hxxps://emailmarketing[.]locaweb[.]com[.]br/accounts/192943/messages/1/clicks/31925/1?envelope_id=1

Analysis

max time kernel
95s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
05/07/2024, 13:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://emailmarketing.locaweb.com.br/accounts/192943/messages/1/clicks/31925/1?envelope_id=1

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hANEXOPDF.PDF40 937581.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hANEXOPDF.PDF40 937581.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hANEXOPDF.PDF40 937581.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hANEXOPDF.PDF40 937581.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hANEXOPDF.PDF40 937581.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hANEXOPDF.PDF40 937581.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hANEXOPDF.PDF40 937581.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hANEXOPDF.PDF40 937581.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hANEXOPDF.PDF40 937581.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2728	hANEXOPDF.PDF40 937581.exe
1376	hANEXOPDF.PDF40 937581.exe
1188	hANEXOPDF.PDF40 937581.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2133704870-72480668-1360283475-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\119629036700.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3328	msedge.exe
3328	msedge.exe
3120	msedge.exe
3120	msedge.exe
4800	identity_helper.exe
4800	identity_helper.exe
1164	msedge.exe
1164	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4972	3120	msedge.exe	79
PID 3120 wrote to memory of 4972	3120	msedge.exe	79
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 2272	3120	msedge.exe	80
PID 3120 wrote to memory of 3328	3120	msedge.exe	81
PID 3120 wrote to memory of 3328	3120	msedge.exe	81
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82
PID 3120 wrote to memory of 4564	3120	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://emailmarketing.locaweb.com.br/accounts/192943/messages/1/clicks/31925/1?envelope_id=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdefb83cb8,0x7ffdefb83cc8,0x7ffdefb83cd8
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,16643960653605441647,14666541535941327177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2232

C:\Users\Admin\Desktop\archive\hANEXOPDF.PDF40 937581.exe
"C:\Users\Admin\Desktop\archive\hANEXOPDF.PDF40 937581.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2728

C:\Users\Admin\Desktop\archive\hANEXOPDF.PDF40 937581.exe
"C:\Users\Admin\Desktop\archive\hANEXOPDF.PDF40 937581.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1376

C:\Users\Admin\Desktop\archive\hANEXOPDF.PDF40 937581.exe
"C:\Users\Admin\Desktop\archive\hANEXOPDF.PDF40 937581.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00182578404b4b6fcfde21669962dd4

SHA1
25e096b73941797b77cfb40dfc84e5d38102b1ee

SHA256
6b4b411180d903dcee076619b1b6af71d0e35569e68f0d330f8050a94e5c521e

SHA512
06a13324b95603357abbc051ec4fd083148bb28da731f8b83d4066bd47d73a7383a58d4dba52ecd63f28ff46070669dee07ce8e8f87fa07207af122264e95e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8739e9507ed3529c450eb5b6ac83e21

SHA1
0f933f32c39a0af112fbe0a58e5d7a9edc617965

SHA256
2b35918fecd0a80628088d9069436558b2dde8eb14de4162abf9c2e4538eaa13

SHA512
e852a75b3505554fc690faa3720b2889c884602b724210533c608649e1a1a58ebb33975ee0acfe9767ab09ddac120e934bc9662a9949750665a3a350ba9acb67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
08991b36f86fd90b389b30cce0a92e5f

SHA1
eb69da0e78586c67c1f2e94a3932e16da06391e1

SHA256
cc421646cd9b02dcb5611d434a444d1ada7025e458b6ede7cf50fff6b707e1ed

SHA512
a6730aeecee3e2502e9ffee66d730d16b6100e7b806deafb34298ab9128895821d8b1a096c5c634ecc3da6515d829eef2b4a458169850c9d4588a14936fbc08c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
743B

MD5
2a96953607f77bf4cf3ebbb65ef48ed3

SHA1
b103ed24631c85d4cf89f92680688c84bc0e4b24

SHA256
49f0d68fdb2b3019f0f848c76eae81330ba0e3b39ef7debbe75c9508d14f9cf0

SHA512
89ad92d2dcd393dd9a8589028a2a9be07a7e4d87a0fe09df9445a8dce558707f5999e97e3a6ab9633c296f7508a929ebb8c0053f71cff381b0b3826024935aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb0574501e9712f1c57d5c28b45fc009

