Analysis
- max time kernel: 113s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-07-2024 15:21
Static task
static1
Behavioral task
behavioral1
Sample
DocuShared_Quima_FacturasPedida_177.rtf
Resource
win7-20231129-en
General
- Target: DocuShared_Quima_FacturasPedida_177.rtf
- Size: 600KB
- MD5: 4a5bd9768fbcbc38d39d16cc2d32c5ba
- SHA1: 1376410f2b523e27e0739a747b2e1dd15bcf039d
- SHA256: 12ee9017a76069efb4e8cb3572d345a1a0402cd9a7aa015ebfee3d2e3c26dede
- SHA512: 581332cc2647f5ea2247157c55dc98f20ad9a056465d826d3e9e2cb36e4c5dd03ef70101669994471f80ae74c79f61a80370e25ca2a589bbfac75976f382a2d2
- SSDEEP: 768:FB5pxWUbptX7sZ0lpHmfLRZr6xlsw2FALJoezZ8uhnsx5555555n8xiGxB4UGX6a:FlMUVd7c0Mqb96XobQy7i
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: msedge.exe, WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE (PID 4004)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: msedge.exe (PID 5196), msedge.exe (PID 3184), identity_helper.exe (PID 6080)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes: msedge.exe (PID 3184)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe (PID 3184)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe (PID 3184)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE (PID 4004)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: WINWORD.EXE, msedge.exe
  - PID 4004 (WINWORD.EXE) wrote to memory of 3184 (msedge.exe)
  - PID 3184 (msedge.exe) wrote to memory of 4720 (msedge.exe)
  - PID 3184 (msedge.exe) wrote to memory of 5184 (msedge.exe)
  - PID 3184 (msedge.exe) wrote to memory of 5196 (msedge.exe)
  - PID 3184 (msedge.exe) wrote to memory of 5216 (msedge.exe)
Processes
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DocuShared_Quima_FacturasPedida_177.rtf" /o "" [tree depth 1]
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://webordendecompra.s3.eu-west-2.amazonaws.com/Darth+Vader.html#bWF0aWFzLmNhbGRlcm9uQGl2aXJtYS5jb20= [tree depth 2]
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe631846f8,0x7ffe63184708,0x7ffe63184718 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3 [tree depth 3]
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5252 /prefetch:8 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8 [tree depth 3]
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1 [tree depth 3]
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,7908031011039445863,16321894776875629618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1 [tree depth 3]
- C:\Windows\System32\CompPkgSrv.exe -Embedding [tree depth 1]
- C:\Windows\System32\CompPkgSrv.exe -Embedding [tree depth 1]
- C:\Windows\system32\AUDIODG.EXE 0x468 0x46c [tree depth 1]
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads