hxxps://email[.]dwyer-inst[.]com/e3t/Ctc/OQ+113/cYR8T04/VX0cZq5Dk2rtVgRhdm91Z8YTW3kyKQV591w8bN824Dyd5nR32W50kH_H6lZ3pmW9cHk4w8jJMstW6tJpMn8dD8S4W9hh99z5-fVr6N7kf77xw3XvHW1VwQmK5m8yJSW4Rdrsx3Md1MSW82KXYt4HTDQRF7PcL5DbYhHVKLmKG14kBmFW4JBLXV8XdWnjW5_ZlhN61D1k4W20X5411W8YcgW2MPQz07mvVVDW8VGj4z7xXDc7W7Kh3ds4_qKpWW4nts7t4wBfG1W4gWPPL8lk7SdW726hbl220drmW8lzgCP2CR2jYW3Zrp9d8F7rm6W8p3X266ZsJKgW8YKtTt815QcXW6kHWm53F_QPDMsqcSH_XXYmW6PhW5391G390W53dmbn3mC-53W1JKg011vMNd0W1cW2626c2SDGW5FTNGM7F-5TvW2l4ykk2gRS3pW6r3Q_l3gTSMgN8mcQ_Bs72HPdYxPfv04

Analysis

max time kernel
50s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://email.dwyer-inst.com/e3t/Ctc/OQ+113/cYR8T04/VX0cZq5Dk2rtVgRhdm91Z8YTW3kyKQV591w8bN824Dyd5nR32W50kH_H6lZ3pmW9cHk4w8jJMstW6tJpMn8dD8S4W9hh99z5-fVr6N7kf77xw3XvHW1VwQmK5m8yJSW4Rdrsx3Md1MSW82KXYt4HTDQRF7PcL5DbYhHVKLmKG14kBmFW4JBLXV8XdWnjW5_ZlhN61D1k4W20X5411W8YcgW2MPQz07mvVVDW8VGj4z7xXDc7W7Kh3ds4_qKpWW4nts7t4wBfG1W4gWPPL8lk7SdW726hbl220drmW8lzgCP2CR2jYW3Zrp9d8F7rm6W8p3X266ZsJKgW8YKtTt815QcXW6kHWm53F_QPDMsqcSH_XXYmW6PhW5391G390W53dmbn3mC-53W1JKg011vMNd0W1cW2626c2SDGW5FTNGM7F-5TvW2l4ykk2gRS3pW6r3Q_l3gTSMgN8mcQ_Bs72HPdYxPfv04

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5368	WINWORD.EXE
5368	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2396	msedge.exe
2396	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
1356	msedge.exe
1356	msedge.exe
4464	identity_helper.exe
4464	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5368	WINWORD.EXE
5368	WINWORD.EXE
5368	WINWORD.EXE
5368	WINWORD.EXE
5368	WINWORD.EXE
5368	WINWORD.EXE
5368	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4820	5100	msedge.exe	85
PID 5100 wrote to memory of 4820	5100	msedge.exe	85
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 4512	5100	msedge.exe	89
PID 5100 wrote to memory of 2396	5100	msedge.exe	88
PID 5100 wrote to memory of 2396	5100	msedge.exe	88
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90
PID 5100 wrote to memory of 2384	5100	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://email.dwyer-inst.com/e3t/Ctc/OQ+113/cYR8T04/VX0cZq5Dk2rtVgRhdm91Z8YTW3kyKQV591w8bN824Dyd5nR32W50kH_H6lZ3pmW9cHk4w8jJMstW6tJpMn8dD8S4W9hh99z5-fVr6N7kf77xw3XvHW1VwQmK5m8yJSW4Rdrsx3Md1MSW82KXYt4HTDQRF7PcL5DbYhHVKLmKG14kBmFW4JBLXV8XdWnjW5_ZlhN61D1k4W20X5411W8YcgW2MPQz07mvVVDW8VGj4z7xXDc7W7Kh3ds4_qKpWW4nts7t4wBfG1W4gWPPL8lk7SdW726hbl220drmW8lzgCP2CR2jYW3Zrp9d8F7rm6W8p3X266ZsJKgW8YKtTt815QcXW6kHWm53F_QPDMsqcSH_XXYmW6PhW5391G390W53dmbn3mC-53W1JKg011vMNd0W1cW2626c2SDGW5FTNGM7F-5TvW2l4ykk2gRS3pW6r3Q_l3gTSMgN8mcQ_Bs72HPdYxPfv04
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9056c46f8,0x7ff9056c4708,0x7ff9056c4718
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10583411645654773735,689542826911016205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\RUSSIA STATEMENT.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\72798a3e-822e-4a1d-ae54-cdf79d1a577d.tmp

Filesize
10KB

MD5
085539b3f4522f2d08db1e2d83575c5a

SHA1
7de2f93d30e84065b6547cf2ef8dba84340b1420

SHA256
b6dbe374f932dd5a3c5066f26297bc73a6a3a106e9590ce8a6977c44557f2c39

SHA512
7e754f7a63d4ae58a2d4d66f96529ee51c3a71ee43ad1fa42c6d89dcb2f625cef4205e2a7841a9e02baffb8e1a8c335dd8f4e8112a24103c62ecf827dc5e92e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
587dbb37da5c27666a8c3efbb72da994

