Malware Analysis Report

2025-01-22 12:17

Sample ID 240624-z3lapawamq
Target 3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3
SHA256 3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3
Tags
macro
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3

Threat Level: Likely malicious

The file 3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3 was found to be: Likely malicious.

Malicious Activity Summary

macro

Suspicious Office macro

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 21:14

Signatures

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 21:14

Reported

2024-06-24 21:15

Platform

win7-20240221-en

Max time kernel

45s

Max time network

60s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3.docm"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09fb29c7bc6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab40623429ded44fb8f1920ae1a7c53c00000000020000000000106600000001000020000000e50a93c7813641c433ea481c75791a60d62c06b23b991f2d0c11c81546334953000000000e80000000020000200000004e69b7b731064a353c27d8c93818313411842bec550dbaffa821c351115918432000000042d717fe09073719fc4092d9d26392731912ad65aca181e461bc39526b33e6024000000061f2fbd6b86ba3a2fca66a02ccc2732b3a9792c5cba8adf16a6503b97e2df2f7123cd7fa9ef2f03cff4314f0c3cc32de80040e87dd6d04291c79c238d19ad865 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3C6F4D1-326E-11EF-87C3-6E6327E9C5D7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab40623429ded44fb8f1920ae1a7c53c00000000020000000000106600000001000020000000876eac85a392292c6b71208ca57798371534942a726b4837f4da9291584728cb000000000e8000000002000020000000a68e4eeefe7ca5a79290136f5badfe768005e8a053d51652f452bee74605e3e090000000c2e5842b2512e7ffc5e205a6f30a94592ae0cd99dd6753c175ed2587e3fbb819d5e0bce16297448c6011a6827bb87622d5a170f2150bd232457c1d7fcfcc5d03cdc9ba6dfef1216316bf2bc99012aa30286569927f2ef7ff6fd2dcd077ee368615be105fd551e4d9b092e9518ae68ad05f891f3d2651c3f508d39cf934dc31ff7c58f46ec47ad9927143f82fa48ed01240000000845d5fa7903402058fe7fbf55a9cc6e9876bd2bee4ccea10712bbf30a982883a80b974b1371c54d400821356c7ceeac14b6a514db144dd0a2bb7b7bc1daad694 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5ADC4564-F49D-4C51-83CE-69F43C41588D}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2300 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2300 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2300 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2432 wrote to memory of 2244 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 2244 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 2244 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2432 wrote to memory of 2244 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2300 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2300 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2300 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2300 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3.docm"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://password-changes.phishwall.net/XK3hjR3J0NUMwTUtZZUpMcDZ1emh5S01OLzhpV1FpUHdnZ0grMW1qdUphN3hzN2Zya2lJV3BlMjNuN2ZiWU42Y3FCSFRhS0d4TmhvblJvSGtUZTI1RThoU0M4a3VjbVhBR3pHMjI2L2VSTVpqQXZjQ2dXYTQyZWNrakYwVDIxTzdMOVkwd0hIVTNLa3ZOVTdVbFlIUG9VdVVqV2NCblZHcElKdDlmUlNOQ2xYTW5OZXB2MnZTc2puQS0tMTVmTFhYSURtdzRTcHRxRS0tS1VGVnJPTG9PeldFM3VrT2xPL05EQT09?cid=2037834398

