hxxps://drive[.]google[.]com/drive/folders/1-SWLDi4i8vzEkwOaCCgMfWAI_pJkrB13?usp=sharing

Analysis

max time kernel
87s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2024, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1-SWLDi4i8vzEkwOaCCgMfWAI_pJkrB13?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
464	EXCEL.EXE
392	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2412	msedge.exe
2412	msedge.exe
1180	msedge.exe
1180	msedge.exe
1836	identity_helper.exe
1836	identity_helper.exe
4524	msedge.exe
4524	msedge.exe
5900	msedge.exe
5900	msedge.exe
6100	msedge.exe
6100	msedge.exe
5340	msedge.exe
5340	msedge.exe
3876	msedge.exe
3876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
464	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE
392	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 4336	1180	msedge.exe	84
PID 1180 wrote to memory of 4336	1180	msedge.exe	84
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 556	1180	msedge.exe	85
PID 1180 wrote to memory of 2412	1180	msedge.exe	86
PID 1180 wrote to memory of 2412	1180	msedge.exe	86
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87
PID 1180 wrote to memory of 4288	1180	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1-SWLDi4i8vzEkwOaCCgMfWAI_pJkrB13?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bcad46f8,0x7ff8bcad4708,0x7ff8bcad4718
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3940 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Auvergne-Rhône-Alpes.xlsx"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,17570204832511147828,11056848900189456637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Nouvelle-Aquitaine.xlsx"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
b43dbe12efeb04d44b1c84e788c2bcde

SHA1
88ea4697c30a591a754ca8ac5a96c656072ef510

SHA256
92aa2d7a8cb2c5d58a41d11f26033b46db81e5de19a5b50aab3a16617fbf5ad8

SHA512
79d82d1d2b4f4e033c3306ad401d8cce12debd7a0b0b143b6464825bc80316422f6d484e1d113ad311be2f07d9be49f48d629cef2e7be8b12b2d7f62b3b76ac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
fe0c41c39721e17659621893b81ac160

SHA1
7c0d985a8c954329c7bc6f64d8c66d778064d899

SHA256
9cb0a7bc469d576e2d49493f5f6d2905fe6ea7e45c5606682c94d8e05a80aa87

SHA512
9952dbe130729c8456ea4ede4ead8eeedb3aa02bc2ad4ec9d80e43c9c7e23a6e3d5bd9258c768fd53584222f6efb781d882d22b024a62cdf5b06f1c8d9221e2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
30KB

MD5
153d000f897ae2ddb7dc769756dcfe72

SHA1
33c6849078122381f505061462818f6b6631c7e1

SHA256
783bed406b582b13cbc7bfe78438bd5a57307cec5e50fd59184ffd1163c75e7a

SHA512
3ab5e8759f744e11dc484ef1b2ecb477dbb13c054c28751b62db753472cb096c9e99de78eb3b1b8bb37554adadcda0bdcc96690bfd88a6812ecb3c4cfb1fa77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
31KB

MD5
32e0ce903cf7b68b11d4d12549770773

SHA1
5f0df5a9b9497b9c140abe47e772c875488f369a

SHA256
5d032cf6e607aa32ea4191e46658ef55d65dda9bdf39ec6139c9f6063c0a4de3

SHA512
7d197c5edeb50bd2842ccf840657fca937d4d53c4f2aa95f69a5c29d8dc58e8e3f28dacf2ad7642e11135ca1ce308b7a3ac6f08af389598096011e66eab26f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
29f7536e6443571884c8172c1630049a

SHA1
8a89aaeeb10fdbcf907b9dc2fbe1c260e1a7f980

SHA256
735cfad33004effc76817548133b614c2412a2ad70f000af0a66e36017a721e1

SHA512
06ea88d4da142e79b10fc5cd19aec1c336df76867b840321cfc01cc12e0e4cdcc68aadda445debd964b3ce8fd84a4e00e895f2545e47a6cb7e2f4d6b3dc3f339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
912616c94cf536dfe6ce650d1e1164dc

