hxxp://youtube[.]com

Analysis

max time kernel
78s
max time network
82s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/09/2024, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://youtube.com

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1876	OneDriveSetup.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VersionIndependentProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\ = "UpToDateOverlayHandler2 Class"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ = "ISyncEngineDeviceNotifications"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ = "IGetSpecialFolderInfoCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\FileSyncClient.FileSyncClient	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ = "IMapLibraryCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ = "IToastNotificationEvent"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\VersionIndependentProgID\ = "FileSyncClient.FileSyncClient"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\ProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\OOBERequestHandler.OOBERequestHandler.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\VersionIndependentProgID\ = "FileSyncClient.AutoPlayHandler"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\ProgID\ = "StorageProviderUriSource.StorageProviderUriSource.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win64	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib	OneDrive.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2808	WINWORD.EXE
2808	WINWORD.EXE
2040	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5680	msedge.exe
5680	msedge.exe
5916	msedge.exe
5916	msedge.exe
2948	msedge.exe
2948	msedge.exe
4156	identity_helper.exe
4156	identity_helper.exe
2040	OneDrive.exe
2040	OneDrive.exe
1876	OneDriveSetup.exe
1876	OneDriveSetup.exe
1876	OneDriveSetup.exe
1876	OneDriveSetup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2688	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
2040	OneDrive.exe
2040	OneDrive.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
2040	OneDrive.exe
2040	OneDrive.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE
2808	WINWORD.EXE
2040	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5916 wrote to memory of 5056	5916	msedge.exe	78
PID 5916 wrote to memory of 5056	5916	msedge.exe	78
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 3412	5916	msedge.exe	79
PID 5916 wrote to memory of 5680	5916	msedge.exe	80
PID 5916 wrote to memory of 5680	5916	msedge.exe	80
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81
PID 5916 wrote to memory of 4708	5916	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youtube.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6db93cb8,0x7fff6db93cc8,0x7fff6db93cd8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,7234940753324630583,6884253625760018277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:932

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RegisterInitialize.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2040
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    PID:3960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
92e56421198ad7844902ee81574f86c5

SHA1
b5d9c2597dbce1cfd6e3f297ce87633c8391e92a

SHA256
c9c28509c5c9884c6796b14dc5e61e9743e198aba1d29523de6d784128d9c41b

SHA512
f3bbbb7f7d497809bf0ae0fe842ed35d9970a622a4391d1cac7fa601681dff0c2c442d4999f487c08156a7afea2268f39cc11418cbb62d0ec4bb07063c1ee876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
d3aa197a6081efbd510e783cc2835f4b

SHA1
13aaf586d74093bb378a29bc742aede9e265cded

SHA256
18eb76cebaf53d08e83977a016e929156922bb58091fedb644ae35c7609c882c

SHA512
fb37891d97a74beaa512ccd93e3ce35aa2493e87b8807365347dd5eded1103c1ae6eca777462345d320a4eac283c12867aa164a2b415ac51e817165d915dbc12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
232KB

MD5
f84bdf117f2262ab252cd4b159bd0d17

SHA1
6e51085674da2a254d29f3753d3265961bcc5470

SHA256
ce2c2a89853d3389da8cf433e152e208f6cad1d24eefa4d31fadd81dc036a4cb

SHA512
82f4797a1ebc8f11f46bee31981aa9119af07d3a058f17008afc933fa72da125fc512144b2e808a6b6541a67e5340bd5e4998df7ff0243cefa8a759972cd329b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
20KB

MD5
3684c7775bc328aedb86315ec6891439

SHA1
cfbff177f45afdf36026595ba0abd3bb59f86a43

SHA256
e8d182897c2ec12664cd8e86b31ed441f775479b41a7f1ba39278d32e29fed87

SHA512
2f5f00b2018c4632260b7b26ed4d524dcdcc02f66c3e561a3ccef3a023c042ffefc3028329b4c58b59c4186936d51514b892bed0da00a410502b81bc95b6230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
47KB

