hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Pony

Resubmissions

21-11-2024 01:00

241121-bcm5laxhll 8

21-11-2024 00:58

241121-bbt7hsxlby 1

Analysis

max time kernel
136s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Pony

Score

8^/10

defense_evasion discovery macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
behavioral1/files/0x001a00000002ab83-204.dat	office_macro_on_action

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
1	raw.githubusercontent.com
29	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{894A1065-3C73-4C76-BFB3-D4A5B4ACBBE4}\8tr.exe:Zone.Identifier	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXEmsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exeWINWORD.EXE

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\metrofax (1).doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{894A1065-3C73-4C76-BFB3-D4A5B4ACBBE4}\8tr.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXE

pid	Process
1452	WINWORD.EXE
1452	WINWORD.EXE
800	WINWORD.EXE
5156	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	Process
2920	msedge.exe
2920	msedge.exe
5056	msedge.exe
5056	msedge.exe
2960	identity_helper.exe
2960	identity_helper.exe
2216	msedge.exe
2216	msedge.exe
864	msedge.exe
864	msedge.exe
1664	msedge.exe
1664	msedge.exe
5496	msedge.exe
5496	msedge.exe
5496	msedge.exe
5496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

msedge.exe

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXE

pid	Process
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
5156	WINWORD.EXE
5156	WINWORD.EXE
5156	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 5056 wrote to memory of 3600	5056	msedge.exe	79
PID 5056 wrote to memory of 3600	5056	msedge.exe	79
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 4192	5056	msedge.exe	80
PID 5056 wrote to memory of 2920	5056	msedge.exe	81
PID 5056 wrote to memory of 2920	5056	msedge.exe	81
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82
PID 5056 wrote to memory of 3844	5056	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Pony
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1452
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1428
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  2⤵
  PID:504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,7752358632731631632,6242794710207956139,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:800

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:800

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
af823ecab81c2f4e8b28b35965cc10cf

SHA1
5fc0fef3b39338df80644d4233772a10f16f857b

SHA256
a0838da2c827f4b0107d1610b57f650fb4746ccf4877aafd940587b6b2b6e397

SHA512
e0aa03dcbbe9d5f5138af7fd5cfd39852e427697dba51f97631f92cbd1acdb2975446ab073f64aa898aaac2153bfd78124bbd30943c077c76978f64edee091d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
218834a06cb57bf156e6c443868a5231

SHA1
9977d8d0b4e4006445465d32f454361f2d5d0916

SHA256
6487d576e73ed69a6084024533bc6f87b468e22f0d202204b7a2b74513a4d2a2

SHA512
d85f337d5bf834774d9e5ae8e767cdfa9e69f83cb847f2555aa838fd8bfec90b2386d09bf80b0824b433a67b38913a2722fad303f80b581cbe59e79538dad4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
221KB

MD5
28e855032f83adbd2d8499af6d2d0e22

SHA1
6b590325e2e465d9762fa5d1877846667268558a

SHA256
b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

SHA512
e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ebd6a00ac3bd140e0fe1292bec9e8978

SHA1
953d607ba89784384df2ea8f2d40527c8543b464

SHA256
2eccd55189e74b972d276acdcd96e95067e76305bbe983f6e9a4a715c8b6e8cf

SHA512
0168d8b4349b8583de2f4641a439ce5e7c088ef98da51fd2e4d1496d2aeaea4e49593a77e0d107d46442a5003677ba8ac7ee5692c802207e06e231186902920c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
e51401bdf1eae288a9ba5d952ebb3aa9

SHA1
5effd82fee8231e1294fd404dd1f10caf5c41fd2

SHA256
a08ea4c022c5207583d92dedf27194f6d81335b90bef42e90132333220a52fa2

SHA512
f777e86f2eb64d2c31afba76f544f9a65392b0d77de18e16d6a2b5534f43febc083f757d37c0719b29b556c5f73b1238c0857ee7b9a6e18c0c9c99ca54133edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5c79548d677c856a46fae9648caf3b3

SHA1
57c9942dee6e959f5be2290d37696c6316d74b8f

SHA256
150228975cc81bc8aaa95e66f9320ff8e0176e7d0062fd53220dc5288cd10606

SHA512
7ad819f4874e9e16ea5fdb0054936c8b01cdb84b869d2be3f1aa3e5630543e21199d147955de19d3c6d2118c6c9efd3d288f067e0dceee95fae49e53ea638df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24cb2dbd0368dd394b85a743261d4262

SHA1
0e54f647f9aa2f191915a5b1388dc474a6ffce52

SHA256
3cdfed03a2d27315a402bc51a0a7b7f493cc1940d4381c4b86dace4975ebad32

SHA512
8600eed0afce0cba923b39864b295cdb00a3085d358838c66c87fba419b9a341386a6d30eded6f50931698c184523b608393282d7cdf6453638b36becbbc0cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
75f56ca25f9aba3907454288adccd125

