hxxps://www[.]bing[.]com/ck/a?!&&p=697645bce860c0f9JmltdHM9MTcyMjgxNjAwMCZpZ3VpZD0wNDAzZTkzOC0xZmQzLTY1MjItMWVjNC1mZGExMWVmYTY0NzgmaW5zaWQ9NTIwMA&ptn=3&ver=2&hsh=3&fclid=0403e938-1fd3-6522-1ec4-fda11efa6478&psq=recorded+future+sandbox+triage&u=a1aHR0cHM6Ly90cmlhLmdlLw&ntb=1

Analysis

max time kernel
1800s
max time network
1153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.bing.com/ck/a?!&&p=697645bce860c0f9JmltdHM9MTcyMjgxNjAwMCZpZ3VpZD0wNDAzZTkzOC0xZmQzLTY1MjItMWVjNC1mZGExMWVmYTY0NzgmaW5zaWQ9NTIwMA&ptn=3&ver=2&hsh=3&fclid=0403e938-1fd3-6522-1ec4-fda11efa6478&psq=recorded+future+sandbox+triage&u=a1aHR0cHM6Ly90cmlhLmdlLw&ntb=1

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{2E8245F1-97E6-4254-8F95-C84336E1AD0C}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1924	vlc.exe
2428	POWERPNT.EXE
568	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4836	msedge.exe
4836	msedge.exe
1616	identity_helper.exe
1616	identity_helper.exe
4688	msedge.exe
4688	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1924	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2596	svchost.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
1924	vlc.exe
1924	vlc.exe
1924	vlc.exe
1924	vlc.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
1924	vlc.exe
1924	vlc.exe
1924	vlc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1924	vlc.exe
2428	POWERPNT.EXE
2428	POWERPNT.EXE
2428	POWERPNT.EXE
2428	POWERPNT.EXE
2428	POWERPNT.EXE
568	POWERPNT.EXE
568	POWERPNT.EXE
568	POWERPNT.EXE
568	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4608	4836	msedge.exe	83
PID 4836 wrote to memory of 4608	4836	msedge.exe	83
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 2676	4836	msedge.exe	84
PID 4836 wrote to memory of 4616	4836	msedge.exe	85
PID 4836 wrote to memory of 4616	4836	msedge.exe	85
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86
PID 4836 wrote to memory of 4424	4836	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bing.com/ck/a?!&&p=697645bce860c0f9JmltdHM9MTcyMjgxNjAwMCZpZ3VpZD0wNDAzZTkzOC0xZmQzLTY1MjItMWVjNC1mZGExMWVmYTY0NzgmaW5zaWQ9NTIwMA&ptn=3&ver=2&hsh=3&fclid=0403e938-1fd3-6522-1ec4-fda11efa6478&psq=recorded+future+sandbox+triage&u=a1aHR0cHM6Ly90cmlhLmdlLw&ntb=1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2db746f8,0x7ffd2db74708,0x7ffd2db74718
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3456 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,4013425134126668251,651671004267629354,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\UnregisterFormat.potm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\FindUpdate.potx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
69KB

MD5
24a806fccb1d271a0e884e1897f2c1bc

SHA1
11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a

SHA256
e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85

SHA512
33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
41KB

MD5
ed3c7f5755bf251bd20441f4dc65f5bf

SHA1
3919a57831d103837e0cc158182ac10b903942c5

SHA256
55cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d

SHA512
c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
43KB

MD5
d9b427d32109a7367b92e57dae471874

SHA1
ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39

SHA256
9b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3

SHA512
dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
18KB

MD5
cf1db65a9f1530ae41847a68a49b910a

SHA1
bb1f94f4888d6b7ab45f44698f9439ce4f08a58f

SHA256
c8b76214e3d94c9101434194a184b45e85731f5ee106798af2fa08b97ad1bbfc

SHA512
2b6338eaed3747a76a99301f9cea78474ae1af685e5b83865c9b704a47d190fe33ded434f852fa89c6646ea20f6acb329a33542d8f277340427b4e0ae0adc0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
4b41ac42c844064da881bc15c68fa691

SHA1
1c0c73f890cbc9e5f51ef00cf9c0966b5dba80b5

SHA256
08125950fee1a82623a4202fe88106059f149cb79319eba564124ad73fe313b5

SHA512
00d28b560df9a087c9ea29d8db12953bbb1c3a809f6c0a14c182e69d205ad13fecb933fa60b1325656f2b445ac72f56ed6a8e250ebf46dc970833cba629b2e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ed59ee74735df472205be0a95a3c896c

SHA1
25e683a16ca2d09393f771c7732fe66d038670dd

SHA256
b8b5b8103fdbed23c6c5e04071d17c933cee87b782be4778f229da9c7f6f2f39

SHA512
cc4199fb930d2e6d352f4b4559e035b83cee3d820b4ac15356cdf066f23ed5be441c6c60ebf11958428806f7872b23d4d1d01c4df66fbaa8462e743da4aac742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
823B

MD5
afa04017bae15c432935bfbd750dd38b

SHA1
dfbaf7ec6864e2f90e147567f9db5b7930703c9c

SHA256
e562c636a1924df7dec8b0523c37fea5c7722a07c37d09dcc37ba7bec2db551c

SHA512
87333792cde8f492e1d2f0eb9a0d507ee2a3ff7dc31f055deca689e0c49b3f0ee6b961227e2403f0183007ccfaa21bf895fb30cd68d3bb3e57ab0d798d14d878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4faca48a4514bdb8e0372d37dc399e88

SHA1
225367db4cdaa997a597f744de2f257c6f195606

SHA256
44b2e57057030b031f939d9dbc26db8b9c6b727ca5539752c15b74398912844e

SHA512
a10a56606b10e8530630f212144a291f49cd22cf17b0e5d4f23d63cbead6a66337277a36b4794bdc4f16af4bfc45e7d95ff8315955ae57fb22bd75790877c5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e593f91d50de6386c6073c856c57d0f

SHA1
59e8409c1a521e1b2a9fe9c4e5352cda5df91003

SHA256
2f05e7f5acc58ac4c261380af263013414bd82a399e85e520ca5c79d09d99f75

SHA512
9f5c2df400aab8e62feaace22ba3219953d8019cf5c6c37fb60eb14eaa1d4f24ce7b4de00414e1a50d633464871db1d0be03c87aabb4d30c0198586951825abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d0dc0417802fa79541a96179bb48445

SHA1
8df1679e426205413121c4e8182172e43008aea1

SHA256
4d8a1e722196f88a7394c9b695be6e71328bf14621069a3e70dda26243f512ea

SHA512
95eba08b5e705e05611fa5957450559284ab2e0f463efb7136a8ad08f71a91bdb3882d91c0ea31ee9d735e314dd70f352cd45ba3d1e7ffb57d2adab21027aee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7c51fc3eeed8f7d02a7d7ecc541364fb

SHA1
da767d4ae9534b35a313c40d6e6028252ed843b3

SHA256
1afde786a8915b7952201e0c714c0d087d2ef174207e61d4e214b8b1d2df205d

SHA512
507e1be272f26a8ae0e1fd625ec37ec39e86f38e8c519bf8089e7f96cff0b3f9c0372817fa4fdbed010b9a8293bd57888f1af8ad9d6410c46ccf2928ce79b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30ddf2ec732ce43307ee7d14aa6bfbcc

SHA1
177c6cfe97e48b5e08aae842e2bd7034f22135a0

SHA256
b729fcbc7f4cfe1d712898979d20b1a540bc4df15c7b3a654a5d9bdda7d5abed

SHA512
9c649a3a76c2902b582e37ef215f48e128ef7fa72bf08cfe6302cae2eb7b62810523d7bbbb9891a3390681ab228efcb5b301dd248312e0420c0ba3703ac8a781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7deb06c1640cc964890c99f5d5b6f9aa

SHA1
cf5bd3be989096ca1258d4ad3241260625374905

SHA256
2089ab5c661f7a343d3256a13a3c0b7da6e0a3d6f843f54c39c59dcc61e9022c

SHA512
a2747fa0ad18f335a9bc7b907fe9002b3dc91029dc39d976f1341ef511036d9423e13f7142b0975422d6920e27407bc541de78ae17c65940fc47419f1deb5979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d01f5906c5283aceaab605cd9b578d78

SHA1
db195ed8d999153153c0082e137799b0248a5dae

SHA256
3f3994e598ded9edda5e1253cc924dc2e61395ee6fdc2f91f155550ea3a5cb5b

SHA512
5102b57f3c85c8db826bbf5c0ae7802c5e648e7a40b3ae287339d13ed2098f564218f351b15e1cca48bcbfcf5890544bd945ddbcb18f368541bfd000eb786f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9449154c2b19cb97e987b0a7c1a911d