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 password-changes.phishwall.net udp
US 54.81.217.133:443 password-changes.phishwall.net tcp
US 54.81.217.133:443 password-changes.phishwall.net tcp
US 54.81.217.133:443 password-changes.phishwall.net tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
FR 18.161.110.147:80 ocsp.r2m01.amazontrust.com tcp
FR 18.161.110.147:80 ocsp.r2m01.amazontrust.com tcp
FR 18.161.110.147:80 ocsp.r2m01.amazontrust.com tcp
US 8.8.8.8:53 secured-login.net udp
US 35.153.9.28:443 secured-login.net tcp
US 35.153.9.28:443 secured-login.net tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
FR 18.161.110.147:80 ocsp.r2m02.amazontrust.com tcp
FR 18.161.110.147:80 ocsp.r2m02.amazontrust.com tcp
US 35.153.9.28:443 secured-login.net tcp
US 35.153.9.28:443 secured-login.net tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 35.153.9.28:443 secured-login.net tcp
US 8.8.8.8:53 s3.amazonaws.com udp
US 35.153.9.28:443 secured-login.net tcp
US 8.8.8.8:53 cdn2.hubspot.net udp
US 8.8.8.8:53 i.imgur.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 52.216.214.80:443 s3.amazonaws.com tcp
US 52.216.214.80:443 s3.amazonaws.com tcp
US 199.232.196.193:443 i.imgur.com tcp
US 199.232.196.193:443 i.imgur.com tcp
US 104.18.87.62:443 cdn2.hubspot.net tcp
US 104.18.87.62:443 cdn2.hubspot.net tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.171:80 apps.identrust.com tcp
NL 23.63.101.171:80 apps.identrust.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp

Files

memory/2300-0-0x000000002F211000-0x000000002F212000-memory.dmp

memory/2300-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2300-2-0x000000007171D000-0x0000000071728000-memory.dmp

memory/2300-12-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-13-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-14-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-15-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-16-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-17-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-22-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-21-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-20-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-19-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-18-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-34-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-33-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-32-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-64-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-76-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-75-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-62-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-54-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-44-0x00000000001D0000-0x00000000002D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 9fcda127ff2bab11d18a82f398dda522
SHA1 121f4134713b3cc34d7551bd1d169e2c0a935df7
SHA256 fa0505927755292ab70f283bec91726db9adcf9b5f3d7fb926a2d3a1581014b2
SHA512 34f4b0d2c2ddc17e52381b97a82ab7f8d563721a1c9b1bf430c8c9c3b37355af0b7b84f7e269621c01f4265d6f3eb69602563a3b3cce2fe0623a258555d84c1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 c7c9807793736d570f27af61f07ab48e
SHA1 47b11c2007577ee76f4137a3eb35c08f01f8e788
SHA256 3df0617409e95184d89ba7ae249ffdd34616d2122711c70b8a292c5037e881ba
SHA512 fab0555378c2495e025dcf6b08e7ba3218ea30f5867ca6ca20f5ee6e5a2f3975ba4b0da2d21ef87642c58679781a234ca454459d5ba7a2a04081b17a94b17c93

C:\Users\Admin\AppData\Local\Temp\Cab29B1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar29B2.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2129779eaec967191430b63127900cd7
SHA1 ccce9aefc74556d49ee834f26b823c6c87fc4185
SHA256 65093ccc28089eea427edab55a95e774eaceb7c943f8e2adb2e9aba6ff410559
SHA512 90ac838a7b781e7d34a92ea07f659e4f2b7c21d94b0357c7e840e33f026a17f9bcfaf8c2420756cb4999428639a2722e76baa9e190be003bf51694afbc1c115d

C:\Users\Admin\AppData\Local\Temp\Tar2AA0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9790595aa2b7fc8948334327962bc3a
SHA1 bbaadb04cdc412625d0563c841f9dfdf90072dfa
SHA256 d8638964f29604fcc58efa3e49e7a8a53fa3d5383a929a7b64ec953866c6c33c
SHA512 055ee6c70671199b9835fcce382f15c800de635742b1a88a5bf205d09e4d7e1000f0e4e2cf1bf4c0012ad8d9bb7812719a9f969f6ae3204081f6122fac9fe2bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4eda0d1b7997b8ba6d79e5efb683607
SHA1 df997707a3ef9cd9a021f0203dea5187b5521f24
SHA256 fcdf65a95e210dd52499b86e4ea67e50436542a96915c0d8bc6c3d1696e1d9ad
SHA512 cf84d4d25eed96e3f38872447cd5ff4d17fb466d6d70f42c816651f9c5d62d9b9b4da5003d6f5dfd4aa796fe562141f6b7be262b9e4ae331e75e2a7d36752087