SHA1
470cc3c992ad5133dd8ff611e0cc99b6fcdf5c27

SHA256
d4c3dfbd2aa3ab1ec49afe07e84b9bd8285719da22c913e83853230c2c33a977

SHA512
1b07482e61e1280eab3585d30b99d07cc86b99c16eb14978648c8bf0abef14a965cf44127b9860ba49659db8a76fd0fe5af41982d5216ab84cc10f1e1ceae5a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1b09ac126ea000f70f0950b870433253

SHA1
e429600ae7535e0aa239c00c1f1d5d68ed9f9f9d

SHA256
90dc8ca026b5369d4f1f58c56d2618232bf85b961e112f3c903e83691d9a61c3

SHA512
b71bb0930c850468e013bd31874e6c145892034c0e71c7cc397f36b587603e99f4d717bdce4812a2deceb7dbd5172c41b7158ac7e20c69dfc64e88adf0eedf75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582ff4.TMP

Filesize
874B

MD5
258e6ebb9b2de671ca317279db3de612

SHA1
1532221dcb7e822fce5778f0b668a9ca935e550b

SHA256
42cfafb18adfc3e7b7135faec52d9f6d619c4f127925479026c5df77feb620c8

SHA512
ccb6a2745732ed9bb479207d3d3e4c666c1662dab6635cfdc4adec7161f9f53bf97b5ec68584ecc5a444e2c4d38915257b73e64ae6d3ef5e99fb885191a1674c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86a44e800359cc462b9cb88d05f92adc

SHA1
e3b5b8af97c5b21c5d07c2261d2953bc603349c9

SHA256
9fe6ef343e26ca540d1ee3c10f3347f34d0ab03159cd269879d497fe5cebf6fa

SHA512
5750b5128358424f20fa25c8af1ed2a2dfc12bb2e810169b82b03d5270dcba89b37603c67fa2bfd308b353ba99d5d0d036dc9ab35d5578b6c1766dc71ce0f0c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dd2f88f33565f94333b36af1e815e0da

SHA1
25ce70ce14fa25c4f4367de23cd068251ff45ca9

SHA256
1be1371134fac4d5ab555f7303271065a520fdd600415804ea0b291f770a798a

SHA512
660aa1ad5c881c33b82799380d6a2ac420e91cb84d5bea7ab21a091e95bb917d21d24ec98a24be27f4380a281fb2320dbfd230a666f26c4d4259253543d8400a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
99371bf34c9739b51b41f3a83540555f

SHA1
250c8208c1c6b4ed15f19e044b026e94c9072938

SHA256
0b56cc7266dec54af08a4358e133082749d9081807fd09b787fd96b76fb3c487

SHA512
91ae7e7eca44821bbbb7ed20223f9f592b4e90679c66c7d2a0c3deafb51217a17f01be503ac9ae75dec35e2f92b91908a51a67b62b860f647fc07225380b3afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6eaf4e8b060c418177bfde9ac1b4e557

SHA1
49aa732eafb7b38c209050e74c695adcc3aa4770

SHA256
42f432fe0d00a302bb5ba22a4306ea361cf2afbb4c92ef9aa044efddc4bd3541

SHA512
a1bd0c85826b15005e7a2eaedfe30b54ecff9262ae9c91b145676524f3260895c4869d27967284ea448f087758d3293eec0302bb2de3ecefe0f1674dc44c89cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8829913E-0B05-4594-967D-3515B03AABA5

Filesize
174KB

MD5
c4359902782a1b75e95f6deb4373224c

SHA1
0ffdce74f8c8678910ea58305825458ce41e5a26

SHA256
4063ced730329d80a2e60f83a2f98a55e7545e7a0445a2aa8f02132916ba5eee

SHA512
d5d3e4778433567c2c3030f96245361a4f30c52a664a7e05b048da42f191d83911c1b7330cceeeba2461b6a0a1abd4ad14dfa5b7462d41622b884e88b0bf66a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
cb2c0ac55b36810798679fee2c9e0fed

SHA1
29ad132b2a21f2755ac8c69bc349a6d22cec43d7

SHA256
0658f9b0bb4037776db1cf6dcfb83df6a3a40857789c68f8d9106c7eb6345b5b

SHA512
4ddfafb6f2a4689d853dcfd65a3c1be6d221286deb41fd1a9554e2c463f3125365165d19bbee14183f5b641c8a8d401b0dfe556adc4fd4953a024fa3c9e838c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
12KB

MD5
4871d91385b373634ffd25d334acbc54

SHA1
f9c17c21018555d5eee41121f22ea87823681916

SHA256
f696d39a24d052ff01af3ae510cc2925905dfa6e7e5419ea36744495b9a4bc9f

SHA512
e0b8e0c487941c7d909e269bafcaed8233de8c262f689983f3dae127b945ea891319afa5309f3d317e71ef9c7acbc5cf6df518322b803c8025495c1b59c7e30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
93b64677d6f8732b59a9d9b6d60ded64

