cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1

Analysis

max time kernel
1686s
max time network
1135s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

docs 06.02.2021.docm
Size

43KB
MD5

f08771b9fdfe82caaa089641e2348c8e
SHA1

b02c121597c9d56d7fab76b54834d5f3bd961e8c
SHA256

cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1
SHA512

3bb2b582e7119c346473f78056f95e0890a3e74976de733739af9aaef810c4e62b35d7f81ec52acfbf675d3d501a048a36fa323ef76ee8843502424211b46ebd
SSDEEP

768:u5WkgUEeFPIlj5oQ0fUDjxXSwU/+BtgKpyAAlQg6DPLFXS:plekVoQTCFmgKpslepC

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	392	1548	explorer.exe	57
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4336	1548	msedge.exe	57

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4536	3068	WerFault.exe	90

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1548	WINWORD.EXE
1548	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
4336	msedge.exe
4336	msedge.exe
1240	identity_helper.exe
1240	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE
1548	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 392	1548	WINWORD.EXE	88
PID 1548 wrote to memory of 392	1548	WINWORD.EXE	88
PID 2184 wrote to memory of 3068	2184	explorer.exe	90
PID 2184 wrote to memory of 3068	2184	explorer.exe	90
PID 2184 wrote to memory of 3068	2184	explorer.exe	90
PID 1548 wrote to memory of 4336	1548	WINWORD.EXE	103
PID 1548 wrote to memory of 4336	1548	WINWORD.EXE	103
PID 4336 wrote to memory of 4924	4336	msedge.exe	105
PID 4336 wrote to memory of 4924	4336	msedge.exe	105
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 3116	4336	msedge.exe	107
PID 4336 wrote to memory of 4352	4336	msedge.exe	106
PID 4336 wrote to memory of 4352	4336	msedge.exe	106
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108
PID 4336 wrote to memory of 3900	4336	msedge.exe	108

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docs 06.02.2021.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\explorer.exe
  explorer collectionBoxConst.hta
  2⤵
  - Process spawned unexpected child process
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=614981
  2⤵
  - Process spawned unexpected child process
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb89c46f8,0x7ffdb89c4708,0x7ffdb89c4718
    3⤵
    PID:4924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
    3⤵
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:3900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:1544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:848
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:8
    3⤵
    PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,18193813317013176579,12571918170081002703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\collectionBoxConst.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1352
    3⤵
    - Program crash
    PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3068 -ip 3068
1⤵
PID:2460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
fe247979e5f80c856d0f9ca2959e129b

SHA1
6c591cc947818a8649bf3374e3076d2c353bc71c

SHA256
4c7eb2f03ef51951e1a29068e63c2991877022dee10d255b2fb37539300d7b72

SHA512
b3319b85f958c74148ff2b7a34f119c2912fab4c61d8fa46024c0b71c0aa8715614931afd3eaace20f449f6dd08cd86fa4da63f37ede2108d52b71f53389c249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c487a927b8859e9823263410290aa8bb

SHA1
37791be15e41fa94d27dc046cccceaccd9f38764

SHA256
63a2d5226ea6377aa88c6b1e882c32e069bd320f1a79ded0b5c129924cd34a21

SHA512
85d3dfd9c7c718210091957c078e788f384d29d09c50d24ea3c8705c9ad2d91edc8394a0654f773878572080b14feb9c388d4c223aadf22bf071538dab89da21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79cdd766b9e26346a459ef7e376c791d

SHA1
4c24c69585d42f219c5e4a0c994e79952aa82a33

SHA256
eb70af19d3e413c0dd18ea0960814d710a21a66ddc1f158ed1b72fef7e8af155

SHA512
2a4b693115578fe06beb089333e21ae877c9b94409088aac640e36fe1a649064261ab1b586db9525554fd7b6873d3967296f18e849ea6af642afe2ebc34e5515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
438ae99fc614f2c7011cfd346c4a7c4b

SHA1
e0a6e23bc81725f6e5b8edf6223a31f4a1a3d6f4

SHA256
d5c34bc2ba64031a2f283141ed6295f343f56b09bfd1651702a5380ec2c6ba4d

SHA512
753697742a549297eb9811dcd23ad1040c1ac8715289aba679498219e91879ea61f120cdd2d16bd73d42c79d76f9b5f53331c6b98d2d3e01c72070b111b2dbbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b21b24a3383661182ca47a0735916df

SHA1
c4e34d33f82a6c1beb517d101f1e3c675a8b5e67

SHA256
dff7f879db9cc4eaac8a094a03194d2aa5562f1e12e475ac012dacad6a19ccd4

SHA512
35b7288ac9065d97b64cf07fc5e7000708a88587aa0d9dc8743b5c2725c1e21ce7a9fd78a420d770886ffb2d92abf997d0950e3faba5e208295ae2ef2e3a1622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e866af9ca6d43709e5876ce675d55c5c