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6294a7391b92f1ede7301fe2baa18874
SHA1 318b6df877f6b69eaf80277e942a67921b5e6f15
SHA256 eca635dc10d4e40b7e1127991f0c4a61265a54bc6a9932ef84869d33e1cbd488
SHA512 93ce247ec54eea4d465bde9efe88f681ecea2730695d9af9ac1938013e477b53ee9bbd8782b782afaa2d78ee14951558cdbf5841bd62b0bb450814cb26b340f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b524af0a1e0c15051ca9bc9e125e4e3
SHA1 a272ca5da4362d3f68f5ecd3d1fae393849f6c19
SHA256 e7d110dac002693004aa583d6a6cb1a8320ed9a8067ec6c1afbfccd287f8e529
SHA512 80ae6913413a28dab9b0fa0df341267cf2435f7f86616f7bfc161898f9fd616cae2a9c838c052a6016dba4c0f70492bced8456aae0eed3e49889504cba897f08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1f3680fc685f6c1fdc531f1b3d5d575
SHA1 9c18d1d4d1e364bf298414c8549fcdef2401b41a
SHA256 cae3988ee4f3d437399cdf7276950e82fc73699c990ab532f390de4e1b69babe
SHA512 0de45eabc9dcac960c75d98a56a2d75fb85e3a3b3e25b5562e4694fde5fe539c26bf2cb532f19bd5de8ab07b957a71587f3489718b5e98e002ba5e832cf2148e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 94514623d4d86e3784ecc0eda4e70698
SHA1 f8d4903df2a36d1cff9d7716b49063c1a73f2b93
SHA256 5c0ba4299de05d6ff21d60e4eea8310327469dace4c35153488cf568cbd64c26
SHA512 f479c6d19473a52f084f2746f00088277cf751d70fa0dae76804fb167a645c4d17b2ae93b0e25c6983556f1d433cd5f9a176ea8ee04e16176ee25406e9128630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 08645fc027fa13f9194eee3f41fc2a7f
SHA1 6361552351e0ac006c248a66ebcd1e9e6b35cb1b
SHA256 c4f6d94aeddd22a6274a8dce02c1f7df9dd95dff01d8d9c107c7e1ecf57e464d
SHA512 1920d9970bfccae303849f5dd8c90757b5055fd0a46a8214a00d192fa2f388e9f52368967d5ffac0a998ac821b0ecb76fd77c6a6132b9f6438cdf9153682a93d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 87da78507459c9ece7a38bc29324cae8
SHA1 412f975b05d53b3db56c0374716cd7d5173269c8
SHA256 7e8f916a40dafaf94fff55cf077f1360f205717a46b20a288c7e2d02ac3fdca7
SHA512 4164c2a30bb047bddea7d096b8e083d04d1c06aef0f0df41161c910f4d1a606c5e9dc3c600d5f8baab947b172bb83d08f3bd41aa6537088bdf6cd0c9d566cd1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 4e6bd65c19f1cc69e7785d32eb584c6f
SHA1 c8b6a933e82ed32cc6e85a719a2aeca3b4aded87
SHA256 3976c509a7e11c91e4064c9aa5ac329ad5319fedb8871eb482b06757a5be1bc0
SHA512 6aca886a2a4163b6d6970b4ba2d1076a9b93fc5567eebe6a7a74143817c89db08ecfc235eb29d1ff434277aea8966f2ac9448338f1c4a923c4e568ed9b14f869

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

MD5 ec9c3ea0a1bb8d5762637d4a5ae212eb
SHA1 13a243ad584a426bbd722334e8fc1cbdc1c57d34
SHA256 2e711ecd5e9f7413e9fe87050b17e34b9966979a502acf96f21bcdc2a695c9e3
SHA512 73af10215092013a94fc7ef8ce854192dae0e8976ddff7cfb95747869b1655ec8c5d7ab6822166e9444d9916bc755f8b8a1c8e7f32ad9a57eb3f7820bd623a93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

