2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Resubmissions

14/12/2024, 03:38

241214-d7dwhstkgv 4

14/12/2024, 00:39

241214-azvmhstper 8

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1004	explorer.exe
1040	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe
2352	HorionInjector.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	HorionInjector.exe
Token: SeDebugPrivilege	5604	taskmgr.exe
Token: SeSystemProfilePrivilege	5604	taskmgr.exe
Token: SeCreateGlobalPrivilege	5604	taskmgr.exe
Token: 33	5604	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5604	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe
5604	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1004	explorer.exe
1004	explorer.exe
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE
1040	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 372	2352	HorionInjector.exe	83
PID 2352 wrote to memory of 372	2352	HorionInjector.exe	83
PID 2892 wrote to memory of 3816	2892	msedge.exe	112
PID 2892 wrote to memory of 3816	2892	msedge.exe	112
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 2632	2892	msedge.exe	113
PID 2892 wrote to memory of 4548	2892	msedge.exe	114
PID 2892 wrote to memory of 4548	2892	msedge.exe	114
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115
PID 2892 wrote to memory of 1524	2892	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\WriteOpen.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd34cf46f8,0x7ffd34cf4708,0x7ffd34cf4718
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6905192409251876698,2594704951950427948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x51c
1⤵
PID:2028

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
030b68db7ee1939dac0df0ff6be92092

SHA1
2b02ba140517bc9faaca1f1c1dcb027e6fa475ef

SHA256
a6b2f0e5c0e4cdacd904dd7119223715ed87b7d350463664c3fb97bf3fbb84b4

SHA512
ce70d6e8d87a43457b77f91a83cf731faeec833065005eaa857bd759920f070e95a855b0f7617f642bb74b4c6d5c82f988a66f4e8ca9e47810f1aae00cb8db32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
67713631e9b23d60416e99b5b9dc5fc5

SHA1
64ace26e5b30558874eeb5efb919d52ef2dd5817

SHA256
964f4d19d9e68bebd0d3eed47d2d83922f755f0b52cf66f52ec4e9c6de6363bf

SHA512
5f046254c2ebfe90827bf2b2f41f847a29ee86a1ea9aa362aa39254b78c8d29f5578ee799b3525a5acab8a3c472b736fcb87390b8e4b4577e0282f3772f89723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2c257cac6066d9ce74c50f5df10b1e0d

SHA1
33d4449289598512b414f82169e24fcacfb2a604

SHA256
dd6a00de8fedd768bb582aba0ead822dfccdf5d99c7ff00201a86029f23401f2

SHA512
1b0413c63a842bed39e8181b7c746f681137402dec38f5a2459cdf2643f9a8f1cb7f295ceea678ba68e2396ad7172dcce364b6c33672bfefe367cecefe8ac7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
36237348e5ec6838ee2b61953d5bd573

SHA1
479c6e72cae1ef2942e6f6390d76f1d7dccd827b

SHA256
7d777addd5853b43d45463e38c7ee46369c2b560c0964438602d1ef0688d5dc3

SHA512
2f4ed6e3da2fce1f8d0b0c61abaf4081de9966f8d3b9d6e075354c4d946fe698a3be3c86d98e35887afe67225ead9d076ebda033aed25acffc01a2175d5d7deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
1651c0606f9bc4ac06cf3b67c6262f15

SHA1
a95617b93f0daaccf9ca135db66b74ccac52d503

SHA256
c47c70d2bc8cf78111bedf56fc122b43a1d526a1df2272d05dab864d0f3f4fd6

SHA512
ca5bb0d2036847850c72b57b02931d432838953b3d445256a5033c11c22a4ba18b0cd6941fb24a30c2114443dec57069fb7a8e1e1239b600b4dd995c3956c47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10fc3cc70e72c71b46dc031a2d6e771b