MD5
02bac54636d00b4059602a7d04ee6d41

SHA1
181ea605fbf32bd2895a9170873b6356dc37748f

SHA256
28ba0b7e3fa6070799b7d8a5a166a1c05751948059604b835c7a9e53e5668fd6

SHA512
be83074f59ae14751cdca5ef08b5e4422754dd013a13f1071e4a58981d0accb17449f9764a0fc33577980b4f7ad67a8e6514162f761d91eafa5d17f22b27edfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
605KB

MD5
81f7e78a8d33d1ec2c9f3802e35e1254

SHA1
303bac1301199b0d191a145525c581e42e22cd46

SHA256
b0df7eca346df8d87115520f2b5accf863d6fba3f8d0991405c98093e8e6064a

SHA512
a91a228c26376f4873a1e110f3a6a1ff750af4eac7d4410473e0e9301fc94fc11c08e4c39b980abd212e8896c140f449828741d24610d0c9484d02ed05207b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
33KB

MD5
bb589f3d4db1978b8134a6f7b4576112

SHA1
bd00bac5c896d046b98e75473a3eb17a28d711b7

SHA256
2037a87e8725f47c6965d2d1f31478105db4614ea5232e9f401427a0e3130b11

SHA512
6d403d4418a7dcce851fedceb55fc9b3d2a89dc70a955768c7c50b5af00baf8b900cc3dc84e1012441f00bf41d325c66e39fd55dc84fda93481b0dd28b89bf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
32KB

MD5
1734e6280324c2db9fdfc37869415097

SHA1
e6dfdec9d9637b2aee1750c489e906716df1dbeb

SHA256
ba7fcc5387a8cb424c043bcdee35475f56c5bbcd78d2df5b7a081e3241178b2b

SHA512
e584250ea519b3a987eea3e63bfad06418670d0b6f277918df2bd3b006ceb7359f9fe620c9ee62ec5f7ae0ba8dad25386172b141d8afd85115beb6da7bfffd1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f8b8751fca2d3c7f805017ae026cea31

SHA1
85f69e9f214027cabbf87eadfcc517c1e62e8c1a

SHA256
235f47c3540c530ef55e4f69c389254b49f42fbd3e66e0c266d65a902c3dd0a8

SHA512
d9a553f407254f694ee6fa29e7dde73a65d08fecbf97079d0cdd339f8c6fe4f4c9e163e219f35b29099a3abe99af93f84fdea9ae26f0b14aaa325abb6c05d394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b9badce229e0b6061dadc23d834688ce

SHA1
ea91b9a9cb2af19d5c8da9b9de887d2eb13212fd

SHA256
41a6a61877b89c7f38305a4af54490926f5083798bc0108ebda921c8957dab37

SHA512
cfdce0cf46431b501a70c79222b150e37c694767a2803601d0d9821e95c8810eed13de62c42a71ea306bdcd31d946eb22b745faa56c4a8656714cfbf0ff1856a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88c7dcaaeafc418283a764265d6584dc

SHA1
802940b77485d4b8450dea6cf09638ebea403bc7

SHA256
5137bce9ae3e4b3d4b007cdd6c4cc785652279aa8a6fe49202b211f7f44c5df8

SHA512
72073ef662ddb00522410cf98c1858fcad50c63c66e246308f154437c14e1c899dfaa3e5184153da865976ea752e57ea02a8de5dc298f46a785dd833e3dd27d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
df8b7f0395c410ea39e65c04bedb47d0

SHA1
e83296141e97371bfab6a7e3fef9237688903896

SHA256
0f1748a234b4a63da9a843145fc29906dda1c6ba2119e0f16f0496905d256751

SHA512
74a3b7469d73fd511aa34c2e4b3ab56ccc9a4db9954fa58c527a9deb082db5d045b81ce678a35d06d6f2c00e8066e594180ce72d505dce21e86b5838f2dce3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87b4e18478465c190beb298706c48bb9