SHA1
91a7eefa5d5f39bf0e3055ea301c374d8be934b0

SHA256
327f0f40fa815c39790cae27f43b88aea0793a8fc5d1e271c06a8453fe045788

SHA512
687054f819b544d35f019cbd83229068fa7c1cbe6ef543eab2e92006dfa818a44ea52ad8e0dc7ec44e1d531e4c379d50ae8ffcc7a471c036485c84813094b7e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9F5A988A.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp

Filesize
18KB

MD5
ad4004f99816478be2fdb068391cbb9d

SHA1
4270c9d9c3bcc8c73861fbd37a8994069b11e861

SHA256
6f839db3aab486128b2ab91128844c18afb6cc60200ca6791e45eec5073d8803

SHA512
3c5bdd9d424b6347c3165f8d699518cb983cc9993f83b3e921faaff1b9031dda9da015d6ca7a1b4cac002b4d45c5a2e635752d1cc2de840e87b0004630548c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8E53.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
fa841f55f7a5f47a29e8a0e9fa29982f

SHA1
e005361c2d95289471ac0d4124faaf550acdf705

SHA256
b82f8baa5ad0f5a50041953fbf9382eced46c459ed1441c39dfc3713159c21a9

SHA512
45e9440c313a4afa88bb79219d0bf434957914706b3e4f0d67dfc012a8ee3579e19546ff9cd93be41482236f6f25f40b3a31158a95361a2f2266e79b5e1affb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
7a9f41c8823eca295647bfe2a8478b88

SHA1
280be7c132be1cc52f73120c6fc5009f7b7f26ff

SHA256
9578b78662ddca12e70a98a111fdd5f7ab295ae05a1de9e640e8dff7c569c3ed

SHA512
9b8bf4449120ec5c30019f357165aa1ea85582684c3a3cd7e0873b8444e6febaa19c5d881898f4881c16aa2768c5e32d4bf7a99abede7b51f2e524eb8778f66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$vbhja.rtf

Filesize
162B

MD5
62053f536fc7dee8e531c01e9bf51d4c

SHA1
58da308f0fd0ec6665207cfd957e05666dcab24c

SHA256
ab5bc7658e80f5149a36e986b9316bf1c5068363bdd15d61af094084ef0b1b44

SHA512
5ae50c93dc2577c680ead3fcf7ae570a5752479705a0e79fde0602d3bdf4405a9badf9a818e2801d22835a9b9f8c4743a846d0c7ca4b97602659d2b1e386413f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
334B

MD5
73a024b5e8e3b0523defa5d2922b0eb8

SHA1
4b92a59bb36bab4b9c5e4db08a76adf0bee1ec26

SHA256
7948face1dd73a8b01e923421e1805f4148856d2d04849dc5a72c1dcd11f741e

SHA512
527a81cc1300049a3052102326ad285d36f56a8a7be8a5f3cafaeaf320b98a8a971da41f9a09dcfd909ad577663e138de3923e659dec1f728c34265fef895f72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
1ee411532dffe4271acbfdcd0975fb65

SHA1
e5cf5633a60febb7fced585834af8663acd8ccd5

SHA256
4325d7267989217ba0bf727cf11390b8fa6282732eef7daab8f0f5c0c88381c2

SHA512
db3421e6955bc8a35f42942d1667ee0dfc2aa2111898a86e749f388c33ca8f024b477b9dba69ac21a0a75424febd36d1abe4069ee39b107499e701ea49c5fa0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
684ecf8dec3bdbc42056ff81ef91e1b5

SHA1
163a2ac800c72e1698f4602c43fc38e477f464b3

SHA256
67f5b3f560af81a026c0927177edc699fe17d18840f4f5838ef9e1cf907c194e

SHA512
2993912b43d12992e62dda668ec77984abc4d4828d03cd610c0d37355ca80fd86f688d5b0ecc2ea5e4e21d5c9ff5aca3fef0ff9a7f405c4087577d0d900f372f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
e36e08bdf585c358c8d869234c46b581

SHA1
7bfddcb20f4dbfd76969d39eae90fb24798601aa

SHA256
92cab239f8b555b207ae72c0ba86cecd62f05e2af2c72441603b0df782693af9

SHA512
5738b89a878b1852850cb6f39fba614c6cba959d049bd4a59e24d643c868298b373b476b4322a38b87b713b5110dc8eee00731180bc885b1860fb149aa735d7a

Download Submit
C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\LOCAL\crashpad_5056_EDFPDVKMHGMSJYKD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/504-352-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/504-349-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/504-351-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/504-350-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/1452-243-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/1452-242-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/1452-241-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/1452-240-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/1452-239-0x00007FFEECCF0000-0x00007FFEECD00000-memory.dmp

Filesize
64KB

Download
memory/1452-244-0x00007FFEEA4A0000-0x00007FFEEA4B0000-memory.dmp

Filesize
64KB

Download
memory/1452-245-0x00007FFEEA4A0000-0x00007FFEEA4B0000-memory.dmp

Filesize
64KB

Download