SHA1
e01fe51dcaaf01b3dd902616ffaa79a44a8a77ab

SHA256
b2e327b51e932cda7d6c1070a953c11964380e37a0f6dbe9f3387c44b8605513

SHA512
4d81a274cd3dc2fecb7d207663e70d2a6e61be8441fb6980f720bf7f10007514ee8375c8b7a9a350b564a1156eba6c69515eb578cbca00f9e5951d65d82bddb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
12f7fd91196c2f1b5237456bde7e020b

SHA1
b5e2e1fa4e4c3075b62ceed1d0d981101c811c09

SHA256
e81c528524c2c4298906574d18424994eec4c54603476b7b02b1310ff4c38d9e

SHA512
07bb33059bac0cd4b3d1cd279da0732dc8f33fbeedb91c03dfcf0f453d3f852ce2f2c769f51f933413e168cf2c0f1447663f130333747ba2c58064fc4e20e612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f3d1d0d0ffa1d6261a247c0fd3be6fa

SHA1
3cf541c95a3c4deea3b411b2bdea270fb7e1f56a

SHA256
d11eae57550b8970353587f6eca0e75a56a16fd31affc10f2d0789a8690fc652

SHA512
76ef69d6d9c93c8c0fe59975046f1b9e938ce5d4daa9dfb69c630f67f57635f662e2b03f1ec5fb7f5361f2a4ab9e399f5634bc2d47dea4da77d609a4c4fb6e3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3c2c872508ee37af932e53f57661a221

SHA1
0bffdf8fbbaefda346b0e293448c2568bfa590b5

SHA256
f67b81b8d6710743a0dc2162f89c807a0dc8d283cfb31d917caedc5076880be9

SHA512
c41847999ee79fa966128d030c34e3bcb5920ebfc9e83165a7c6e826719bddf42b4814ed280983b727b00101a3dbf1f7d3a300dfe6f05c681a75e9650e9ca133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
efe107e71ea7669c4babd540dfc58606

SHA1
cf37d8f2066f09bc8c3401b91049b3f2b4e81935

SHA256
eabf4c06d51a8a2a191e313563bf54cfd68b4b741597b3a700ab7b78e74b496a

SHA512
98992ba236ced1615b79632534515b40022b8800598432eed2ecb5d36a111703ec3c432ecc6b002d2c35ce1022b6723660c24123ae0f30ad05625f82b55fd4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5e424d998ab31b2b8979d6f9b9b458f9

SHA1
382e713b057df7d4cc56fb5db54c2b05299e1b27

SHA256
ca50e133fbdef0cde1c2684afb6ed6459547ce340f82d83b97536fd6709bae3d

SHA512
332533d829342b2d2cd497bde5a0eece1d7a1e6de9c3082b4b694c39e3adc2a0a66e32cd0f47c4f95327bd8280dc934e1ddb463bc84a498fe01149f34198c370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
aa3a738c3a759604216b0f815fadd644

SHA1
8fb9d6bd6b142e913c1e4b8e9606b362bb2f721f

SHA256
ab119dfa6fea197ad9d468ecae808e69abb204fab5e25e68c95f48a093c29327

SHA512
0c445617d0de32a43abca4cb4f2ad30e30f96b0da54227649063396c0df151c16ba476038a603d307333c1312815029068ae7ee38bb137c774f5e2cf8daea13f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593a31.TMP

Filesize
538B

MD5
0bd167b844771ec9bfa8b06517c100c9

SHA1
8e3387fcb3735981cada8055df4130746afc14e6

SHA256
93f520541698f8a30959a4fedffeaa037e6e94a4cc15d04231e516bd604d2710

SHA512
7bc71c07ce8da2297e692dd9572e52fc118a32adee42e5c42af336332ecf4313bd2e1a834bc1d8e607b44bdbbcfaa3bb0de38a2896c0573b7977ff81e3cbfae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a7e7cf2a1a5e708a6721fd9903e7bbda

SHA1
920d202d6b2be1742b074dd15a27b63ba42c7e03

SHA256
2266f0df31e54df3e378b310bf2fd5b81b8c312df57b1dbe267786138f0739f4

SHA512
7bd683b659c490d7954e0c2ae9e9a61f6d192145a04fa54bb94afa987b7d50771e225df0edb3bcacaee9571eeb275ceef45d5095d775dbe93978a6061231dbc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb8caec5bb3d87ae731a7b19a6432a03

SHA1
fbcab0b27777d5029265ff654b354e3774a4888c

SHA256
672a12586383788ddbceeb9cf3265ee03186f43ea528560752cf4cecc4eb0a58

SHA512
e4e8916e92a2202f931da9d270fb5a57634d68d7ad2c5447264e25f8bf790541cf901ef947b9f01d0efcef97b52a0a47eefdcfd1f22009cf0ea3337d43c1473b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4b0548b2b2ef4deb0cbd4a54f2483b2e

SHA1
7248b8a21e4c770e02e45024d728ea54fce72299

SHA256
7a239714eda33a5024a7b9307b0e45962e18a03ae06eb24f533ad4662b850363

SHA512
a2356c1385a5ef63f3141896c00629d4c21e4d79eb4ba71d16ec0e825bf12b908c41481f08b1a41d3e82b940d6ec97b4d36b11ccfa1db14b738b48ae21eb53b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
6d2c19ad2886e9fc38069f4b4bcf943f

SHA1
d8008d4feab27b3de00f1a19f4009492da1d2b79

SHA256
ac3f40c76a1de7fb905afc7adf6414bd9b4c774f4a2dd199891302370b667e59

SHA512
5cd1a26c156d7f9f8a37eb702aeeaf6c4523f927963d278afbb1843ddda5013099ad035240b4d1a0f755e7bab063251e83ce7c2676c295b5872b12935f91573b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
377B

MD5
963eb59dd313f76f46b3e2ae3b9a3594

SHA1
491eba5e089c471e0383518a15d8c44584d389db

SHA256
8e0387eb52cdec75c83d9cf1f29ee9e50317f5d3d539e7894b8bfbc2751faba9

SHA512
f76c9471841b8508198a1135a8009b7bb8b43017877c6b0941689cb0fca2d2642240e8e59782f24f8758a475155aac38c16f80c5ef88f0f2cc1e7bb80a042273

Download Submit
memory/1040-21-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-63-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-60-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-61-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-62-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-24-0x00007FFD11390000-0x00007FFD113A0000-memory.dmp

Filesize
64KB

Download
memory/1040-23-0x00007FFD11390000-0x00007FFD113A0000-memory.dmp

Filesize
64KB

Download
memory/1040-18-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-22-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-19-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/1040-20-0x00007FFD133F0000-0x00007FFD13400000-memory.dmp

Filesize
64KB

Download
memory/2352-14-0x00007FFD352C3000-0x00007FFD352C5000-memory.dmp

Filesize
8KB

Download
memory/2352-3-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-7-0x0000021F2FC40000-0x0000021F2FC78000-memory.dmp

Filesize
224KB

Download
memory/2352-9-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-8-0x0000021F2FC00000-0x0000021F2FC0E000-memory.dmp

Filesize
56KB

Download
memory/2352-16-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-6-0x0000021F2F7F0000-0x0000021F2F7F8000-memory.dmp

Filesize
32KB

Download
memory/2352-5-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-0-0x00007FFD352C3000-0x00007FFD352C5000-memory.dmp

Filesize
8KB

Download
memory/2352-4-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-17-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-15-0x00007FFD352C0000-0x00007FFD35D81000-memory.dmp

Filesize
10.8MB

Download
memory/2352-2-0x0000021F2BB00000-0x0000021F2BBBA000-memory.dmp

Filesize
744KB

Download
memory/2352-1-0x0000021F0FC40000-0x0000021F0FC68000-memory.dmp

Filesize
160KB

Download
memory/5604-667-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-669-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-668-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-679-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-678-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-677-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-676-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-675-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-674-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download
memory/5604-673-0x000001947F680000-0x000001947F681000-memory.dmp

Filesize
4KB

Download