be4c39c44e9499121973ea2b034c8832d763762e56107c77257c3813141c2974

Analysis

max time kernel
130s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

1.5MB
MD5

b900aeb4d6470637fd6a48536b0c693c
SHA1

67e401ece386208299a8150c04a90da40e3099b9
SHA256

be4c39c44e9499121973ea2b034c8832d763762e56107c77257c3813141c2974
SHA512

08d8f5e9f1f20bb8726f3599a23908f29d0868b084b9b6ef9033884a7cf5c884f745a2dd0b47a2e39514bd681d338454b7e45ce2635f6c045960aae57b4c353f
SSDEEP

12288:d6CyLEgR0ro/0EhcXAHjRYSN9bUlOr/oJfT9Pu0XejfQ1JRQ3Tzvx+nDIpnUxb:eEgRN/th3VelBPu0XUfWJms0pnY

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1084	WINWORD.EXE
1084	WINWORD.EXE
3372	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4332	msedge.exe
4332	msedge.exe
3804	identity_helper.exe
3804	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
1084	WINWORD.EXE
3372	POWERPNT.EXE
3372	POWERPNT.EXE
3372	POWERPNT.EXE
3372	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 2936	4332	msedge.exe	103
PID 4332 wrote to memory of 2936	4332	msedge.exe	103
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 5108	4332	msedge.exe	104
PID 4332 wrote to memory of 4872	4332	msedge.exe	105
PID 4332 wrote to memory of 4872	4332	msedge.exe	105
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106
PID 4332 wrote to memory of 3536	4332	msedge.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RestartUninstall.mhtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffffd5246f8,0x7ffffd524708,0x7ffffd524718
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15298397327494563304,5804472801906723395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4220

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StopDebug.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\DisconnectSkip.pptx" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
a0c575bee8a2ae038f82903aae31c48b

SHA1
2f9dab4a3ebc4af861855fd61ce57eab3ae6dad7

SHA256
0e74179149762de6b2258f9aa82f336e551d265fb1839c6aaf1333dab9d03371

SHA512
f3ad79b7889d626b019712beb68282dd4401fe32d5e333b24d8c09aa32e633c131ccfb2c950bcf7a25917fba3ffb8c1a9dad401fc3ec8f9b5ddfe08c93b1ddca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
967feb4573c01409b380249f9716076b

SHA1
f42a319680676c09fd9188f61945780fabf19f8a

SHA256
db78d079f90ae7b0c6caa14c7be2fc0157b287b398bd10377f14bb3962247875

SHA512
60d5b2fa3939f64d088dbeabc9dd7ad2b1f6bf848ebb4e733eaab78caf49b87a36b4bb846677a12620143cfe0640372c4de220d884c4d9ea0a5a6d768a833401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70587fb414246b6465fb771774898ae9

SHA1
10b4631aeeebb5b9fdc548eb2fd9a04cdbbd8fbb

SHA256
66a730cac025dfe2bc96128ea2fc77f808d936080a99fc4a60453ebcec6630ae

SHA512
856b1fdecd913e99034bebc00f0cdeb304864a60ae3cea9c6fa9bc2af91e318b0e57decc97c64695cf29ae36aeec267b65c4d7fed43fea4e6daba713794e926c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45ab0533eafd41fd4ee5ce0d5b0fb7f2

SHA1
eaba582093aab1d3391c760ec7f6a5d3b2a0b138

SHA256
c94c672e6b18ae78d3facdc291ff30801c7a831b6773200c757ae34150684c24

SHA512
b6566cb040d302f60867c7fb183fa1315fbc7e1724a983e7a2e1588834157d1838588a547c4e4c1ea1872ffdf444b73726deb8aa51303152a056122a279fba08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f4a3d4ebbd1d3f5d43d22b09d54d77f

