d

SHA1
43faa320d324f02d0d01ccdd7805712ea13117a1

SHA256
f69ebe686104c7957a01fec4e7b03338e8a5ba0b4913810c05917040a3d73138

SHA512
3c225f2cd3b5a00c1db9582a9497145ba4c357b77e2371137bec151e56e6eba1fae515df42f6bad4726310479be0b4969aa855ca050353818ca89ca6e1a11268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1003B

MD5
5aba4134067a13f658fc78bcdffd0ade

SHA1
9006b75f789a1c708f294de201136977cf462854

SHA256
a1a4a7877fac26eb5243b1ca8b9ce4993c8693d8a788d92509e55a39bee1f953

SHA512
34fc61adc60611d84222c1771c60f18f125886ee5481a888f7db0df4731d5955ea8ca8ef139696add03607900cfae3761eb56c0d2df87dbbfcc26f4ebc2c2af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
2f4f9353e42a3e4e098b6374f3bca4f6

SHA1
4f45f972c884fa996cb010e50bcb2e15d124f42d

SHA256
d4823bef08ae1345fda4e2293e6545c81f56e55e8d524a341fadc6b827591e9c

SHA512
bd65a8872e8311d8b9dc8d27f5ca6ea2bc41ab27e1bd41f451d9c19d3c7d0af499bb15fdb5daf097fab18e80a1ee7ee6cafa2f4d6a515064e86de5cc8f4e8345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
4d942101925e51e9016f7cc48ba15b5a

SHA1
695369ce186d164bdc8a2237624c4bbf1f0e2ce7

SHA256
c63bc9e88f6a77d1a639ec7f0b63c0bb13b292252cd48d7810272fc288eddf56

SHA512
30d9ac360691401dce285c4a3bbb55b335e0d585dcc55c82ee0c1c930045ed97fc7c1a08e78035743cf6a840385e33096ab1ccc5623f15a8571415a37947d777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
6d35e895c1c9dba993106e25c2687904

SHA1
63a5167fd6a3220fcd720e6dc921141deb8c5f2c

SHA256
e58764de3e1acc5bcc4d5d9ee461aa01dfa2612385381b72d4703bd87081620e

SHA512
0628758ee560e328e6f135b24cc68dda44ff05125dbe4f7094215554510e510b83bb56febf91e400362a6f4b6a24e0b0f43fb2fe0ab441033fcdb9d3a608d312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
9695e40a6db3b1a30901615c1ad8085e

SHA1
5c1ed5469624e0d09e3f6260c7818c54ff5cf11d

SHA256
eac17093d95d24a667b3caabbf2ef74d38c4e6488acec85a54ff1acd7d9c5ae1

SHA512
0f925402a78b2a5b506aa7fead378a5cf5004d1d60061a2c06fe26538e35d86100337cadb500754c7dd59b12efc9c87e926f22acc779aa415204af9fa7cb1423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8cd04bb534ac9de31b077aab9bebd090

SHA1
a085dc8ea1a08ff50e57ebfc41b138a132c3b41c

SHA256
0c3ede8dc532f3f2614219e807a1ec49a0f6986c948ce39a8ade2a7d05f73033

SHA512
3d6873119ee98f0bb73382272e41c454b748c60cc77d5d52eb2e944b3153495899cf76b6ab631cfa879ea04a9d94fd294c24ff9b09d472451921bbd8eab427f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31c18eb76db8fda48effd5015a7e9dc8

SHA1
16348a29fbe24c05c1a95c34bc0ac6be8fc272dd

SHA256
633a56796ad5ed5e1e617a15893385c625a2cf985c5379735a39b93327c5d89f

SHA512
0164f27d97dcd79002c56b9446ff1522d4ca482ad1b45423e349ff7ac23138b6b7097c2d2be3aa7f2f7a8573535ed909abc7f57d22dd6ab7ae5ce879bc68b87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc36f989145a0a64b835ba9a6aadf5a3

SHA1
9444e2c79863960f7994da0e988cd1f1cc034304

SHA256
650784d58391f4e81fc17fa9771cab470552adda0a2579b603cb29995134d131

SHA512
0ca86591981190f3a825e8488006786732d3f693466b063fbc382e06f20ba4919d7d3a9213d07aa6018332cd352e84ee111cd875bf973709bd0aa978c9c338a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec73cee59e04d0fdd202696f77c3d556

SHA1
5cef31c1935d09a866fb5ac2561c851ce5fb9648

SHA256
dd3ae0621d6565d311a1ea5147bcde362616793fa16b9382b5f2d27ee20b2ef6

SHA512
121cb5978ce60e67daf1ac59b4fd57bcdfa9edcd745d9c9dac60ec51bc9491d186e30230565071492ebc55b3f7bac77714f2037773d784f9f9be205819ed9b0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8880f36942abbd12ab3974029ddec255

SHA1
57e529ee11184751c08c1ab5af5059243bec51e8

SHA256
21a756431c2fd711f451c362bed6cc30bf58d9f535ec6cc105c1495986979b74

SHA512
7d7b67e95af8ee653d99d0e906b64dbd609445c0ab9a24694a5b552acb48d8e2c8c30b72fa23a8abd7f236ba51e5cfec756c51d1157e3fa09c523da09cf8c16b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
5c85295bba2ecf82b8aedc940797f586

SHA1
c25f4612161e35597400dc9c0c6e73e6a0e321a1

SHA256
d33a226a43ad10c160d87ecb7fe3daa188ac1fa2ca4bc3608a2d9e21bce888e3

SHA512
160def18d2ec7809ee8c3c97e6fde1a1ed3b5ff32f6ed04c26d5646f83aa88f4ef8a7ed7c351e4873ed7386235f639857e4a91b71d603d409caf6e49d79c16cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13356156646473392

Filesize
1KB

MD5
06f6acf204ce99a5861bdd5ea4630ddd

SHA1
d1bb677d8d3e48ce736da984d7d30a1524e635ec

SHA256
b38366800f4a6a1e182f9f13cfcb0eb8fc45c4691d5fcbd36489cd58e687ef3d

SHA512
9cbbef83320505769c265aec3081333646fb9bef2176d16f44770e6029df1632f17dcd1039c4bc0d684c8cd4ff152f26b28b76d71405813c1998d87ccd07d98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
c07132cda0c78af1d456946e3a9fe314

SHA1
344a7e5f82255d7368b50eb2be1813955bacda3d

SHA256
139a13a49471d9fc86d782dddab7341cd6fa144d1ca14a2dd25492b9fcab07d8

SHA512
923cb5c6ac0df54a6945f3aa59606cb0d766520c08dfe347b31ed309bb249d2b6ec4c7fd4e140deffc1dd34791ce4678460c368f30c78ccede8b26f51424c949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
3ac1595ba90452e75cae61ebb21aedb1

SHA1
1df8fd2af61e4b507837bf4b49f028851f3504f4

SHA256
a864018e1cd88a6b2b8443105782369d82a73ae801403ca0db2f46090e73a86e

SHA512
2b2eccbc131c7528460308fbe34f3b188eeb5c39b6c01d3c5d924c75aea2799782d0f06de185511e2a92b089d10d2b776b947d42d652d0967ae8a33f0c39ea54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
61591901e6be0266adbf7bf03a13836b

SHA1
e9ff7f917ef704c3c37418d28bffdb04ddacb6cd

SHA256
95036f071c4a5184f6672877c57d2e93a6d915cd89db086e0d1e371535409332

SHA512
cc0cd82f943cedd2519f205ea3275c53a8c4e6ae4699260188e552aed507ed027304795609b28ab410faeeabdea6f86df98221bb0f594d74674f9e42f191eefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
73fe8bd69a4ab80add5411a86ede9336