SHA1
7bb147c40233b227ccc52c6b7bad442430c56812

SHA256
65999d63c6b2ee9d98866f898c35abfa0f0d60b82fe3c4ec7ce090c054710a34

SHA512
d284650a3cca946b6fd57880ef78f2acc5c6f26701b130d2e820cd3dac9a77950650bfcde768b7ebadc14e95af25099d076ae260dec41dc3e7bee585b900e946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\134dd494-2bed-4c2d-8818-216b8fa0120a\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\54ba0cbc-e614-4164-9d5d-af77049c935f\index-dir\the-real-index

Filesize
2KB

MD5
244fa81cc7cae5014829c3a1961a0b55

SHA1
f971c54767490a29804c0ffbe4955a8cb350adc5

SHA256
a8e537e18687c6ec30118848ab8138e938228d59d087e8f36dd70bc607e61b36

SHA512
26901db6ba65f3774bebea80d283cc059aa5d23c8cc49225dacc4824dfeb61bb020b660ad4150b1d357e85808e01c4777910df169f900ff633865506fc2aa2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\54ba0cbc-e614-4164-9d5d-af77049c935f\index-dir\the-real-index~RFe57ddfc.TMP

Filesize
48B

MD5
89462b9195252739cec7ac7a9700dcf0

SHA1
48e6543e488d668b69cac1df729d207681179e6e

SHA256
6cdcd06b6e2627a51bfd0d4870eb911544b8d3cdaf5acda35a1a2089fed1c407

SHA512
b5a138c80bac6a97793fa405cb3be6710b69841dd62534bc64e98bc0c7ee7d88818f4ad72304eea7a2842411ab6f73fb4e32c6443c525866465aeeb9045ba8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\84789675-4001-4625-acf6-0792110a70b0\index-dir\the-real-index

Filesize
624B

MD5
5a62993b547d119608be6c6161584996

SHA1
e435575e3ac937b4dd0eae02f944571d74926289

SHA256
05b2755d2ccda4e809a428a8f08204dfd8dcd2e68cb17953b511e98a4a5fc6a3

SHA512
de158a33d77c1ddd384991c2ae2a9b7ca5e6bbda0d92d855420df75525e1a5341aca42934c9d498a01cb5f47cb64f9a59f8c3c09024f8f5af72501c8f20b7e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\84789675-4001-4625-acf6-0792110a70b0\index-dir\the-real-index~RFe581325.TMP

Filesize
48B

MD5
859a0a52cd0d51266931c32f703beb4b

SHA1
490b4edae308b23b0480156e8419ab419a2b9eab

SHA256
1525c5c6db0f9a5129f0b881538fe02540ffc2697ec1eb4d7fc912367715c431

SHA512
4078484ec470b0b492ce9a7a7a463f6cecac8fcf495404426adb8402b4bdf02aa07dd7a6bfd67f33b4569a0791587de2ad72a65b9a53db3fec8ba064b8b9ed04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
9a3ae9eb227e6d8a29695107138f2169

SHA1
d0c0c31db7bcc30b40c77da8f12fc233979b5239

SHA256
10d964cc2501deb917a99f67d012f00fa9ae6e97cc59d9b26068ac9916cdfa28

SHA512
33041cbb849aa8dd1714d6076a701451eced6344b282e106cdc5962ef5fd41176fc113b1936d0e32dcdac729fb5a3a21df06bcb24556c571540972964088522a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
c3cdc4e41de5991e7ff51d58680ff578

SHA1
c9e2ff0403353f688be625d6a08cf7738af97f21

SHA256
63564e94f6f2492976b0f2e524910a20e6d0dbfde95b650f0022686641b5e7f1

SHA512
7af2f419dddf6f9e58f8cfeaf34a0e817280618df97d64c225106ad7f1df87195527b4e1e8589de49dddb082af31018c0257075c85afee35cad4b7eb37f21812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
b9260c2f0e4b5694577f32cac0cf2013

SHA1
0993b3cfe5be070d0a382543f68b0e4e30b9e333

SHA256
78bee4c236cf4cce9dc096ca39a6321e0455f191e650f3cfdc0175e2dee67c2d

SHA512
c56aeac4649c6c1e451cd89970e83022d60b934431b94a89e31c45e0c14701a15e4b40b071e22e1b2f7cbc2bb4cdd4ad9774b7b61d3e4eb8998540985d397158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
f77779eb54dc08e05feded5c92cc35a2