SHA1
2a910309bfcff1b867cb4353e541f4e7352441a2

SHA256
e61fa59683138cc38ddfe48216751436cf74caa5466dc2bbef208f9a37de6bc5

SHA512
56d44062ce9c3e76e433ae82e14be3ea289902e5234c59da206f113f58a99b13f93059ee9fcdf418d8f5f94dc6aaf305e34148b05d1afb2894592f03a1a4f529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
f1d3910b8b7f899a6c1cea731b63c7d1

SHA1
de9562c8725330bfd071b54a27b070bc6edfd8cf

SHA256
fedbc9418f7918681fcc0115ec80b9706c55dfa11f3901132a1ddc3bfc548c3c

SHA512
d8e4a9d96b08b7d2929d4c4ef9eb96949f8b6add15eea059841851b7ed20c33e6bf906070ab808041fa8e38b2acf65c023db42081bc74fe475e583226223425e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
aabd3bb655d3b6f753ba4bbf98120f40

SHA1
473156063e9cab23a6f7aed71ff55232be07000e

SHA256
b81cfeb890daa235057d38e3cec1f83f80ffb417aa8da9d9b6b2c0f710cae4ee

SHA512
bb54fefb8c0c8dc52c8136f5fade3e74ec9ec91c2e9f967c4ed36657453a8d61bdb6f6ef6add3133932e971a15b17c07aadc6584acbf1d76bcd9c383af663f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
e608ad1b0cde71992540fb503d5ac6f6

SHA1
ea294cbf5fbed67f96e9fd35c24e7e765f780f2a

SHA256
e51038058e98a968074dd4da54ea2876bc2105a05a70785b7627b4db3ab818b5

SHA512
fab0bfad5ccd016ad1b997d1a8368f8b9421463960915356a98b876e22070cd110d30d9c22b0c7f5228adb3665a9e27ff805de8876b6fa24a7dbc5759dbaa3d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
fcf6248436047162fe7f62cb7e3b1d5a

SHA1
9cc68a2fb5f64296ba2d3253c7bfa853a53a6352

SHA256
54ba6ca2dc3e0be05eed54541597fe9e9eb11874b48814740f91ae4e1ae3cdbb

SHA512
706ee87dde312388395b017994b74932cc059e15e5685e5539db04c9e8e2420530f4215818130d4ddce38c1936420a8f3e190679c1d39a26b1fbb5782c03e76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
763cd466221001e01d872edc02817573

SHA1
c018f8256e0dd73f24d91a320362dcf82d96a8e7

SHA256
38fd4a5712430c565f8b925e77ecee494f79dbae3b657bc10ab05c1b1424dbb3

SHA512
fbc5a99ca5ebe853d91462164446c8d503657e4f6de7347d477d3ab465af013306a60839383075e59e02c00b0bf40ddbf582c4e0e09c3079d22b9d8a5038c324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09d561af74596701a3f410d3667ddee6

SHA1
2a1850527a829e3b1303baf36f1a294ad5906f6f

SHA256
f750ca72667a5f1438ea27acc427a4312e607ff5454fceb2f520a6942140cc8a

SHA512
50e2f3f8a60812eb73253e5fe851cf84a66a978b978541666ec8b7f650d432f92d211aa726d61b1402bf6018ce71025248e9dd31e82a7cc6a2efb33a7afc2330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E3EDCB0F-F6BE-4395-8D29-6D472EE58B13

Filesize
169KB

MD5
998f3fc5a5fd3e228eaa50c459431a28

SHA1
7088737ab0cba7709be44a987aa5360bf235b038

SHA256
acdc33e8f4810130bb5fc4563caf34fe4be82442c14605408c752dbe4cd0f91c

SHA512
df3eb6935b0037f4cf40ca9a7db63a89cb67d5b40b622d6e339682aa0c57dfcc3194dd18230872de81db666b102bd2014d6210e8cfbd7f5746c013a90063267c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

Filesize
370KB

MD5
d432601d3794b7fe509bd48cacae3b48

SHA1
c489c134c7fda0a71d6d108734870da2b2154c50

SHA256
9a5ee0aa1b4b1142aa4c0f5f7bbba5dd8caca810423484ea7b3bff1a1ed32a5d

SHA512
6565b8eaa2d297df190a7001b2974dcce95691b671e5a649e29f63290c2037edc5c178704947314d41e0e3e61c4a687b660e5311f98eb5a23fbb2fe9ea559766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
80KB

