41a9bc55743203f6da4c6ea8cf71554e1467f00eb23b576f866515914591546d

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41a9bc55743203f6da4c6ea8cf71554e1467f00eb23b576f866515914591546d.xls
Size

244KB
MD5

82c1446e538787df6c7fe7ead7101746
SHA1

630d6507d349c2455647bb03737fe8ff77d2d373
SHA256

41a9bc55743203f6da4c6ea8cf71554e1467f00eb23b576f866515914591546d
SHA512

34708d67059052a8ce5a8af067f6faed6cc51da913634f5de782040598ea1489938b293321d73a08c31b684606766967be2eaefd56212e2ae28f7241b60fcbc7
SSDEEP

6144:Je4UcLe0JOqPQZR8MDdATCR3tSN0W8M6c+KmqB7sBhH2:PUP/qPQZR8MxAm/SiW83c+aB7sL

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEmsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1564 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2928	msedge.exe
2928	msedge.exe
4640	msedge.exe
4640	msedge.exe
2144	msedge.exe
2144	msedge.exe
3628	identity_helper.exe
3628	identity_helper.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4640 msedge.exe
4640 msedge.exe
4640 msedge.exe
4640 msedge.exe
4640 msedge.exe
4640 msedge.exe
4640 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

EXCEL.EXE

pid	process
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEmsedge.exemsedge.exe

description	pid	process	target process
PID 1564 wrote to memory of 4640	1564	EXCEL.EXE	msedge.exe
PID 1564 wrote to memory of 4640	1564	EXCEL.EXE	msedge.exe
PID 4640 wrote to memory of 4224	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 4224	4640	msedge.exe	msedge.exe
PID 1564 wrote to memory of 652	1564	EXCEL.EXE	msedge.exe
PID 1564 wrote to memory of 652	1564	EXCEL.EXE	msedge.exe
PID 652 wrote to memory of 4288	652	msedge.exe	msedge.exe
PID 652 wrote to memory of 4288	652	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3952	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2928	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2928	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\41a9bc55743203f6da4c6ea8cf71554e1467f00eb23b576f866515914591546d.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ilang.in/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=19823233
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef44f46f8,0x7ffef44f4708,0x7ffef44f4718
3⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
3⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
3⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
3⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
3⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
3⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
3⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
3⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
3⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
3⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
3⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,9954444719471545494,823665133328970895,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ilang.in/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f?wsidchk=19823233
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef44f46f8,0x7ffef44f4708,0x7ffef44f4718
3⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8215858383584765345,3022520369217519671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
176B

MD5
9cfc767fdb7f255dddb2a008aa18e7e7

SHA1
81f3edc820817f8fd5cfe9d6621aadd0f7c42666

SHA256
8a524e068237c3addc96cd5d6bc75c763246aeee570eeee0df2b6255bb11335e

SHA512
d25014e11a4143f8b0985ccff389d035613e017ce2904657bfd776e5663e8a15c81535ba9e87d1c80e3d7a976b39815a5e123ace516380aa7534380312dc7cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1f55d9627f19a492fb62748ae8660f07

SHA1
578feb501d3d5d7b0cf05afcd51e28541b45d0cc

SHA256
b4c90856d31aa30229882a022f856aef75aed4c74128b51d1a45eb0f903c405c

SHA512
0e104967f3ee4c2e71f7366d37bd4aa399af3ab09c0d67283df30541a92102a464e626c0543f4b86c9af669deeb3c1aa66cc362e47a7eff71afe716781ec534f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e9360a8d46337ee91319c6c41f3a18c

SHA1
1de4527b1ebd67bde05b2b5b0ab9233bd3c837c7

SHA256
a21da217d71ef56dfff72934a1298e99f6e9567bb9452ffadfdaf44535a0c409

SHA512
6bff1fee94965a25b424104ecaad6cc7f43f5ead51813f093a8ac0faf9d9ab67249c628987ffefcd3bc3a90589693baad4ede5edcba9902319f56b631d96e5f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94ffad6ccd9ad9813a0fc061bec070cd

SHA1
de3d0a3e40a5bdf467762a538a0c47f392a856fe

SHA256
b8f7c734b63e965e352d13ab2c7479cd33abc5cc39364670a4ca62c0801decf4

SHA512
59fb81e6c5a8baa0a8b72a984c737459ab2541b71e8f4348258f8bb19a96cc5329ea794feb7b49ca6bad3bd4e6835096f8d192dd518624051f147cb94bd39c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6645e2eb8732ef6515a14b5a8ceac2a3

SHA1
f5d0ec95726699b2fc75df96a0b340f9bb873622

SHA256
f1d2140478b9e1a4e1b2979084025abcb7b2e84e3729053e15c87f479a71d3cb

SHA512
a98034896d8ef45fbb99386fe0724d58c79b4bf23d49dda62257f7062a8a477e25810dd7a9e72f19252eecc65d350ddf86e2406fe731724f2b84a089eb53dce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
82dd47c8bb39a3f21aa53b54694f21c5

SHA1
dd7839063ef2ad9e73bf29460b5b615ed5cb3659

SHA256
44883e3588190ec409fb6fcda6ed7887427de69b56bf7e615e07c42e44226b30

SHA512
444033a09522b52be02df1e1d0c72d4de02a0d88b71de3c6ff122514c3e2778f344d74f1bb54067af09019969dfe05a7994e2fdc8b75400244c482e6ec114ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
c2ac0733813aa9b6777e1c4e67fc8c81

SHA1
2f56a76aab4aedc94458df8cf2dd85ef1a3d9d11

SHA256
801b365813b769f0a4ca88651d8ba97d2589986873b9c25380d06ceda211e90d

SHA512
93eed6ee39d9c193a374f10f61ae05695c597a559be17db29b1f0d8fde90dc9483d5c9e1c8485bb6a17c1b3ef261a6b9b927bf4e3673a2cded262a34033f0a19

Download Submit
\??\pipe\LOCAL\crashpad_4640_YQLCNEJWUNRQPUQS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1564-9-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-10-0x00007FFED70B0000-0x00007FFED70C0000-memory.dmp

Filesize
64KB

Download
memory/1564-15-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-16-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-17-0x00007FFED70B0000-0x00007FFED70C0000-memory.dmp

Filesize
64KB

Download
memory/1564-14-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-19-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-18-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-21-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-22-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-20-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-12-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-11-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-13-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-4-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

Filesize
64KB

Download
memory/1564-8-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-6-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

Filesize
64KB

Download
memory/1564-7-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-5-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-0-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

Filesize
64KB

Download
memory/1564-1-0x00007FFF1938D000-0x00007FFF1938E000-memory.dmp

Filesize
4KB

Download
memory/1564-2-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

Filesize
64KB

Download
memory/1564-136-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-137-0x00007FFF1938D000-0x00007FFF1938E000-memory.dmp

Filesize
4KB

Download
memory/1564-138-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

Filesize
2.0MB

Download
memory/1564-3-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

Filesize
64KB

Download