Analysis
- Max time kernel: 137s
- Max time network: 156s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220721-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 10-08-2022 19:06
Behavioral tasks

| Behavioral task | Sample | Resource |
|---|---|---|
| behavioral1 | challenge-files.zip | win10v2004-20220721-en |
| behavioral2 | challenge-files/challenge-files/2021-06-02-fake-gzip-file-from-supplementik.top.gz | win10v2004-20220721-en |
| behavioral3 | Stairs.txt | win10v2004-20220721-en |
| behavioral4 | challenge-files/challenge-files/2021-06-02-scheduled-task.txt | win10v2004-20220721-en |
| behavioral5 | challenge-files/challenge-files/Tetoomdu64.dll | win10v2004-20220721-en |
| behavioral6 | challenge-files/challenge-files/collectionBoxConst.hta | win10v2004-20220722-en |
| behavioral7 | challenge-files/challenge-files/collectionBoxConst.dll | win10v2004-20220721-en |
| behavioral8 | challenge-files/challenge-files/docs 06.02.2021.docm | win10v2004-20220721-en |
| behavioral9 | challenge-files/challenge-files/infection-traffic.pcap | win10v2004-20220721-en |
| behavioral10 | challenge-files/challenge-files/license.dat | win10v2004-20220721-en |
General
- Target: challenge-files/challenge-files/docs 06.02.2021.docm
- Size: 43KB
- MD5: f08771b9fdfe82caaa089641e2348c8e
- SHA1: b02c121597c9d56d7fab76b54834d5f3bd961e8c
- SHA256: cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1
- SHA512: 3bb2b582e7119c346473f78056f95e0890a3e74976de733739af9aaef810c4e62b35d7f81ec52acfbf675d3d501a048a36fa323ef76ee8843502424211b46ebd
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.

  | Description | PID | Target PID | Process | Target process |
  |---|---|---|---|---|
  | Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3268 | 3712 | explorer.exe | WINWORD.EXE |
  | Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1664 | 3712 | msedge.exe | WINWORD.EXE |
  | Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4108 | 3712 | msedge.exe | WINWORD.EXE |

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.

  | Description | IoC | Process |
  |---|---|---|
  | Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | mshta.exe |

- Adds Run key to start application (2 TTPs, 1 IoC)

  | Description | IoC | Process |
  |---|---|---|
  | Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.

  | Description | IoC | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |

- Enumerates system info in registry (2 TTPs, 6 IoCs)

  | Description | IoC | Process |
  |---|---|---|
  | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
  | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |

- Modifies registry class (2 IoCs)

  | Description | IoC | Process |
  |---|---|---|
  | Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings | explorer.exe |
  | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe |

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)

  | PID | Process | Occurrences |
  |---|---|---|
  | 3712 | WINWORD.EXE | 2 |

- Suspicious behavior: EnumeratesProcesses (6 IoCs)

  | PID | Process | Occurrences |
  |---|---|---|
  | 3212 | msedge.exe | 2 |
  | 4904 | msedge.exe | 2 |
  | 1664 | msedge.exe | 2 |

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)

  | PID | Process | Occurrences |
  |---|---|---|
  | 1664 | msedge.exe | 5 |

- Suspicious use of FindShellTrayWindow (3 IoCs)

  | PID | Process | Occurrences |
  |---|---|---|
  | 1664 | msedge.exe | 3 |

- Suspicious use of SetWindowsHookEx (11 IoCs)

  | PID | Process | Occurrences |
  |---|---|---|
  | 3712 | WINWORD.EXE | 11 |

- Suspicious use of WriteProcessMemory (64 IoCs)
  Each row is one source PID writing into the memory of one target PID; the occurrence counts sum to the 64 recorded events.

  | Description | PID | Process | Target PID | Target process | Occurrences |
  |---|---|---|---|---|---|
  | PID 3712 wrote to memory of 3268 | 3712 | WINWORD.EXE | 3268 | explorer.exe | 2 |
  | PID 3760 wrote to memory of 2912 | 3760 | explorer.exe | 2912 | mshta.exe | 3 |
  | PID 2912 wrote to memory of 4384 | 2912 | mshta.exe | 4384 | rundll32.exe | 3 |
  | PID 3712 wrote to memory of 1664 | 3712 | WINWORD.EXE | 1664 | msedge.exe | 2 |
  | PID 1664 wrote to memory of 4416 | 1664 | msedge.exe | 4416 | msedge.exe | 2 |
  | PID 3712 wrote to memory of 4108 | 3712 | WINWORD.EXE | 4108 | msedge.exe | 2 |
  | PID 4108 wrote to memory of 4188 | 4108 | msedge.exe | 4188 | msedge.exe | 2 |
  | PID 1664 wrote to memory of 2116 | 1664 | msedge.exe | 2116 | msedge.exe | 40 |
  | PID 1664 wrote to memory of 3212 | 1664 | msedge.exe | 3212 | msedge.exe | 2 |
  | PID 4108 wrote to memory of 3636 | 4108 | msedge.exe | 3636 | msedge.exe | 6 |
Processes (indentation shows the parent/child depth reported by the sandbox)

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\challenge-files\challenge-files\docs 06.02.2021.docm" /o ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    Command line: explorer collectionBoxConst.hta
    Signatures: Process spawned unexpected child process
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=614981
    Signatures: Process spawned unexpected child process; Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x40,0x104,0x7fff665f46f8,0x7fff665f4708,0x7fff665f4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10320315924394639336,7007195393034082157,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=614981
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff665f46f8,0x7fff665f4708,0x7fff665f4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11910678287943401164,11019011614159229353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11910678287943401164,11019011614159229353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\challenge-files\challenge-files\collectionBoxConst.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" c:\users\public\collectionBoxConst.jpg,PluginInit

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads