Resubmissions

16-11-2021 12:04

211116-n8q8cadfh8 4

16-11-2021 11:58

211116-n5f8zadfg9 3

16-11-2021 11:55

211116-n3qpmaaffn 4

Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    16-11-2021 11:55

General

  • Target

    ModuloConfermaIndirizzo_2016_56.pdf

  • Size

    89KB

  • MD5

    3e4e9232f4a973055eef13a2692ffc54

  • SHA1

    94cc703064b56a0416d884be1bf6a2edb66521c1

  • SHA256

    445f1576ff067209bd366064032e5826ef4b3b0e6b299184443053be75e49289

  • SHA512

    e6958ff09ca3ac3e826ce80d91c319d67390af75632a1012694799999ab9fd6b9a00e147b62fcd681fca76502a0fa2ff345af97e7754d3dea3c4c9611258dca6

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 6 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ModuloConfermaIndirizzo_2016_56.pdf"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=96349C434B80AFD92B7739CC90A49768 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        3⤵
          PID:640
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7C9833741E8062C1133AE21132438FC3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7C9833741E8062C1133AE21132438FC3 --renderer-client-id=2 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:1
          3⤵
            PID:816
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AC854DFB4D9047923B905391A50F174B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AC854DFB4D9047923B905391A50F174B --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
            3⤵
              PID:1128
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91147B65E5623BA5E4D91749AA82D248 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              3⤵
                PID:2084
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C24399BEF6E9B4D35B86A670290F26D4 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                3⤵
                  PID:2724
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF4DFFF12824994F964FC8F230D8FA9C --mojo-platform-channel-handle=2508 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  3⤵
                    PID:2776
                • C:\Windows\SysWOW64\LaunchWinApp.exe
                  "C:\Windows\system32\LaunchWinApp.exe" "http://www.b-soft.it/FOTO/DHL/ModuloConfermaIndirizzo_2016.exe"
                  2⤵
                    PID:4568
                  • C:\Windows\SysWOW64\LaunchWinApp.exe
                    "C:\Windows\system32\LaunchWinApp.exe" "http://www.b-soft.it/FOTO/DHL/ModuloConfermaIndirizzo_2016.exe"
                    2⤵
                      PID:4728
                    • C:\Windows\SysWOW64\LaunchWinApp.exe
                      "C:\Windows\system32\LaunchWinApp.exe" "http://www.b-soft.it/FOTO/DHL/ModuloConfermaIndirizzo_2016.exe"
                      2⤵
                        PID:1728
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                      1⤵
                      • Drops file in Windows directory
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:3756
                    • C:\Windows\system32\browser_broker.exe
                      C:\Windows\system32\browser_broker.exe -Embedding
                      1⤵
                      • Modifies Internet Explorer settings
                      PID:3728
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of SetWindowsHookEx
                      PID:4488
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Drops file in Windows directory
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1704
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                      1⤵
                      • Drops file in Windows directory
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4664
                    • C:\Windows\system32\browser_broker.exe
                      C:\Windows\system32\browser_broker.exe -Embedding
                      1⤵
                      • Modifies Internet Explorer settings
                      PID:4968
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of SetWindowsHookEx
                      PID:2164
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Drops file in Windows directory
                      • Modifies registry class
                      PID:2372
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      PID:4672

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Discovery

                    Query Registry

                    1
                    T1012

                    System Information Discovery

                    1
                    T1082

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
                      MD5

                      0db264b38ac3c5f6c140ba120a7fe72f

                      SHA1

                      51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

                      SHA256

                      2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

                      SHA512

                      3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
                      MD5

                      4cfed7683bbe8134400d855ef6c5092f

                      SHA1

                      cf1fe7732989a671da1c11e0386cdfeb097cfb2a

                      SHA256

                      6528ee08a4c05b89cb8c2ccb344c7306d5d44c4467c5e4104eede127d0c1243a

                      SHA512

                      94bf36f3f02267f80d8fea6cbf67b1d5368ce3d2a43552ed234a6b3f840a183f01a2ff079bb6a5728b1a6569226b58bb18bcd318b3bd6ddc401e8ceaec4325fa

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
                      MD5

                      99fac9448f8a161abbd89f141699a773

                      SHA1

                      49546849287236d12541d249af40367c62e1657b

                      SHA256

                      397fc3b4ca56b039fdfc4c7b72e2a872fcbabad9d4221bb3fdfc8e0db7192fb0

                      SHA512

                      e70340f865abe0160879bc8a3035bb62b571952f73b353b4d6631b6d2a0f74c8a4cc6aebc8406fa3712d30e943be63e63c7c40d4754a3069389ac742dd2d88bd

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
                      MD5

                      d96e7f9a6f64c41d30f7f74d0a7d05bc

                      SHA1

                      d268c38769f9a4e4919c2979e572d5ed6b6f82ae

                      SHA256

                      a55ad29731d26c2f31cfe9e127f80e02d4f7305817edbd48ebbd49bc99741b8c

                      SHA512

                      de5713ad196cfad626bf1e79bb36891b764085e1fe2fe02e3a0ceb9e16c2a9d449d68ba2788933019bb402ad3fc6a2c9978438c6772bfca9fe53d07c4d94e4a8