SHA1
f63bc08a8f1330dea94184081538068b73968597

SHA256
a4a5ba5d2e53628893313055d337b495f864d6b29f4e6a73e0f2319f008e752a

SHA512
d7f683418e2b167dc4d35f7bb5c66cf3582114de14712c65912dea048f7d81b05cc7d7d339b0f9ccc24cac36b07e4b1c271ec361ef50f1106b0d8c1ce8c26e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f265e727819d886fe5d0e1558f6ed2a4

SHA1
de60dfa431db560cc7a9b9d08b84512a790fa67e

SHA256
ca3242007bf22084072758c193431964faf63559360374d1409ea98af2abe8d9

SHA512
418260ea2f00352d69115c52ee3afb7fef867af6a4f67658b0d4eb0b8b1efae8f61752c7f08ceea31b10314c086c64b9f0729fe24602cd4ce5051398033703a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f88486226c22e2139e8487d135cb330

SHA1
5d230bab0a81c7879bd305604abd892550ed28ee

SHA256
7c325a88d4ff9ff5d78b803ddf977080dfc5a623dd45d68e35fee3b7f9be5246

SHA512
440ede8562b6faeb957f088c6f487491e37243cc68f254ad6934210e709ff5d78cec74dadeb06e11ac7cf46d8aad4fcb352f0e11a904b48f6f9c5510786a7d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5D7BC478-ABA1-424E-ABAB-2DF47B33D30B

Filesize
161KB

MD5
b5380cfe2a618d9ff8108217a742d01d

SHA1
1cf209a1fc0732cadd83db4d3ac983b3a64bf735

SHA256
d4c2a2f0b1fa0d8c14470f6364f63b47bf369fd955cfe4acef1e61f5bed7adbe

SHA512
a2e25b5d503d3c06d9e5c364906b4934916317284c1a32b0a7d15d7e9bb8b80a33d316f3991bed6fe202d63ceb086fe05d344e975b039a758c6ff2da5bcaf1ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
bccbdf5f0a344fb277f78db70c0318e5

SHA1
ede964acb57debaffb05b1acd35e2e10b7a355a6

SHA256
8a941dd2c65be80a3237077f9f7dd1b7645a376772e79a757f66bb9b20ae2809

SHA512
f5aef92d4d1cf027b96402cead620f7029c02465f77e7262461edf8de6e10211f0299193135daa7eab131fdb3420d8c8814e7fbb5af2222a816985e47556b98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
b4aeab292f7ab840483eb48f86903fb3

SHA1
607d5f9b47d7b75f3b24a1cb357ccbf8a72f5ad7

SHA256
19b90cedad4c81740d7bfa6c658015c3f4fb9765a644c1684cc01373ba353d06

SHA512
95e0575de7a16ad40aa6293125fa07a277169c6afdab83fda174de40f080f920f06afdd0e93374628c7d2a46acb26e8053208c15e5d747e822fbc21204c27c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
1d6ead04519999fe5a0e3b650cd2ee31

SHA1
8c1e2815e1f1fc5577ac37c1fc7f70836c48fbe4

SHA256
6085d24713c0594d81c007579c0dfe4888c8ff2f999222e85b506cb73b11015a

SHA512
d634c35fc3b2555584fe4450b47e1ef1f35465f44714c68d29096ce3c3843ca32fea242ca91f8d57a91324712c5f5c4a098e568e3bb19a45251f31e917afffc8

Download Submit
memory/1084-149-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

Filesize
64KB

Download
memory/1084-145-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-147-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-148-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

Filesize
64KB

Download
memory/1084-146-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-144-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-182-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-183-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-184-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-181-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/1084-143-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3360-5-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/3360-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/3360-1-0x00000000001E0000-0x0000000000356000-memory.dmp

Filesize
1.5MB

Download
memory/3360-2-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/3372-190-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

Filesize
64KB

Download
memory/3372-191-0x00007FF7D9340000-0x00007FF7D9350000-memory.dmp

Filesize
64KB

Download
memory/3372-187-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-185-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-186-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-189-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-188-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-211-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-210-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-213-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download
memory/3372-212-0x00007FF7DB950000-0x00007FF7DB960000-memory.dmp

Filesize
64KB

Download