SHA1
0aa5583cc21af377f261a235e55c1384775f0e9e

SHA256
bc7c20e1b10cf6c8f9608baada8fbf845d9315bdbe8c0ca298f2de8fe001e203

SHA512
ce811622db75596d54adf4ad8b26ac0f97bfe16de9cf8bc4f59ce8ed8fb9fdf9c2e4fa61f8cecee532fb223510a5e0e8d58b878c75305bd937e99b9652e4086c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
79065490e477be1d3de1db0a7999b37b

SHA1
fa45f327b13038bbd20b6358aee02a500feda44d

SHA256
3515c9ff8e0ddc246ca33eafabc3df8431a2933d15e0925d3fe1e42cc35ab8fa

SHA512
7a6d413bce8e71d85dc0f52c1e73f7a861b2166b7e4e090a16d48f04edaf1b7d7d234a1e4f3ecadd69269d97332ba488293186b4c182196d6cbfd15f6e4068cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a18483678c108509deb0eacc89d91fc7

SHA1
48f45d140ead8f9e3122ca5746e70794c43ec7cd

SHA256
cf26fbd79261b96d8bbdf62b7d36fa80273ab9e68c3fe5a65c369202c0ad6547

SHA512
bd396cdb2e4ad07f3700f59bc9d981c05d99451f9b8b34af1f39daabe9e5e83843801c61b6fb20f809ec2654d597ae467ab675995ab855e059f6ebc3e93fb215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a60cda19e82bedf2af6b73eb323256cd

SHA1
66bd2a82c98402ebb7cd4553e93fe235ec6afdbf

SHA256
96fa4b4e4ac3f6ab75048da5635eb31e8eb63fc2cd75c7b2a045c4791dd4e3af

SHA512
511b2fbd5e6281503e8de84a1354d35efb34c720e6efa6f0d0df1554d26fef018d0181ccd9e52fe2cae21313d2dcb46052e94a7b04340684388f8686ea0c006e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ed55eb1ab2cd129edff79f0a913ba625

SHA1
8727229a278c0f61a30025fce86741cf245cbd3d

SHA256
fe559ec3e2dc1fcd46957ebc1d68419ffe36c3c4f2087bb24d4b42d05888ffe9

SHA512
52cc254221a1f7105b58ff589b11a30d8c1676f7017bc3029c60723081c564a7527883e9f068f82a9cf66a0df1050b2f69206a0032c9d3749645c57b3b274d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3d8e0f8f67b053615a2d7ce9e8bdeb4

SHA1
f0cce8dfbf47ced37b03e7647ca365cee5099f8c

SHA256
6bdfd4f08c47ad7e8a0792aceb63e455257d21c63b75e7306fd7f8aa72f0fa10

SHA512
ab4d949aa0c753a8e95e332d8a1a49a0105b75d6b21938442f2cf7692e06b345c3c893e1646f5cfaec55874142d220df385a5fdf4e49cfb3dd1f887e19dc8c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
723c2f774c9c45190d7d35fdfb75f79e

SHA1
1e143510f893393158a8636c803ae23c23f79b02

SHA256
316add375acedbd28164acce86971d9a6971d09a518a466a7a9e5a59b4374231

SHA512
d2dcb10748ad1892127788e2cc667fae5d3be79298cbb7b22cc3880bffaa0ff2c036abf38140ee4eddf4ec6ed4af0098d8d22e5cb74c57f79e58217c93c744b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
635f50775e438dd57f2327315e6c82dd

SHA1
d48f7e6d3d1621158baa3cbe457a363167c28b33

SHA256
9c5fa6ba408bafc610aeb620ca10062050551fbd88e6d071a92388385fac9c47

SHA512
96044341937721d626b07da74c71dd30e5702d0c5c31ee8806fd6520c883e25e1aea59bd2d2e57a7cfb2fddad32ca6fc1c7004af278e87e66d90538e8f6eeb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dfc1.TMP

Filesize
706B

MD5
fc7c78d984302b7934f634bfd9041d7f

SHA1
587de8482643947e3b8b6164490d2cc9af7eb292

SHA256
6f1eb7c53d0d887484a3bb7b38c988f17e486497ac913f8b759020ad3996f08c

SHA512
0d251e1c5ad001ad725070de0f6a8dfff46641b16e9ff60127e093575c7358abf496236db364097a5952566979fba51a413fd4ae9818860c8648306d31a9acec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
34296384142666cd34c27cb2a35e07d5