MD5
03d912f291c47ff71333001d79c18dae

SHA1
630fd57bda2967fc7924a3440877604ed5296492

SHA256
e2e8e65f30f247250164c486f8ae2ad30b69432685d13ddb44375bb82ab78924

SHA512
6d0d5096f5e26d623aa9d766dcb0ff8b8622c87760d5281af2eef8ec8766c81ee98792d9983b339fa9062ea3f0f6efd04dc9807d3e9720421be6e14fb50fb2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
8f86b8920c6969aa2372a822572069ef

SHA1
a000d14f277b90ecd39e603878265a9c62c99a2e

SHA256
17e3cb2babf1d0488d409bc6ab6a08e3de871f6338002f367ab07febc4e09807

SHA512
eda96d6ac679dfdd5d6652d00c441adc8ff8b9947781c02c3555d079cf7fe352a7977c95cd35c202c1dfdd7ec4621c786c4a07656908276ac7b4d028f0ea76d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
cbaf866d12b266c379a1c7e0aa51b041

SHA1
3a1bb4d26f3ec8dbddb461e0caececd9b6f8799a

SHA256
292d6be2bb58740f76ae99a1b22a18a94881b7f53c64520b1959e6968e9a6148

SHA512
fae3449ce59441457ded121af0f6c3af861c3680407f8fbde8cc8cc92151eabd8fb26c16a27461b3926a26a48cc85d84ee54feb6584f3b3457b04498ea8bc806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
700df88d69826a0cdf963d16d67e5463

SHA1
6a08d3b5a620ee22fd88d2f936d618b751157e51

SHA256
fe0f73ed8b322b6d3b686506d1c251e0a4e4ae49a409926c4251a5ce966ae69c

SHA512
ffa4bfe834b96c08d6912d62b7c137ddf1feb7fd39ad550280f3621cc6a8194d91e22a12c0b64483325823b90697e9e8d6102e348760b83dc5037d3d10ecd893

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
39f81555b29b590aab9d31684b0eb3a5

SHA1
1e5f5491fdca65708f6254c38c6ca2037f7b5ccd

SHA256
2d2d629aaab3caa201d8dc1104bb3fedf82d90755f5beafe6591dc4982e067b7

SHA512
413c2416c35ebf539c4989785f6f97c7472918554b3771483aa949f41a56d3166b0cf20a250c51b9b68ac0180d01ad8d8e4b9bcb2362018ec2693ede64ff4146

Download Submit
memory/1924-944-0x00007FFD332C0000-0x00007FFD332F4000-memory.dmp

Filesize
208KB

Download
memory/1924-943-0x00007FF7EC9C0000-0x00007FF7ECAB8000-memory.dmp

Filesize
992KB

Download
memory/1924-945-0x00007FFD1F480000-0x00007FFD1F736000-memory.dmp

Filesize
2.7MB

Download
memory/1924-946-0x00007FFD1E3D0000-0x00007FFD1F480000-memory.dmp

Filesize
16.7MB

Download
memory/2428-954-0x00007FFCFB140000-0x00007FFCFB150000-memory.dmp

Filesize
64KB

Download
memory/2428-977-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-950-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-951-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-952-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-953-0x00007FFCFB140000-0x00007FFCFB150000-memory.dmp

Filesize
64KB

Download
memory/2428-948-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-975-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-976-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-949-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2428-974-0x00007FFCFD330000-0x00007FFCFD340000-memory.dmp

Filesize
64KB

Download
memory/2596-98-0x000001B7E6540000-0x000001B7E6550000-memory.dmp

Filesize
64KB

Download
memory/2596-114-0x000001B7E6640000-0x000001B7E6650000-memory.dmp

Filesize
64KB

Download
memory/2596-130-0x000001B7EE970000-0x000001B7EE971000-memory.dmp

Filesize
4KB

Download
memory/2596-132-0x000001B7EE9A0000-0x000001B7EE9A1000-memory.dmp

Filesize
4KB

Download
memory/2596-133-0x000001B7EE9A0000-0x000001B7EE9A1000-memory.dmp

Filesize
4KB

Download
memory/2596-134-0x000001B7EEAB0000-0x000001B7EEAB1000-memory.dmp

Filesize
4KB

Download