hxxps://www[.]dropbox[.]com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

Resubmissions

29-03-2024 12:16

240329-pfrh3sgd9x 8

29-03-2024 12:11

240329-pcrdxagd5v 8

27-03-2024 19:52

240327-ylpfcaaf83 10

27-03-2024 19:06

240327-xsc58add5x 10

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

Score

8^/10

evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

$uckyLocker.exe$uckyLocker.exe

pid process

4436 $uckyLocker.exe
5588 $uckyLocker.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

35 dropbox.com
36 dropbox.com
129 raw.githubusercontent.com
130 raw.githubusercontent.com

pid	process
4436	$uckyLocker.exe
5588	$uckyLocker.exe

flow	ioc
35	dropbox.com
36	dropbox.com
129	raw.githubusercontent.com
130	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

$uckyLocker.exe$uckyLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{64A388B4-D16E-413C-A17B-2D91498EE6C2}	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 569915.crdownload:SmartScreen msedge.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

736 WINWORD.EXE
736 WINWORD.EXE
5896 WINWORD.EXE
5896 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 569915.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
3336	msedge.exe
3336	msedge.exe
4900	msedge.exe
4900	msedge.exe
4816	identity_helper.exe
4816	identity_helper.exe
4400	msedge.exe
4400	msedge.exe
2560	msedge.exe
2560	msedge.exe
5576	msedge.exe
5576	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
736	WINWORD.EXE
5896	WINWORD.EXE
5896	WINWORD.EXE
5896	WINWORD.EXE
5896	WINWORD.EXE
5896	WINWORD.EXE
5896	WINWORD.EXE
5896	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4900 wrote to memory of 632	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 632	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 2404	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 3336	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 3336	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe
PID 4900 wrote to memory of 1512	4900	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8939d46f8,0x7ff8939d4708,0x7ff8939d4718
2⤵
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
2⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
2⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
2⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
2⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6172 /prefetch:8
2⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
2⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
2⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
2⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
2⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
2⤵
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
2⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6944 /prefetch:8
2⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Users\Admin\Downloads\$uckyLocker.exe
"C:\Users\Admin\Downloads\$uckyLocker.exe"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:5588

C:\Users\Admin\Downloads\$uckyLocker.exe
"C:\Users\Admin\Downloads\$uckyLocker.exe"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
2⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
2⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2343482775052596883,7527407416069268382,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6160 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\OpenOut.dot"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:736

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5896

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
PID:2172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
471B

MD5
ffdeae7f35885a993cfc038077256369

SHA1
650158353c5e0b3dc48b74bafaf5abd41553aa9c

SHA256
171012f8d350c70963537975da6898917ba10426356e92bd4dba6b5c4c7c6492

SHA512
20a8440dc90f3c501b3d18bf5914f471943909522e874ae1eef8be226525475d251b0e3ae4957c240ebfff37d187a593b34b235435ef844e9410aaab959b4fce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
25cdce7d2632a31a4384f3183664a40f

SHA1
868a742d7a2a5b1352bdc7c2b0dd0c1acd22f201

SHA256
5418e84e1a0773d2dd2102fc2315678e2e09d82c99afc801eeb44ccef1d0b560

SHA512
fa8abc6c6a8a72feee3bc8bd90edf1e64874f28088bb7288eb4f8e2c1a262139c0c0cc2122a7b346876697867523039366a5ceb635a5759de218bfa0ecdd061d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
7KB

MD5
b10696a4926e016fd873f8c392362bf4

SHA1
1a4fb137000a21ca00cae3031c2c86b757a77adc

SHA256
c293a5687203b4f6d1d868ce613407b401387e2b5954804f4abdf57e9e34f316

SHA512
fa732fafa795a0b133dceec101afc5f15c50715214308ce5e7c0bf0404e97d84a66cdf88f62336dbd22d7f4c4d39577905fe615bc9fa3e434bee359820afaa8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
b58dc64e31f67b6bec08ed415def3239

SHA1
97053fcc38b75b2dee520fc38c7033b021a46b0b

SHA256
79904ce6623d14227b9e4cc006d7239aa21f3ba747e3831ba620bd4cb819350a

SHA512
824d003f97c7a22267c6b29b0940b6510bdbee68376f614449bdbe49cea1b670c2eedf84371b3fa929ea480f105a2e25b0335148b098cca68954df0f4d82647e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3594a23c23f300af2e710859a1aca803