SHA1
33a8d174566ea6919784dcff3622b33956e7c2ae

SHA256
102c9a627cd9582a57dae9352bb138c44e227c0b3ab45a0b0a52b7e396c306e7

SHA512
a6b3e6f4e654687149214c5580295eacde02e218f745c71d79b75bd4c5c1093e96babf905ea73e0dd60ac596d3cc7f868f33c2dcf093ef330e18b4faf59b9633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0052d7f7f9e55ec2871555e68c4927d

SHA1
45b4167bc3e67a69291faf3d72d02a518ef53b4b

SHA256
053a1087f54d30400271a0d1385dbd2f49c07f5882be22647c39a35b449272ba

SHA512
bc563c6f3db8a833fcf49adcdf9e722fff336e1eb5204c1e9673904ef70d929cd3540b5b73b43daff05e8fa525608788cf5607ff32292c717ba8a06ab1b49f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a03dac8d46ec2e3cb70d7c73fa734cd

SHA1
d7d3be22b6bced42fb6f161f2c979f9dbdca528e

SHA256
22c1e8b79a76944901893a11d3a99323abfd8e0c607d319c01bff30b814729f3

SHA512
018e3a01e09b1b480a1baadff53fc7caa37434e49d2e8a274020f222f57a82acef0cdf1615829bbf6db8c27468d36d0fa731ef603656c62955acda858c83abf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
e58a21c03ef00f15ac95208120f67dbf

SHA1
d656d6ef002a77d97efbaad4ae59ffd18a648b69

SHA256
8ded216f52d2804e4ef006e4c9caefb84b02ecd7fd6db1c7ee641cb7f7acd5d3

SHA512
1c1f21037da064ac0d6eacb0f4b983b83f2f0aa2a18b66afb8125ad7f5d3fe1808cb95eb204a6b2f790fdd9dbadbc951ba355dfc6c2ad299c5df04b3315b1a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
241B

MD5
ef3c47f8e61decde41a80427b9e08f94

SHA1
cb26fb3ab001c23d925c06fb9bd167db0ff5bf22

SHA256
765567711c62ca9766440ce7b52d2eb8823a26431b63ffb2dca2ff40cfbf9bb8

SHA512
36b4918d55ac441fffb135820acb6d49cc637372fcec2210932618f63dc53055f8e5d3b8a613d10cb3dac2a955a82d83fe224c3ff4541e96195e8fbc12fc54a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
971a447c7a83915ea16edc4ae611f486

SHA1
5f860eee2718f09c96fffb4935a2af295b502b2c

SHA256
0a6070d62334aad6976c2745602ae2a4bb43e5648a975a3d714e126a60ffb1e6

SHA512
61733467331a62635c1303430168236f361c6d0c3c002dea101b8fec5d6a53cd06cba1cabd742ca8be07288f29b6f94189558cf5ec9a5236a2d0ae4b41aa5228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
513865ad8b7b330a07f7d8f10586a8c7

SHA1
65d6e3a891edd37ebb6af25a3b2cd4ae48a310e6

SHA256
f5d9fb2695ae8c755983c289967f2da803e0ea64e1a79ade50d7caa4e83b08c8

SHA512
9eb28888e02c3e14db3d6c4915e226a374db3c56a05c1d750362ab551db790a6c3a82c5584003cd2451ec8e3dc35b08a911e26571d877ba2710e294bdcbbf2fa

Download Submit
C:\Users\Admin\Downloads\RUSSIA STATEMENT.docx

Filesize
267KB

MD5
24614454ef59b57f45199642d34d094e

SHA1
86c8b1db03069ff962352394eddf5ec089fe2deb

SHA256
3f9b3d100f7c645ac006c11c1ee100a69a41ddc7f94bb1b496b7f6fdbc108ac2

SHA512
4c6bfa25c1543b138dfe143c8d9862127493e5a17fdd9aa125b8a76eea46036f145693fb790e01004a774993e384c0e9e93bca6996d7b2ee15dc187bd58c37a9

Download Submit
C:\Users\Admin\Downloads\RUSSIA STATEMENT.docx

Filesize
267KB

MD5
e827474b0d45e8e829637b0dbffac307

SHA1
ba0592bd9badfa396decca35e1fdeeaef5aab293

SHA256
1c0b2cf2dc3c178647fd8111ddfffa6d24617468acbd0b3c32143fbc31046ce6

SHA512
6de880e786f61aca4cc8fae29adfb978d30beef5ac0521ba681801a34b40ef41d4d43e68448af51106f6cc6b3bb2181d0bb96a872312d2a8eb6e95c6a6e42f2e

Download Submit
memory/5368-97-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-103-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-95-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-94-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-91-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-96-0x00007FF8D21F0000-0x00007FF8D2200000-memory.dmp

Filesize
64KB

Download
memory/5368-98-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-99-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-100-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-101-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-102-0x00007FF8D21F0000-0x00007FF8D2200000-memory.dmp

Filesize
64KB

Download
memory/5368-93-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-104-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-105-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-106-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-107-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-92-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-90-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download
memory/5368-89-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/5368-88-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/5368-87-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/5368-86-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/5368-85-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

Filesize
64KB

Download
memory/5368-170-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

Filesize
2.0MB

Download