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
                      MD5

                      6c98fc3297d33b9f32d56c8e96bb25cb

                      SHA1

                      2de589163a84f91f3083a55ab53d31b5e9625757

                      SHA256

                      a571912432b53a3b63e7cc0241daded9a4fc75860092efd4454e510174360bc7

                      SHA512

                      f2d50befc88ccd099f47e773e59f1bdc4d5efa5d8e158cdbd607cac90f1528e860400fb40fa8b305a837d3153ddb6d277c4b99ef40e48250d9ea3f41d7fec5b4

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{454D8153-045E-487A-9208-A62DBEDF8773}.dat
                      MD5

                      422f4f392508aec167107f542420a261

                      SHA1

                      256bfa3bd4a888642fe24f46189448c20af9084a

                      SHA256

                      2d5f3514f6a7d278e736f525f4b20ba724e08e3f62741eff704c85625fd18afa

                      SHA512

                      56072315e579ab6eb792f85e3e14a8cebc37afd69587c2e5e9526314a01e02cd8b39cc6a874b7911c1d60d931b9652235e00733a5cbef3e2a819bb76fe83e8f7

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{1948F61B-49EC-4012-A5D7-C8266334BD52}.dat
                      MD5

                      444bd73a20db7b66cecea28ad3667c8c

                      SHA1

                      55cfef668e1b857a14ba5f344fe3d64ca99ab3f2

                      SHA256

                      c46fe51da0eb80a01792b1bcabc0025a80b2de3a13ec28f072c2568ecdf0e41a

                      SHA512

                      28362af2c159be18c710882cc46466ece96ca0fbe1e05b5f218084c0b2167543207a9d84b636b954c5bc53a7557e04f524c2f687893e6dfa81b9bf50fb95303c

                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2274612954.pri
                      MD5

                      0db264b38ac3c5f6c140ba120a7fe72f

                      SHA1

                      51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

                      SHA256

                      2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

                      SHA512

                      3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

                    • memory/640-119-0x0000000000C40000-0x0000000000C41000-memory.dmp
                      Filesize

                      4KB

                    • memory/640-118-0x0000000000000000-mapping.dmp
                    • memory/640-116-0x0000000077AC2000-0x0000000077AC3000-memory.dmp
                      Filesize

                      4KB

                    • memory/640-117-0x000000000101A000-0x000000000101B000-memory.dmp
                      Filesize

                      4KB

                    • memory/816-121-0x0000000001015000-0x0000000001016000-memory.dmp
                      Filesize

                      4KB

                    • memory/816-125-0x0000000001030000-0x0000000001031000-memory.dmp
                      Filesize

                      4KB

                    • memory/816-124-0x0000000000C60000-0x0000000000C61000-memory.dmp
                      Filesize

                      4KB

                    • memory/816-122-0x0000000000000000-mapping.dmp
                    • memory/816-120-0x0000000077AC2000-0x0000000077AC3000-memory.dmp
                      Filesize

                      4KB

                    • memory/1128-128-0x0000000000000000-mapping.dmp
                    • memory/1128-127-0x0000000000D71000-0x0000000000D72000-memory.dmp
                      Filesize

                      4KB

                    • memory/1128-126-0x0000000077AC2000-0x0000000077AC3000-memory.dmp
                      Filesize

                      4KB

                    • memory/1728-146-0x0000000000000000-mapping.dmp
                    • memory/1968-115-0x0000000000000000-mapping.dmp
                    • memory/2084-134-0x0000000000000000-mapping.dmp
                    • memory/2084-132-0x0000000077AC2000-0x0000000077AC3000-memory.dmp
                      Filesize

                      4KB

                    • memory/2084-133-0x000000000101F000-0x0000000001020000-memory.dmp
                      Filesize

                      4KB

                    • memory/2724-138-0x0000000000000000-mapping.dmp
                    • memory/2724-137-0x000000000101D000-0x000000000101E000-memory.dmp
                      Filesize

                      4KB

                    • memory/2724-136-0x0000000077AC2000-0x0000000077AC3000-memory.dmp
                      Filesize

                      4KB

                    • memory/2776-140-0x0000000077AC2000-0x0000000077AC3000-memory.dmp
                      Filesize

                      4KB

                    • memory/2776-142-0x0000000000000000-mapping.dmp
                    • memory/2776-141-0x0000000000FB3000-0x0000000000FB4000-memory.dmp
                      Filesize

                      4KB

                    • memory/4568-144-0x0000000000000000-mapping.dmp
                    • memory/4664-147-0x0000021237920000-0x0000021237930000-memory.dmp
                      Filesize

                      64KB

                    • memory/4728-145-0x0000000000000000-mapping.dmp