SHA1
54808583261cdbfdf7c9a292c37604f389760161

SHA256
83c8ed47328330942ded29fcbd0af4b2de70cc7bbf09bc3c7edaacbd51d7d559

SHA512
3c93523ae0d2a7006f9df3ddb4d6ef491a0aa6fb72d28ef7a3055ad2d1c88b1796e3b98c4d88e7c963577c6959c7bf19e00c40040ace8f07733a1b76c6ac1a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a1f36cf375aa23c6134a7b0cb8c020c8

SHA1
5f995e87279eafe662495f8a774c4fe5ffbddbac

SHA256
16cb186af25f9fdc7921fe24b78351e6c5473518d8ec22b47e9b2e3b82a44f00

SHA512
64213535b0abea67f6ed72425e9425470ae76adaccf701630d1fb200b5ca4810a21e2ad43054c16cecef065bbb41215a89b980ae77718c412294aa1110f5735f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
11f47bdc8c2fca792031dce69509e9a6

SHA1
9b7cbe29c3ffd84c7681b1aefd5b2304f3743422

SHA256
b97e32d7c02624af48a2488bb22f6b03f3c479a14f2fd35991ff16e4c7f7dca9

SHA512
c294c5959de4350a454ea7e12db3a1d2bf5b74142244fa2c24fcb699a22e219cf9a21f74437b6c157946b37d137e33a1174233b2604bb22d8679703d0e6bc282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
31302b205acb3a140aea96c1c53be275

SHA1
0d79bff61932a7215ce1c88bb6cb435d8269248e

SHA256
9d32069040b0b931aebef83c72c4e4f955d6e33189db5e5748f257837e6161d0

SHA512
fece6715b2eeaa57cf4b106e5ff80d439b9edc8844160ca69ef8ec4d721d99e6133d719061bfc807b3b9179268723d820ddfc49a66e417cf70c75c21dc68b82f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
57b29109d0c0eb5a9a7109f836f35e91

SHA1
c3b824cc5803331dd3e4ce945eb517052ae40e27

SHA256
ebc0791b16aec77845e5a87ce9df415508c9cf932e48ab02d06ed14de84c4f7b

SHA512
3befba33002d905b8e879f2abb5cbc53e8a67980bc20ede0e2d8c0b47442b53b2bc9099078838df079ade32ab915c6997f29d683a54116698769079c0a3ad952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
7668b498b42f47663a555a0ed82abfe0

SHA1
6f3c77fa18ec0a50c37dff050c589e8780af1b2c

SHA256
0e2e17648646db20bcf0cdb534192c7506bbf48fd565d7f3e6c19cb970254ca9

SHA512
a001a40c391a6a4c91f1160627eb5c76f77fbc145a898fa117aa37ace9f22e3a2269636e6ec166146ab74f9afb8314ffb83c28a8c6237cecb65a5e080a69f018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
06ff8f11e4dd0679bf095664e3bc7efa

SHA1
e6e69a5d43412b6f638553d654e0da1b6cda4c9e

SHA256
f54f8c3be495b4915b95c40e9c317b1d39f61ece68bdf0ceee0bf02cf1bb08b5

SHA512
4e20a5092e0d89e87552c6185212f747e4ae330ec9f75208d2be103ed7538d480b52a1f5da724ebfb33af43659b82004f327c78ba5c1f4e149e91035d15277a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
cb93d7388c906b8eab4539000b261a4d

SHA1
72c7d25071f60599bf043b4991f834b0549fa40f

SHA256
19b620b62e0f02a24f6689bf7ac61ce6d1faf73bf379c1ee9c6da9f4827c16df

SHA512
1cdf6ad8735ce66ca1b31af907358c023e2d701262412ae5e152fbe4374d7eb96cd4ff585f3262d57dec555f6cd46e42180c77f3aef05c8c3c0a331200426e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
85400d55c049219c61d6102bd479f18c