SHA1
d9675137e7c96822a9cc5f91ef1993fb7662aad3

SHA256
80bc63e438d29e66ddd969df8a101a902f9b96ed5b3673a649ef8dfc09fb82e2

SHA512
4bd081527b3ddff59bb31c39743b974a46d5843cd5f23aa08b59a5737b775aabd67d774d3a5c47faec98187e17d59aec725ed9591e0190852ac88c775b034cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
16d4f70e4509300275fd319fa104cbb2

SHA1
289f774f3f10f28e858656ddb99250369aec8194

SHA256
f051659f7d04f519ac29684adaf138d4cc9cd5cdc21e7e7bd3f0a04b48ea95e1

SHA512
0e97893df8ab51a8d292bd0c1997685e39366e0d33bb51efdc29331198e7bccfb744af53023dbded18f47ab30587cc58aa3ac35c679001d19750397f9eb71a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f2594d74110872bd1afd6d0866177165

SHA1
0f0ba6702dc88379f703a58b26b510c5f58ed94c

SHA256
051baf293b0cce8c03c39f9b1fe030db6cf624ac90ba0f9943b809fc8e5a9e69

SHA512
49958e681e156ed0becaa0c40d1d80d8fe33675c94cd460812dadef1db497a10d8bbef4c73e6d5d0352bec49778386dbbc0f01ed75a8524b8b715f5722829049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bea62d2ec8d08116addc081f4da100ca

SHA1
6d47fc5d5932dfbbc96dbbd93154a4aad2d7d95b

SHA256
8aab8caadf7528919c34c7f614107dca957a9fdd65e53336d83abe9cdeea1c0b

SHA512
71fc4fc9917e9fd9d9acb4934be969e34d214d48a0c46ec7576a27996560edf8649c1aca2cd88c3655b2ebac59fccebb474718f46e63300000c385bdccd23bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7CFE9CB1-D582-4AAE-9653-5970361334DF

Filesize
170KB

MD5
7db1ce97c688604e7c5aef348e1c52f9

SHA1
38e5e4b73083bae44ec9a060237322765df0ca73

SHA256
edc08fd4d6884ed2e61c3f5b1b0c84017733c966e25d1b3bf15199d9eb0cef5b

SHA512
e162ab5dbf5bd71bd099af2a569f9b36918fd4e0a82c6311849a040c30632c27ed133b9fb280c8ca0bf3924565ea6806fcce7649d7e452f8ec563a8596581a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
320KB

MD5
1860cdd48aea9511bbd598c3d6e80ec2

SHA1
4d80fb389297d1b42330fc9cc043890b7de843ef

SHA256
c72ac8cb5ac91290357dd9c931f52757bd17d6792cc0b6cda581e4f97d72f035

SHA512
64718fa5631271dd34463b67d7c95c87ffa80f914f61d2dfd2b33262ad9e7aaa8e3ba5ec6b53e39c8eea8a8baa0b0364dfa0954d1192ab483e07dc1f8a5485e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
9d0c379214abdde6e3035d180bbe8977

SHA1
9fb19bbee3514f2df47bbbd3c4efbe5fd24c44c5

SHA256
1d272786b1d9bf6e090aa5e41e388e9923ba5406ebbade14bd92d703ed9327ee

SHA512
11e6dd78b06a6b64207363443c360e754412ecaaedda115c563df7e11b108d1142659107e93d9104a56cde0bf9ae2769b766a34a63b64b6b92cab1d5c30b3040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d3a59f3b73733b02badc0264f678df71

SHA1
57005c6614de9c59e198ce3148be737fc8452a93

SHA256
3d363d43ff5ebf7448973bf174211e71d82d1e6539152c048f31fd77a3170c6c

SHA512
6bf6eb9dbe7729102a3dda7dbd506ed5d911f7e1d467a6ff14146a8618e3cb972b8535c67a7cf1f0435b690fc71647b91aed9af0cee78f02e5f66e6c70b770ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
d34d6e5d648bac4f7b4e8c15f09bcda2

SHA1
be1594fa02380e7cda25af24dadbf45638130a3f

SHA256
30bb3e0f2aa4cd4a04e4468ef7aa81e0a4d83414da7cfdcc0462760533f407fc

SHA512
6c73fac41437021c7e8f5e7f84e6c9f1025650a2aef99d0806719812f21ef1f5904a37e9b8d1d58620d54a0954df845e5ebc70469b30db410837cba7f710a7e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
4dccd07177d99497cd148bb124caf87b