MD5 8ab2abf63865ea86af33a6d172d7d36d
SHA1 4bc448a9bd1125ddb3b03ed6c200bfaf601ec81b
SHA256 c76cde76725392dde02ab21156d3ce12e3802f3231d8ef586d7e5a8ce15b78d1
SHA512 abe0ccd09c590cb2167236b418f5d1b568f56f7651044282e2eb27b0793ad91358a614089a4f54e286a5c7809281c55426e747a4985c6bd39df022f714f0db04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6bf27d9d7b443f8313e57054613ed395
SHA1 4b1aab7a5b224183c6db9a19ffc4ce7c20870b84
SHA256 2180c6213c87bc2694d609856b88c260321f46268f347eabd81e6ff64f4456ea
SHA512 286faca2d5e5a43566f9e4146f48779d7e4a3a1ddfc323e036afc086192212fc7994ed200f102b3087a5c743df2e2974ab9651bb51ea881f818a3c20cab95387

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_5DB100F6A376A1D5B173061B4CB53868

MD5 7c1643f918b9d7726861d62d2f059914
SHA1 c63bb44a8d9b262020c5d1824fea531dc2d7cd21
SHA256 f3ada2f4e5f5664a499ea149becb49deff728e297093e738c6bb7d04a94de4e0
SHA512 cc556bc5967f5ab8d9d9d14f6ad1727ed3cf6f79b046c09646f6da98fca9d6dc6a7b301d0aa5fb30df217a3dc566a19a14d28ab708452a1eb2a345d244bf44bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19261108c45dc3509537f90de6bd11b6
SHA1 687243f318fd3d0fbb7a6fb5487b9e2c6227a56f
SHA256 e55c9b5091149532666f824bd3e400c53238d03831afe034e3f23d27a13f3447
SHA512 69470f3a346e8674e7d90815bc3485d8d84d89ec37315ba9145d17b2a99a930c4b085decc3440e093590189645f59b270be0fd8db56a2b9d62f32d0018080fd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_5DB100F6A376A1D5B173061B4CB53868

MD5 2fb3f0c09c69c54f554248bf636f3ab3
SHA1 9d16618d9ebc2b13399e092a3753a64a9445d350
SHA256 d38e1d1d2bf30ebb9cc5f0336bed4317b8c110e7abc0425272375112988ea312
SHA512 2402c661b4ddeaf7417e27da2354964064df1f7193ef9f632ca207f70c14a970a7ca5ac002fa983af35715aa58b471eca570f640bec8c1091fc353b12a8c7327

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c7f755a977a4c6f6dc4f389b8139cf4
SHA1 0bda553495e8b28840f08f192434a66e252d0331
SHA256 3d2cbd0fe1b3939250332b9153bcf116836f9e0f1ca6603ddb0ac54af2255a68
SHA512 53ad5f310b6c69d9ea2714a32731d192e162ef5fdd65149ea1d876d6448ff9a0ce9e470cb333cf41b21260ab63b1e457595dc7e8798df1aa6b5aaf3995e9188b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d8510190e4aa42c84d263dabacd5a1a
SHA1 17848e43fe71a080bb56d0d793a7535f154c2c0f
SHA256 359f51e67c616461dd7b2f4c876a4d44fa7ab60ff3b323d7c24e92ee44d26790
SHA512 bdc828929834fbe52c1e83571ecdb1e833fa56ea2d1d363c02fb5c0d047a5860d78ace44b6533bda3ba4e19397eb44dc977fb4945635ef97ccefd1002c17c743