SHA1
d032ce290d01c0f493ab4a190f3b2156a4965a38

SHA256
0d14796048c5447312559db29ca6f6331689e4042be1ecddb2d4c80c22f756ac

SHA512
c7b60d505448617ce0dd6f5fcad8997d1b6e4b39e96946d65f8a2ab53dee9831e7e12792bb7c4be5548abedd24ca99138211e9819b4844b5bb54199ebd8c64df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3297a097a18ce694212f306cf3cf728c

SHA1
49572e8e35dca7f64ff8feaa68ebf3c29c6be571

SHA256
28d8fd5752041bcdd547eb9f8c1c1aa24275b6cb59bf2f2e8ba0593f12113a03

SHA512
4bb9430c5e040a4bccb25cf806c6d9035d8d669488cbfe15a7e4654527d8c34bb66e5da473533536d0d64f710f8ebc300a737d94c6251b22914001fe95dda92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
493e1062f771de56bfa204791708149d

SHA1
9fdb557d17153d13962e3ddfd67cf22c126c945a

SHA256
dda62951f9508c601617b2676f08c6542b43a4218c9185a0a5331ae22a6fdbfc

SHA512
877a0956ff89799f08a367e7264cf29365b60cedaf4622af83bc53aecd6384aa93a99fc3d985f6f4f3fe8e1d9b9a7dbafa987ee52fed021485b62d8a60ebb1d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
5cc267a196559f14ec52ab2b6a0e7764

SHA1
45fa9fee610aba10ddcd7be6cffb47463473e748

SHA256
a68694c43a1a67e2e99168270549eb5f22e3682e83d8b8caf7b73906e1d2dd37

SHA512
562d44208fd5f57d3bcd9d4cba94645fd85b27c92044201b4ab4756d66352659076b49c7fdf7f0b87c935a1d84727ecfc353fb2f936aac782de940a37f661ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
c16254debbf689ebe322d85d5fac8c28

SHA1
b96f693c892ad22851d8483d135fd5d320276fca

SHA256
b5ab5182b8fcaa8f0bb92856e70c4756f909c8bf667ac7170272e9a1448ac624

SHA512
207b61ac459837bc4fd065da0486111112438d20474878d41c5abbb10e77abb49d75e3f6ec683f9868f1dd5de7ad4e0f4017100528caf743593cfcb607f7084a

Download Submit
C:\Users\Admin\AppData\Local\Temp\collectionBoxConst.hta

Filesize
3KB

MD5
99a1a4391c6be3ac5f137c0a092d8edd

SHA1
34afc663a569d0ba183c73ab40ae8d682273d193

SHA256
b25865183c5cd2c5e550aca8476e592b62ed3e37e6b628f955bbed454fdbb100

SHA512
45e5b38d72add4d28234b539071a3cb4059c9c104b5389a43190fd3197843e103fdaf7552c1edcb9bbbabe15b122a8bef0389ce39d6130b438a835c4c2d4f345

Download Submit
memory/1548-35-0x0000024A14C20000-0x0000024A15BF0000-memory.dmp

Filesize
15.8MB

Download
memory/1548-13-0x00007FFD938C0000-0x00007FFD938D0000-memory.dmp

Filesize
64KB

Download
memory/1548-17-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-15-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-19-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-18-0x00007FFD938C0000-0x00007FFD938D0000-memory.dmp

Filesize
64KB

Download
memory/1548-21-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-20-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-0-0x00007FFD96130000-0x00007FFD96140000-memory.dmp

Filesize
64KB

Download
memory/1548-37-0x0000024A14C20000-0x0000024A15BF0000-memory.dmp

Filesize
15.8MB

Download
memory/1548-38-0x0000024A14C20000-0x0000024A15BF0000-memory.dmp

Filesize
15.8MB

Download
memory/1548-14-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-44-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-12-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-51-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-16-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-11-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-10-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-9-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-148-0x0000024A14C20000-0x0000024A15BF0000-memory.dmp

Filesize
15.8MB

Download
memory/1548-8-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-7-0x00007FFD96130000-0x00007FFD96140000-memory.dmp

Filesize
64KB

Download
memory/1548-160-0x0000024A14C20000-0x0000024A15BF0000-memory.dmp

Filesize
15.8MB

Download
memory/1548-6-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-5-0x00007FFD96130000-0x00007FFD96140000-memory.dmp

Filesize
64KB

Download
memory/1548-4-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-2-0x00007FFD96130000-0x00007FFD96140000-memory.dmp

Filesize
64KB

Download
memory/1548-3-0x00007FFDD60B0000-0x00007FFDD62A5000-memory.dmp

Filesize
2.0MB

Download
memory/1548-1-0x00007FFD96130000-0x00007FFD96140000-memory.dmp

Filesize
64KB

Download
memory/1548-282-0x0000024A14C20000-0x0000024A15BF0000-memory.dmp

Filesize
15.8MB

Download