SHA1
e1746f27982172d84769ef0b34c5d6ffabe6da7d

SHA256
bf0fa121c62d6fa61c89c2af206c52846008483a7f9f62d559fb9cfe21c552af

SHA512
59669761a09539e82d46976b48434d7a582f0900f2bffe778b6e8d098f53e0cee1cbb79aba9075789fe8975bb4f91e4decc7f1b9d3cff8740faa135a25cbc95f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
e1e9823c004a6ef8252f7f9c2f767a9a

SHA1
0feadb127078bfa9b8ae61e50317fb862b2bb3d8

SHA256
c40f87a2c9f3a1d0e91f48213aaa1e4ca1bbd562d7dc240bff2cd8232b83ae40

SHA512
143c09722ad4f0ec2ac058ee9555af83e065b547d3afde38e1f51ec6ea712a36871c4d1c7a02ed4093971345c85478ab81329c658110ce3bac81713b8707d986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
055d0b1f9211ec15f3fe652a5852bd39

SHA1
21643c64f1116ce5359f43dae42ad784b4723a13

SHA256
8e4d4a2bd49faa964004fe43c55cf9e5737692370f544877b312ca4ba45f071f

SHA512
219d3c2a010c9438c245a118fc6e5cdd6a0ca18c1eb4188c78069623c80ded00fd58ad3c7ee7b1b3a23b637e1b9e8f8defc69ba8a719f1bb9525a64b5d7968c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
899416ada1e09c2d99226f998e2da697

SHA1
de49f72923b0795dcac48c1cfe70137950b49eb3

SHA256
392a0a61febd5fbe1f1f8396625c15dda3bead8b7fda786d0182d4f8f907b2c7

SHA512
5fd6173656a7df1c5b08086b28d53093f3abc75c79c9f4eb0d9eb5ed69f04c3a224bf304b706f46d6210185b59dbc481a4ebe0efa027684cf3e41d757c6c7ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
b399dc65942b74af2e35889a6385bd4d

SHA1
0215a6ed04b17bf931c52f97e43400320d1317ef

SHA256
bf06b45b6e3399fd768f0c4e0a2734482550b2400ced076a22351f7ec5242be8

SHA512
a9262f306180540c96499369e5f7b9137d43c28086ebb024ba893457d0fb2c575ec4a757d8f40e025d091d9d58e9920b91d0bfa99854c8fc457c3622f1521dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
fba9deb028082e5ef8ba491f78232840

SHA1
76a18ea4b6d3f665c860676d896dda2625e88982

SHA256
c420b1bebf62c30f321ecc4c468fd6badcb6765ca1393f8550817e4604dc68b2

SHA512
9cdb4b6417620c77b1547df9cc4031c8f9f462656114cddaf4697c576a6580c7de1c9400ebbc574600549f662e1886357bf838f167cf598fa3bd5e8c645e760a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
df0b06c2647be971886e49aa34ecefcf

SHA1
70134e4b82f231b3caddf15c19b2b48e816b3ad8

SHA256
a1873acb5d81804668e96117fbfb2de89d08457caf2c5f722178730672449501

SHA512
98adda521ff9c94143d61dd7fc283d1ca74be60ec6f0173e521f2e379274844d5a95c1d6e50dc0590eaf9f8d042f7e1f802a409369676bedfe37af633b7365a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
95e3025a4cd697d9896607e979815080

SHA1
6338df046d17199424d98722dcf926f4752c4298

SHA256
45888a54790d1194d03e3aa805b1e0bae28d95fb85e564050f18dba57c7cf2e8

SHA512
6393a4484db6d75ffe6086f90de429f23af20ee2017a138fc06e0483d714356f794cfc440cca7ae661b0d9d42fdf92205e4d09229855e6273f548c61a96b3f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ed910f813fa4bf8dd6579e2793e2df0c

SHA1
875c03df463b75654813472f3f76660f2bd2234d

SHA256
7b9cb4cb205ef3fa44aa055fa80050ce7b833c51f33d992dcf21c95d7702c41d

SHA512
ae32e18a890f8be59a376184183cd3ee84b09f01a89ffe95812e4ce377ac138d579863602a0a6bb9e5be30b622f35ac3afe390f6d582be2d38062db62e1e337b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a063deeba203df5672c50712127b939e