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f93f23ebf89f1bf6b12b95a78ebdc690
SHA1 9408a99e8112045477395a4132845ff2d40ce142
SHA256 93a88f37275c195905a683746b57885daadb8312d3d5ba69b7f87935a94d2288
SHA512 dc94c1825a8edfb217fccc76632d2571baf13c4961b07110b01df40097a091452d383a4a2e39d0645def4fa1bb4f9b1bc3788dcade9b5ac431e67233dbb6ed6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe237a9fb57b68c5eab65dccf4fa326b
SHA1 565690f73a6572b61138678ec8f7c661573cb047
SHA256 903ceec4ba75f18a0585d51eccc91c7315f6fa34de529dfb5c49504f08260903
SHA512 3faaeb48a0e494ebe005bbb418a6ac0ea88801248dabd53fa64621d8f9a04e1c7a8e1dc5a11800c9328f1818627b16d6e82be23ed1ad3e768557b0b4987e2f4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 20ab72610a1db2c50df17a066ad9bd57
SHA1 4269aedff9050d33bbf4c984717b939813ad7a46
SHA256 31684ac2698f35ddb3cf2028b7fde6d24656c7972120709ea6617788388717c8
SHA512 1682ea6c84ce1efabac04e82763bccffe1e734e0f708f46dff16194790c6c9b24019fd0ea370e538d303f60c1c5beec129226832df8c56d1a5d96368f06e38d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bed1d9aa1af7a8db0867b17ba5c6b65
SHA1 6c2ee9b144a368841bc23493a097845babf3140c
SHA256 201aba78d7ea0826be29358b007c94511f3905b26e5e5ab282d53e21082c2420
SHA512 5f481ff66f727a69a491c35fbe0db14300ceef979c5dc03490ff2a5b14980e58fbcd10ce92647a77dce7526ebc49f52a9fb7a0dfa4bb42acadd76469c6e3d5bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32109a4e1715f451b8d4a7366d8f0972
SHA1 6289d589201de2327f53b74bfa8152c6098fda5c
SHA256 414e2de585d28fc3e2af99b9bdb52e9fe175fa753d3a51a94bfacf57e5d76e31
SHA512 420666d40d21f70f25b2b850232dfb5c9230bd5f55682f6609ed1480de989419e4a5cc1755e5024a716bd7a040e67a98f1f8781db9f16d95a0ccb717974d0601

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b544d021be89170c0794f8643acafbaa
SHA1 b27c28af2bbd2ef9d2682413075d64702717e961
SHA256 67fafd4d9c727cb1fe831457302b0b05aa164a389e9e5ce5f0686fcfb733c7ae
SHA512 1f2efba535053cb0c3f292eff1397406edd026befffb9caf43eb3710fa8f1ff50b7d31e0d1eaadac0fb75868b3ad70361e7e9ef734bbf8c8f79c66c5ef64cd63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eba4157cd68f7b891815a40f7574fd0f
SHA1 f59fc043d3154659c64e2c9c33346615823e5042
SHA256 d94baf5aa982c4f9144b9683be536e15fcc95b9299b06e2a78da3cceb6c42623
SHA512 0fe31e7f11e1ed0643b9cf17ca7567ab71c305bc47e712410b351bbe9d1802cd209759d1c9196fbe5882fad3db80385fbdca451a63a0c35e469d0b97e4cedc8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74b002478ec94abe1541fd000b3c2861
SHA1 f7db58a061ea19a35812e56eb371b45b4b782472
SHA256 50e08ed5c6309e73f60f95770cadce6b069070f5e1111d293172db5bbee685c6
SHA512 927bdff9063aee08fce62143e419258822310493a344dd38eb42314d1f89a96f8acafb0201a5daedebef81a9f761eeb87234d57585a5525e007be464bfec4f42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4832378d0bb6f4d892eb74e9fae43fd5
SHA1 a9d9e5b00f316df2014551d705b4bbaae3a9946c
SHA256 83823d4c099a37168a560be7884a2f9acf8e1e1d9d672dca3f0eb1eaae2fbde4
SHA512 441dcb423581576c0ecbe0c83b19a4736ef727acb9ddefd841acc26b3f7fd80e951a3bb73f5ff946922e05306bf0e191b89bfed597e309bacf28f5a7d3b9822a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3e5302029a4a6327c0d820a3b3d4aee
SHA1 eede4192a6e3868079dedf82686bf5e2e0ea5877
SHA256 95f1e27236a0008111fb98febf3cc5091251cbb567d7a80f278eb4dbf15541de
SHA512 043e64ca80fff71442ee3e64bbc47df5fbcab69d98448dfe88aef26eddfd8feb9096c969733710f8a1972815bfe68f2327d576a49acf65b38a71a8fb6de7b9de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da487161817e3e80db1c8d50c8c7fbd7
SHA1 5e80d8c65e348dee88b486ba8a6104e1b40dd830
SHA256 69f77fd5b0cf55a8028b4d243a1df21b0a4257f5a7cf1749adf5e6650600dde7
SHA512 eb7d84afe4ebdd1ecdd0666b27fc7843cdcd322216fc74c0fee91842d414debca83ea6dc283ae9d82ace85dcbf40914f5b857e3ab02139f0859716b4704f41e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95d2387e49945d2c49dbb5a86e7b8f3d
SHA1 2908fcb9187b8bdb12cfe63ff726e700a0e3d2d9
SHA256 2fa312df8f2914839cdae16147e2d7ce4c2416dc92e03752e520fcac0d692578
SHA512 fd52589753842d83dd8228ea1a8a9d8a9811e8ec824fc1f7b345ab58e2fb1cab5560fdd1c26ae6020a07f4945ac3f60a3cd72b4cf9bdea16403994c61cdaa93e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d31c763f544585f0c2dc0bd1ea9a9f9
SHA1 9635709bb18703006c1b6c51dc51691d125f622e
SHA256 69840dada034f1d314bf351242d9385592e2dc65b7687ec2dfe898c8893f0a18
SHA512 1ef824d6dc2055f209dbd16d191177daba1bd1a6e9737f7f2686903c09bc54fbef39bc5ec4a97909eabf583dda11e8163cc4650fecb0a345351534c6371dac68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a64e546490c6c15347370093d605deb
SHA1 b7503dbfd069aa8d2ecc5a0210fc6fc3bf9f2cbc
SHA256 add632218f6dad704e1aff0a22fe1f1d13b75b78a77bf7dba02b8b57c55e342f
SHA512 b342e503fc052521058fb8c5d8be6af9b1d419abde35020ee32c9688c11b0a4151f6130f508db1d547907e03c805adbcb52ac24aa9ffdbc47c74d309ec6bb3a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f3601eb1751e6fe3ccad339f1d38afd
SHA1 4ddd3e590b5f0b5f4b44533c60cf5e78606542d1
SHA256 ce9b36a3638c755f2aa53b9fd094ad36e1eea83ca4d518c58e429738cefd2495
SHA512 e4223ca934911184ca2bc8adddf3b9da948ec12f6ca79fa344a7ceab8770d2a0c810806c363457834ee0c93cd08723c30097258d41d12fb8be70c772e604e627