SHA1
3f67b7a2577cd6a87e18bb18b7733f99b5a045f7

SHA256
58ede28885b80c747d3b7728d5680e865c28b827d787f2ba4b4ad498ad69db77

SHA512
d2b262f1aadc851cb94ab1a23c136a057b7466dee594b2baa689f96f018a2621bf2c955a57ea31698bf9f0b9041869eace5ecca7cc2fd75c2747de48633387f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
5921dcceed4354bd3d99959f075dcdf6

SHA1
d839e4313e7839e8ea32f7a6d3b4ab113a2de014

SHA256
59bf0c9aa73448bb64b707a71aac6ec5191929c434b4506c148dfa9b1a2fc5ae

SHA512
ce5ed1b856c0851daa8bffb51a0581b6989461287de37dc3df2c78fee656ee516d0c60eecde8a746f07170b936781c9f5dc84ba3209676ab9255cb47021b400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
376da27627d71a9f7e8c7d3647e47a51

SHA1
617c7dbec07457ddcc147615a1eefdc95e5cee0a

SHA256
9db3a3c0d5602a728b7358aeaca94f77495fb3f4684e4cf50faac70559f798c2

SHA512
747e832cb86665dc1ebe38560e3f6d1f0fa4d0e2a5223816e9a2c02d4ffb2eb483e210ba19efbb9920716e22272a29b3dc9237ad008f8d04642c2dec93d5df99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
2f039278c3240d663deba86cb9246e40

SHA1
9a97146508d880e4a09aa64a186488d2cfd24aad

SHA256
110057249e0fed3985c59d284b73434af1354d9b5700ae59b211ff39d868ce52

SHA512
ba04d58923b992a3f473f624334bb4a81ce5e8b406c4cfb83d35c136aa36bcf7e3f25e798420787bef0f76a1ea2b629c3a1d4774fccc9cc6e744b408d7526e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d79083c140545884d4ec16a08d512bf4

SHA1
c7ae02ba4c137344e3b43ef9dcb446063b13a785

SHA256
1cd48eb9a9a7cba24aaef877f677a22325b8db8ca96f86c21bc96dc478a43026

SHA512
7354d97efea2a8efe37cd7aec76038a550c395ca10a4b9dc17ec84ed2a1b35589b1978a8e5d14b6791a4440c574f3706ae492d588b07cc3899228c9cba248eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581316.TMP

Filesize
48B

MD5
c175c06686ab15a595493fe6333cff69

SHA1
adff94b6a03356bdefb92e8088552c5b3a8abae1

SHA256
df26e72bacaa2d416af02379f7365ea2e70cab7acaedc5da04051f5a0ba8ec70

SHA512
ca4e2ba472caed7e0f66190ef81dfdce103f23a8693667b09f501c5a837b253a835e8aa5b4f4458e741635831949ece667800b3e684fbf0dc29bb90abc09bc15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2103e62fd06efb8a9ee6baa93aa0ecb

SHA1
820272d9ea9d125a94331ed7974ad39fca6ed09b

SHA256
e58c37ddbfa44184b527cf61381b061b51201c5bd22ae3b0ec2f420da3bb9bd5

SHA512
797e457d6c1d4e8e8f6cdbf09e975e5d7237446dd5980632941e4f108644c12b9b23ff321c6f23e278e9b9abab653004ccb386d468b5fc2a52f85c374a2927df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581373.TMP

Filesize
706B

MD5
92ade0846ebcd1e393ab3bca1c046c17

SHA1
b81083d8985b299f698b9ce1d49bac1f9a30969a

SHA256
5b1806f92b083c221a636b439490d605917d05382c96ae35b4ad81bb5847cbf9

SHA512
dcc2b25ab0d1d151de029f896350a6b626c9561c408e9f04f74a3c98b357b6475308f74c807c5b322d5f6d7635d6811bd61cbd5f423c44fc25c4d9a596a641e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dd8a9100715ce4664817b21251b65c0f