SHA1
77cda9e336508383831d49379b095aaca36c42b0

SHA256
bda443023318f193b1cd426abae305437b53b443e5b44f3fe2c704050f5e5328

SHA512
1fb5889144283b4e258a5409dae3158711f43c21e7611cb455f7dd5ee549c28e3fc92d32ba52540a49d61b3d869f99eac3ae0e9c6177fe0974abe91c5c4f1e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
99412c6da1aad6ae735248595d458825

SHA1
b589e5efb620b4b6daccc47df387f896bee12f42

SHA256
e3d624efe351bad31b09e3f75441f413e6c5debcad8fdbcc1c3d20718e06b9d0

SHA512
a36bb65377788a2a172f09fac4852d777156ff81ece73fe158fe8e36b094a8368807e01369dd269a03b316e0acd4f4da133f3feaf8b053777761235c856d3530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
fa3bf88818684c69396429885b5b90b9

SHA1
d905f9759e8c8e96900ab9e41ba230bc9306fd54

SHA256
facb31f440c13157379f83ce07dc065c5f8477a5171e772f2af312fa043f9b6d

SHA512
c40bcbbc557a2d27afbcdffe44b18c627a6e310f44372ea9ced4a7b2f9bd79c231f48aa2f0444855c73c7cefe99a86106fd86d3752c3a8608eef362ae0669a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
fb143d7194d557bc9d69bb7c5c8d7b4a

SHA1
10b019b1e7657b6aa39bd52d0478477f216f4077

SHA256
ac591ea8ddc038019260c7db5767885ae519d9e55c11ad34606cb32718a692be

SHA512
f7e4c9132e48753d099edd1dab3db32e8409e10791e04f25e83d493aada5cb47f24e2d8a3a2685c70c3f742dc1682c0afd22fbbe3ba5acabd9924ab217d96709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c89f.TMP
Filesize
705B

MD5
9acfcd41b0ae2e3836369d9e78c39c8b

SHA1
ddc14ee856a8a7a6ea1aa1519097fd7221616600

SHA256
1ade39b9468a35a211cb1a226d05722c97a8f61d4e7acb13b380ba077aac45eb

SHA512
842aacce2801c19f4577a75d175e6208e23353fb36c69beef43b6a6bc7367e3299640d1f25d6c61a3ba858446b4f6e86e77b19626cc249389dfeed7a920bc1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1269c57a8bcb5672934fac323bd5386f

SHA1
320169cb4f362b90a99f7b3b50e8c9ad35880159

SHA256
be9de6a70798dda498b2493bcbc2dd11521e940d806d89e9cd7e3bb7f18dbcd8

SHA512
42b20e8965c8f93d88ac0bc0b646ba03eda8b580177238787193686020252e347e60ec30adc5bfaf4d3ffb433180a5b7a141374b6364a9c5f45d91458b42494d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
76b8fc25c5510e53551ad64ab93e5bf7

SHA1
fc75ccd43b632806b01e214cad0683630e94ed39

SHA256
59387c57edc358a407c1b80e1152ffe3ea82c1dd71e30e7a785ed76ac21f67bf

SHA512
ac05f57d61ec153b66d7d63620b837323468e95947f1ecb00043bc7f322347dc24847b8de073f45a3ba32658099a50f131809d5a896c9f061a2976e92b1fb820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c6d7e689fcf85556318f655735b90338

SHA1
5d57d87488b53197b19268baa143da2571f5650f

SHA256
afdea664d92eb6fa4fb3f18e5ba8e1f456323913ef913c268dad42ebd6afb6e5

SHA512
961bea8b77c2fbebe4dbfe6ac0c4b340c5ac6b7b3eac816ad43b7beed6d89899a2149bfc1d266b29e4991d7f398ab5653c0f93928f8f7f92eccd4c54305a4d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f8d7a4482872ab49c97bc9f4c47e629a

SHA1
2040c55bedcc99e90e0270492d65e7f65c36971a

SHA256
c896aa050c84cb8818aef1de866607b1b62161db189be6db1a394145cbf02d1b

SHA512
46453f4afa91b85670379dc1b8a33c39393d900985aed42954adcda893dc04757c574dd3c3d003ad5082b34d7f68be05b5846a5ec86a18208dd8662652d35065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A97AA01F-6275-4AFE-9997-6CEE6850C7F4
Filesize
160KB