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 575f16ab805611faee4519120fc489ca
SHA1 2bda476bd3351a95bd6af86cdb8e94bf11f3a140
SHA256 0ea6892fcb7dcc41fc9454d23441ef9bdd2eb6b6d950c707ffdf91c424de4112
SHA512 e14dd85da535a44399f070e85a220e6207f4aec0f3800f2e21af8fbb58f7cb5bc61177bb7586f7f24a642451f5e06f296aeb1108a28fdb7d7cbfdf28a299092d

memory/2300-1462-0x000000007171D000-0x0000000071728000-memory.dmp

memory/2300-1463-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-1464-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2300-1465-0x00000000001D0000-0x00000000002D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 21:14

Reported

2024-06-24 21:15

Platform

win10v2004-20240508-en

Max time kernel

53s

Max time network

60s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3.docm" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 3432 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1900 wrote to memory of 3432 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 3012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 3012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3432 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3febed0037c9b8de98e1507a29951ec438f148732b53e14ea54c404a04ab0ba3.docm" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://password-changes.phishwall.net/XK3hjR3J0NUMwTUtZZUpMcDZ1emh5S01OLzhpV1FpUHdnZ0grMW1qdUphN3hzN2Zya2lJV3BlMjNuN2ZiWU42Y3FCSFRhS0d4TmhvblJvSGtUZTI1RThoU0M4a3VjbVhBR3pHMjI2L2VSTVpqQXZjQ2dXYTQyZWNrakYwVDIxTzdMOVkwd0hIVTNLa3ZOVTdVbFlIUG9VdVVqV2NCblZHcElKdDlmUlNOQ2xYTW5OZXB2MnZTc2puQS0tMTVmTFhYSURtdzRTcHRxRS0tS1VGVnJPTG9PeldFM3VrT2xPL05EQT09?cid=2037834398