SHA1
71f93d6cd6d0fda07c685910781ebde30d32f265

SHA256
3bcce9fbafa641b6d0a6f1e4bccf630a87c74a9c291ad5c5f5075ff3daefab91

SHA512
f0ffca8318a98476648491157708b91e60f02b8d1f292c14e3f7f6b50d8bdc5772fabaf46d1288b7d1945acad2eec441806f3e29a353b826525a033342e65b62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
404B

MD5
61187da1a98c24ee726a7d6172206d8d

SHA1
a5f9ca276e19193cf2be4a96d0ec1a2870a73c3b

SHA256
37fd17429fb478de582fb9f825313a2b48412e3c060075df88b6b36ff9b27434

SHA512
33b5aaacd61e03bd83a52fe6615e101248a3d8b172357d37ac2b8d031a780f979358f7c4a10adfdb5816675b4fa2144be5b15eb8e6e309364d96b50864c79a29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
440B

MD5
a8f96197e5db67a4a6c5e387e695d269

SHA1
5d5117df2c292a0a60409dfd44fab1050d29c119

SHA256
deb5b5b3e26e657f58e3592f061deb3ebaa772651388f8443ad0ed56762aebca

SHA512
4551178ea7f4d0dbc0669b0cefda5a6392800a5c3f7e485288c6037cdc69fc69672dc7acbfd815a764d489c5e37e46a6ba5068b303606295048c167d53a919c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
99ba1c40b6d4930f8609b8cc5aeceb78

SHA1
1f890d3f3428f91c060bb33e292912e1c275aa09

SHA256
076aec3fb756eca895fd238e06181ecf566ecbce4799321e7d59920effd49b8f

SHA512
ee6442e8f963dfa92294b85119e61a47ecacf727df40e3c70c4b8d5ab8a3ba260d3c878ff812805e452d265a373e4b706a4f070a00ad77967af717ad2f448edb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
fd14eacd734b63bfe39486da14e6b6ee

SHA1
fca750f21ce57fd6aca21279a538adb8bd6ca335

SHA256
67abd1cdcd05e5e0d5a8e78685e1733b02a90733589319a273a3a3259059bf05

SHA512
362d4ae22c38afcad844d7dbef18fad9ea3ad73ce519bbbbf89a56fcdf5f9ef86e3e10bcd1b770b66db38aae6c5c49f8033db9b8a0436ec6ec36dafd16be408d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 392156.crdownload

Filesize
30KB

MD5
83db76da8d98912a453d76c19039528e

SHA1
d0f02f456cb434f99c2b13bd83c4594d83704ad7

SHA256
8db7e2e5ed9be31136665ba22c8300ddd031a250fa4f76a3a424d9cd55aa0a79

SHA512
d3d299e91529f7bc2c271276fad00805fd0cc525e41f9f570af8cf6d73a4dbaaeb3b809d32d1aa060ac9f94b8282fe962705411a6423fead6fac4dba9c7406da

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 921256.crdownload

Filesize
30KB

MD5
7821ff01f7dfdef867c9d610d335a5d5

SHA1
2f5ac2aef9fefffdd96fa0a9ad52c94940b32525

SHA256
69d093ed98ad47b76821a5ad4a2df5a04e2681c3495d2415147ebefab17be0ca

SHA512
1d6517f959b7efa1538f25f7d998306936d1d84a4af6b7202d3e24c5588869d35a82f636ff39ac6ae4b20932329e6ca7a1068cd664dc41553b77461f9fc2be1c

Download Submit
memory/392-359-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-360-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-358-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-357-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-555-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-552-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-554-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-553-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/392-361-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-198-0x00007FF889E20000-0x00007FF889E30000-memory.dmp

Filesize
64KB

Download
memory/464-196-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-195-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-194-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-193-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-192-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-197-0x00007FF889E20000-0x00007FF889E30000-memory.dmp

Filesize
64KB

Download
memory/464-284-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-285-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-287-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download
memory/464-286-0x00007FF88BF30000-0x00007FF88BF40000-memory.dmp

Filesize
64KB

Download