MD5
fe9f1f38ce827d97cbd11533398ffaa7

SHA1
039d467dbbd8053d91f5a9d5952564bb3c9054bc

SHA256
7477ca7525e64fab2c367fbc1419437073a21b198a1309e99c0dc5c5f8d3e8ae

SHA512
20d16be6fb922a954c27dd4239b2d068a0efa6d87e08fe2236cdacf8b4f33eb4a8168d58f4ad4d4aad264c69ba0aea6bfb07167623cf0e170bf115d37784acf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
4762ddd18b50f52d29d6f79af5f19e8e

SHA1
36530dc839a5f211211c81022d27c7ad174e6984

SHA256
b885d21c4c08108ea7bae7a26244c68de20a592293b60e33158c0fdd433b4bf8

SHA512
2f75ad981811891e04abbd0474e5e98032c8beff7a6537a5147310ba52fbb816c57a06d5a515516cafff87fcab2011ff6db7472fd3cc262794e81a5ea42959bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
ea3852ae2b02d9e1cd065e3cd99928dc

SHA1
8ac381cf9f7155f8eb079aff0ef13cd31afa949d

SHA256
addeb54b953c27f35647690d32470fb1c314a800a07d0cef4adcb73dd5a3b7d8

SHA512
ead851e898aceceb02b6e54b736a1cd332bffddcbb9a6a9cf1286f3498c7459668481a839459d297adf3d8db8948bb60d0a05e072657c0251859f9064d57f9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize
4KB

MD5
f74e40f637499f18911e8fb818877b85

SHA1
368ed73b146d98572434b269ba3bb8cbe0d83ff9

SHA256
c137ff876532baecd972dd484d75d7dc4b3fd1cf1edf31abe0fa5289cfde3290

SHA512
236a4b0f4c78b11950376212851da8ccbf306607f10c3095881c3e1f8af6f8cc180772bad31b2d786feaa97f5b1b616e5321d8c305f5a4e43dcd92e07ce603ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
247B

MD5
f97bfe7ae459390dc1fa2b4e55b6ccae

SHA1
20124518d9bb7abfa409b5dc06ef5bd2c8e1e378

SHA256
cf9bee9add9c57b4aa066ebdc0d5964047618aa4890674c01146c3154efab9cd

SHA512
c45c031736bb2e44e426b912e0f807ef40e68be25c52501e8cff18a2536340db6fe26c3ac14cf72015cbbfb3e032b5cf13de15d555761dbd2a6c4c185786efeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
247B

MD5
4d304e71fce4ea3fcc0b6d723fab1448

SHA1
4aa64c3749a253b851d9da9714f029b55a6ccb56

SHA256
e7f7e8b4e67fc9fbd852076f609bb79f069f00250bc77f07b087a21109b38249

SHA512
ff271072f7066203ce1009c9a334b8c96d516c047e0218546be8e08d02282b6c3db244c3159242dc23a1daee0280301d0009b164d14c4d44882b11a3f94c3948

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 569915.crdownload
Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
memory/736-822-0x00007FF85F540000-0x00007FF85F550000-memory.dmp

Filesize
64KB

Download
memory/736-819-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-808-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-810-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-811-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-809-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-812-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-813-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-815-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-814-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-816-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-817-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-818-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-873-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-820-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-821-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-875-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-823-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-825-0x00007FF85F540000-0x00007FF85F550000-memory.dmp

Filesize
64KB

Download
memory/736-824-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-826-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-876-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-874-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/736-870-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-871-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/736-872-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp

Filesize
64KB

Download
memory/2172-950-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-934-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-926-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-928-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-951-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-930-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-935-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-931-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/2172-933-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/4436-680-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4436-745-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4436-770-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4436-763-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4436-681-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4436-683-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4436-694-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/5588-682-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5588-684-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download
memory/5588-677-0x0000000000200000-0x000000000026E000-memory.dmp

Filesize
440KB

Download
memory/5588-678-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/5588-695-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5588-749-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/5588-679-0x00000000052E0000-0x0000000005884000-memory.dmp

Filesize
5.6MB

Download
memory/5588-750-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5588-771-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/5896-907-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-888-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-902-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-894-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-893-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-892-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-891-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-890-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-889-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-908-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-886-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-885-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-883-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-906-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-895-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-904-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-978-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-979-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-980-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download
memory/5896-901-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp

Filesize
2.0MB

Download