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffee4b546f8,0x7ffee4b54708,0x7ffee4b54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2245991272299939753,12932352314381198689,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 password-changes.phishwall.net udp
US 34.231.66.49:443 password-changes.phishwall.net tcp
US 8.8.8.8:53 password-changes.phishwall.net udp
US 34.231.66.49:443 password-changes.phishwall.net tcp
US 8.8.8.8:53 secured-login.net udp
US 34.230.108.107:443 secured-login.net tcp
US 34.230.108.107:443 secured-login.net tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
FR 18.161.110.147:80 ocsp.r2m01.amazontrust.com tcp
US 8.8.8.8:53 49.66.231.34.in-addr.arpa udp
US 8.8.8.8:53 17.97.161.18.in-addr.arpa udp
US 8.8.8.8:53 163.94.161.18.in-addr.arpa udp
US 8.8.8.8:53 187.153.230.54.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 107.108.230.34.in-addr.arpa udp
US 8.8.8.8:53 147.110.161.18.in-addr.arpa udp
US 8.8.8.8:53 s3.amazonaws.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 54.231.136.64:443 s3.amazonaws.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.153:80 apps.identrust.com tcp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 64.136.231.54.in-addr.arpa udp
US 8.8.8.8:53 153.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 cdn2.hubspot.net udp
US 104.18.88.62:443 cdn2.hubspot.net tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.192.193:443 i.imgur.com tcp
US 8.8.8.8:53 62.88.18.104.in-addr.arpa udp
US 8.8.8.8:53 193.192.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp

Files

memory/1900-4-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

memory/1900-2-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

memory/1900-5-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-7-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

memory/1900-8-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-6-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-3-0x00007FFF0C20D000-0x00007FFF0C20E000-memory.dmp

memory/1900-1-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

memory/1900-9-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-0-0x00007FFECC1F0000-0x00007FFECC200000-memory.dmp

memory/1900-10-0x00007FFECA160000-0x00007FFECA170000-memory.dmp

memory/1900-11-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-12-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-15-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-16-0x00007FFECA160000-0x00007FFECA170000-memory.dmp

memory/1900-14-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-13-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-18-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-17-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-48-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-51-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-52-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-54-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-53-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eaa3db555ab5bc0cb364826204aad3f0
SHA1 a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256 ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512 e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

\??\pipe\LOCAL\crashpad_3432_ZFXNYQTIOUNOLKCO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4b4f91fa1b362ba5341ecb2836438dea
SHA1 9561f5aabed742404d455da735259a2c6781fa07
SHA256 d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512 fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9822babd57716ce480cbb8103857e7f6
SHA1 36bebf603e5442432e42aaf953abeab16eae774e
SHA256 d436a824ed8ba77555b65be653aff72cc62eb0071309a19625c9dfe4141daa56
SHA512 c692688f9416de16bc9d037ef67a900c2c5fa72d76d82ae0d7b93ea257f7055aa1198f2cbc34d38912a8ca8bb877be8c3c77d4fa19a9fd2775de1b9446b576e2

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 a9806bd21505cd1dea3248609eaad973
SHA1 2f5899604075a92935b4322dcf5a0977b90de76a
SHA256 0e8fcd87c9708da8ccffde64fd6278f9b24716a5ed3f5b1fbbbce765d3371189
SHA512 e32667b68effb5396f8836695bfaa01786624e3ad20772ad6223dc597951a7153f0a23fa07850eb71bafa91142cddd75bece2b0c39f82f25f787005ff983c947