SHA1
a011226698ef865db85a064193a05689287f03ed

SHA256
99e1d4c5aff363e4b201e66dfb86469e8c2999847d18c5471e555eb9ee86bd96

SHA512
ab2ef22fc68a37cd5ceae8dba4117c62f9572730039a52508aa4faced840e313babcfc55e0f513798834f4b45f54b550907d460c643563c2f3b00389f735c267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70f5abcd68431ebf8455c9a8f924cbe4

SHA1
f60225b16e73a365ae7e6c8c71d891671f324bcd

SHA256
7519b73f4e758ec0677f1f60afe499683c9d6281036c5a467f2e1912ab4033de

SHA512
45fc51eda6af3eb5f6c413472230a18543af03554d044946fc8bdf857222c109ea946f599ef88f01a8779526349279d59bded3151d9f6304d2059c9790b91fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
012513cd01e7e1f32f43827d808875be

SHA1
92cd83ed7a98677fd642c0dd0a27e4f867c57215

SHA256
060ef5e040940110bebbca538e29fbd3fb2066b85b43d64e161f5e68e0ec390a

SHA512
e0a3ebc024e4fbc65dda25e5da7faf34c9945175407d4e946f9ee2caaf6d579a3e06a89069f3170d36e3c27fb64a945215710fbc475fc4c81a9f9ad13953e663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2a51cc8354973d5487a1a219d9a2c0ba

SHA1
35771eea5869c987def5a0a4e3338c51f3bcac43

SHA256
381e29a2d7eb24e2141af7573d7e143ce3946f2807566178055c651d0c6607cb

SHA512
c5591b147a6f0bfab00771d6c893383f7f72f7026c07d3d972361d74ae9f538314beadabf8e32cdb9a07c1cb0e4b00d5a0fbcf1606e75ae8863a736d8c7499d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
518670c96f4b97892d51a30ca23d12c5

SHA1
b3dc1d3c90ab2de937e7c834b9066a821756228e

SHA256
59cd33aa4b3e3a747b55882d5aa379f3caede3e44b83fcd65b3e5c1d7fb05381

SHA512
b68d2228bceac2d1d17fbff57574eec553ef9f1baeee53d701bc2c52d52f457782b0a9e1ec493810173b9bc8afd1938d26f4d369556b1c511eb7f8edef917198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6e19f00a0a286e67ea59aa1b9a3fc0d2

SHA1
151843b0e5b2c31a328ca3d58fc215616fa7e7a6

SHA256
a8fb953f0728b9230de36922544edad68d4862280fce774fd62e71ef75fe1eaf

SHA512
9ddb60e3b75fcb75d36b6fe7285a941adec1e622e7a6e83811b8f89c366cb33d3c7bf474a7f67626f6c131a26e7f37d484297d604459f0233d3aaf019a850efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
e2d389d95fb754803b5cc5718300749a

SHA1
086abedf1fef852802fabfec7ae855a1b0607675

SHA256
633caa74b8ff8ae66fc50c006e956d1aa4224a1746e8d6c5044686d921b722ad

SHA512
cbb3f21d4c6771fde0f2f9d963406df13167b1d5e83c31473577c3971c4142f3ec06c1a5ed5ab4a99e89befce19631baca1843dcc3b60158a0a56f940153f7d2

Download Submit
C:\Users\Admin\Downloads\119629036700.zip

Filesize
20.5MB

MD5
9aa2e57c7c424b83ab802242a5b1ed44

SHA1
697cfc6d447fee5169bf90ea1e1de2cd13b5b025

SHA256
a651f40de0381f2e5d2ba15aa6c97feefe3b9900ffca1351320dd1cfbc03058e

SHA512
a63c9cc413ed7794c54a0932c274558c24eec68687c36693de92433f6ecd49c93fcce9e43f27734c24b21639a8de63ce9540ca051ba370ff68fc49c42b67993a

Download Submit
C:\Users\Admin\Downloads\119629036700.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1188-191-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/1376-179-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/2728-157-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/2728-164-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/2728-163-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/2728-160-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/2728-168-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/2728-159-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/2728-158-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download