SHA1
13944b544deef7eea013a1e2d4bb12d552192a7d

SHA256
c03051051ecff037f50d7fbb9c863b56de34f1c415df6c253e90309f3b7e1658

SHA512
6cc51b49b57e63d0975d0c13f372e9a4e96bac33312db5320a6b75b56339453ea2e94eb64a61ed384cfbb61c84e40674d1626858c77454f96a859042c4ecef7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c9d527a9b0dc32e218c2096ad6ac00f2

SHA1
1701bd08595f952d5d9d94d4739a35b72518f6c1

SHA256
1129417d51f3e829503b44cc48b1537a6b241a52e8eb1cc8b59a09dedb0cff39

SHA512
fd48f3d7588e24d636bdbc83bcda9b766a08a4286b8a61b8d0a20cb47c67ef3afe51449d1cc808a798807557df6df5134a98038e0e5126af7042230dae5f0977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
65c16b54c21aaa8da1a69efc61815b5f

SHA1
07f8b743e44c8ff248f02a63f694dda8435fa2ac

SHA256
f3d8e75d8063c68832b745a982a216c8fa53477746ddb45aeeb0b988a3fd0619

SHA512
a025439206704d623bb9d5007cba70d54570f01862865572b2b50548d382b88176e7e41de56483e7458b23d45fc669eb8f735852e2f085ff52f23ad75f62851a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\01ME7Y5O\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
380B

MD5
33b5a7616f5a09390143bc512cbda0b0

SHA1
659dfb037d82032b1be17ee3e1b0a7acc8d5d62d

SHA256
6458f25e8e177b17baf83d47f5a54ae26b02611e4d7f67c5bed095848f378852

SHA512
9952b0e779b1073949f2f8b5bd829b172cc7ea9bee356d53887732f6a000333934c1420c68c90cb3310f3b72a162bc1cf27676f47a89c35292b78acb0b3375cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
95a181090f41de6e98af64101a8e88a0

SHA1
50d814b3e48bd5483cfaae98bb80e1a4d6dc8564

SHA256
9f8f63e01a860299f8b67cd0c4226e98cfec7f6e881a283e4163f68843d82598

SHA512
775f4a066bf19954fd53c75398fd43d0a2cb19a828ed78bf9e85264b1116d7d6a9547a3fb8d5c590e5e5b31d1f964bae0b5828707669acda58804906c2429daf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c073e64778700c15bab66485cd5b5d6c

SHA1
0b11a307bf7ccdffea300d4a5dd8fff84988ec12

SHA256
f16f7545ea8d6ad36f135af1d08c620c70f907b816c64aaac57605ae27999b64

SHA512
f7eab2190a0d6b3db82f3fa26eeda2b5cadfb6a7ccac121f27ed6efd8c861b9f00248f68e336708df3fca3401a821d493cdd7ce3f04ac25eb2db9d857e1df462

Download Submit
C:\Users\Admin\Desktop\~WRD0000.tmp

Filesize
11KB

MD5
5764d02eeba5be69ce18aaba155722d3

SHA1
0664e8ef2bfde32471763ec6fdec502a648ea3ba

SHA256
f06f2ee43b229edc6e4bd5afe6152ed6764eb02d1cdf1d7688640df2fa87d3fa

SHA512
dea508e2e64ef226832ae3067a4e6e3bf2bb51159ae194be62be4c898a91d5f67b041b8f0a3fda7af369a9db737cc8293b577bd63769b17b9fdfc67d05713423

Download Submit
memory/2808-953-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-1079-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-1077-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-1078-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-1076-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-958-0x00007FFF36AA0000-0x00007FFF36AB0000-memory.dmp

Filesize
64KB

Download
memory/2808-957-0x00007FFF36AA0000-0x00007FFF36AB0000-memory.dmp

Filesize
64KB

Download
memory/2808-956-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-955-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-954-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download
memory/2808-952-0x00007FFF39010000-0x00007FFF39020000-memory.dmp

Filesize
64KB

Download