SHA1
9889b0cebb602ff379b8f7758476f9349b68a0e0

SHA256
254b2009a46d3959e53e5ae2dee98bdb129d9e7e26919c2cc04614c21dddcd94

SHA512
37837471268b23034ea4add94363aaa8f566014327b9b6e4579d3becb5a0a707bbc1babac24cee1ed4fe29df13c001f2a89219bf56e9b64e306f906a4d0570ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e0c39fe7e674c8236b69b504a3850f34

SHA1
ae5eaebcf939bfd3880d0ea712d7a8746fd65c54

SHA256
4c294c3af7ae05220840ac551a7c695c86585d044cd88142caabacb0421ec9fb

SHA512
84115270528164e6e1db07923aa14973193c4c315c5f8e14d30d9ece94f6f8818bb44188a7d2d71a1ee9a72df17e0d8b324709150a5c7e04533abd8e6961f8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
0ff13da8f354b8f6e269d779f6d0c484

SHA1
6a5e2fb8dd7e598c56ed88ad0cefeb93e075235c

SHA256
d99839b0b50835e248dca0ffd497b77daafb1c379253322eb18b55e9d358738d

SHA512
25dcd506e8e6f25018ae670ca5a1c51ffe45fdd1791753ae72407d634796746ddb73118ef05892ddff9c399b2c065bfb194d99357c2b71d1cfcf536258c012c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KNBN8.tmp\pdfcompressor.tmp

Filesize
1.2MB

MD5
ee5477ce6bd0583a4d4d754e0aca2467

SHA1
b56f9ab578d036d57f0fc375737036c40300c533

SHA256
b394200f0d162da4de64e9bc172049bc0fa2fcd2b23ed6bdf6edc578057b75ad

SHA512
b9781cbd8dde053d8994f44cfb993c3429819c03335b5f243964da3046d589858154648632f9325dc70734f823bd8c996f510882f1a9faffbc7e358d50ced2d7

Download Submit
C:\Users\Admin\AppData\Roaming\pcsound.dll

Filesize
701B

MD5
f91fc0522be58d2e19f6b417c12a34b7

SHA1
97d77fe01e00074f24ec2d8bbed4f24e30e89e04

SHA256
b3e1f21aed8ddfa1499b6cd5f2d86041c4f9e0c276436426bafa82d9fed23faa

SHA512
e6d2004781b52921e12847d92cb852f78799226260f26f042331f28b7577b797506017fbedf16b03765127331f0001da43bdb961b29b1644457e89b6486552bb

Download Submit
memory/1472-213-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1472-216-0x000000006FC40000-0x000000006FD36000-memory.dmp

Filesize
984KB

Download
memory/1472-211-0x0000000061340000-0x0000000061418000-memory.dmp

Filesize
864KB

Download
memory/1472-212-0x0000000061340000-0x0000000061418000-memory.dmp

Filesize
864KB

Download
memory/1472-214-0x000000006E940000-0x000000006E964000-memory.dmp

Filesize
144KB

Download
memory/2136-72-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2136-6-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2136-82-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2480-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2480-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2480-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3100-225-0x000000006E940000-0x000000006E964000-memory.dmp

Filesize
144KB

Download
memory/3100-226-0x000000006FC40000-0x000000006FD36000-memory.dmp

Filesize
984KB

Download
memory/3100-222-0x0000000061340000-0x0000000061418000-memory.dmp

Filesize
864KB

Download
memory/3100-223-0x0000000061340000-0x0000000061418000-memory.dmp

Filesize
864KB

Download
memory/5092-324-0x0000000061340000-0x0000000061418000-memory.dmp

Filesize
864KB

Download
memory/5092-326-0x000000006E940000-0x000000006E964000-memory.dmp

Filesize
144KB

Download
memory/5092-328-0x000000006FC40000-0x000000006FD36000-memory.dmp

Filesize
984KB

Download
memory/5092-323-0x0000000061340000-0x0000000061418000-memory.dmp

Filesize
864KB

Download