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 240b84b2b9bc2771b8a25175892a9c47
SHA1 755ffdd6e4ceaebc4d4918baca71a5e3e3623622
SHA256 08c8ab5c7da588aa3733013982a59ec6519a2609ecf0827cea32c7311d8c80ab
SHA512 d9d0a9091304c62a7822837bc7309d230ffcfe26f1a95ee70e3cc562319946cd1a7d6eef810a3ee3028631dfb620206e067e181213ffea142cb2cbeba0b81ea3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 87da78507459c9ece7a38bc29324cae8
SHA1 412f975b05d53b3db56c0374716cd7d5173269c8
SHA256 7e8f916a40dafaf94fff55cf077f1360f205717a46b20a288c7e2d02ac3fdca7
SHA512 4164c2a30bb047bddea7d096b8e083d04d1c06aef0f0df41161c910f4d1a606c5e9dc3c600d5f8baab947b172bb83d08f3bd41aa6537088bdf6cd0c9d566cd1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 4d6ca809abe6da02ae2525155886a114
SHA1 7840672d1447587771f694ff19d65d500204be99
SHA256 01525043de84146db8928d9df2092560a6dcc3b9fd1aef781be2465e5b0e7b26
SHA512 222189f4fc6bfe52233786ebb04be6a9f7c0d3a3be3d820aa84f743ab14b2a5fd81538d0173096d5628266ed5146dcef27f988dd36add6d0d83ef7a6caf9e37f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 94514623d4d86e3784ecc0eda4e70698
SHA1 f8d4903df2a36d1cff9d7716b49063c1a73f2b93
SHA256 5c0ba4299de05d6ff21d60e4eea8310327469dace4c35153488cf568cbd64c26
SHA512 f479c6d19473a52f084f2746f00088277cf751d70fa0dae76804fb167a645c4d17b2ae93b0e25c6983556f1d433cd5f9a176ea8ee04e16176ee25406e9128630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 71121aec9433cd155603a13b87359be4
SHA1 041b4e6bbba574289ebd521b70bc3a185a24b1ac
SHA256 81b0c2fb3315bb49e7961bf905590f572821c4498cf2328e8bd70fea116661ce
SHA512 41f5896433754a651c83cd93b83f8516d86ddc7352a64e85b93d9d7844e3d52af665f99ba716dd41ea63125365fbe21cd8181c48be76ea671c80453096025c19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

MD5 ec9c3ea0a1bb8d5762637d4a5ae212eb
SHA1 13a243ad584a426bbd722334e8fc1cbdc1c57d34
SHA256 2e711ecd5e9f7413e9fe87050b17e34b9966979a502acf96f21bcdc2a695c9e3
SHA512 73af10215092013a94fc7ef8ce854192dae0e8976ddff7cfb95747869b1655ec8c5d7ab6822166e9444d9916bc755f8b8a1c8e7f32ad9a57eb3f7820bd623a93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

MD5 f1d6b45b8beceea44e0321c2e3d60a0c
SHA1 275a8ec18b2fc3c97ab3314cbe76b6a5e5dfed5c
SHA256 cd76b5fb95b14f24f68fc4c70ba53e577ad9713119b43e668ca00a25801f0987
SHA512 581b3207ea6143f9f6a9f6eb4b73692133a5790c995d95b306e7b72957d241d8465171660a2c983e8917958cf47c5ccf0642888a814a83530b7210451e6116af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ad9b858a3f3aa8a057139c43ac8b0d01
SHA1 6e432d8fbc47ed5551d86cca50b5aa6f79716a28
SHA256 5c3b15f205553cbbad2faf2fd47d64915449a1e24d52a68edb19eab59b335ef9
SHA512 c820ce3b71d0d259c34bfa59defb434aba807ac25364a2a2b00e8122143ce7fa394f831c64403fe3ebd3675f3028df0c3a1accc99aa0b088d1dad03283f78ee5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 945752c554f465c1e139737bac2ef486
SHA1 4e3c1249479432962b6b3ba563819baa83c55547
SHA256 aabac61ea7c17b0f77fe43242432ce46795d8dd9ea851e612a1708c50cc73d45
SHA512 ee4a84aebfa9ce14d61a0481852985fe84480e36ec96b25eb7b1aa8deef17ce90562684231f1a9d3e709e61441445c9803f0c0f2ce2c41d4787e969d5da6e14d

C:\Users\Admin\AppData\Local\Temp\TCD9BF5.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/1900-655-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

memory/1900-656-0x00007FFF0C170000-0x00007FFF0C365000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 93556f66a037e43ef776d487cc544659
SHA1 3f923467b0c2aa2156e1a119b12c2920172d2360
SHA256 4b88d7bb723f4af55490a605cd1024fceb3bf9f1a9e4aa57750e94e5a5e1adaa
SHA512 f68578ed966d54ee61088c98a9ee06331e1e7a867dd0239f4db730b7f185b1d548d1ae5b738ab64922d0d37ae7903863f898a371731cbcc9a7856e57e53a7d44