Analysis
-
max time kernel
1711s -
max time network
1723s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
07-03-2022 16:43
Static task
static1
Behavioral task
behavioral1
Sample
FilesSetup.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
FilesSetup.exe
Resource
win10v2004-en-20220112
General
-
Target
FilesSetup.exe
-
Size
350.8MB
-
MD5
9c6ef6eedc7016c5fba6ba8920255042
-
SHA1
a0961165ea07828f3bf86a227d85abb8d4b11818
-
SHA256
18d2e2fb3c22f506e85bf2c858bb511b032bb373f5e3b5e34cfb0749e3032e3a
-
SHA512
c2234d3d2256036c702cfba0da2327b67ee08580e67e0fe2f76ca181493adfa2a1de0f0d351dfdca90a01f142ad312aae391ef04aa353ced5e497b49979dfacd
Malware Config
Extracted
redline
dsf
185.215.113.72:61983
-
auth_value
b821593a97a1337ef8c5a6c45313524a
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
Processes:
resource yara_rule behavioral2/memory/996-130-0x0000000000A50000-0x0000000000E37000-memory.dmp family_redline behavioral2/memory/996-132-0x0000000000A50000-0x0000000000E37000-memory.dmp family_redline behavioral2/memory/996-134-0x0000000000A50000-0x0000000000E37000-memory.dmp family_redline behavioral2/memory/996-137-0x0000000000A50000-0x0000000000E37000-memory.dmp family_redline behavioral2/memory/996-139-0x0000000000A50000-0x0000000000E37000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
FilesSetup.exepid process 996 FilesSetup.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dbdcf536-730f-41b7-ab7a-4a89e9abe199.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220307174441.pma setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
FilesSetup.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepid process 996 FilesSetup.exe 996 FilesSetup.exe 2520 msedge.exe 2520 msedge.exe 2748 msedge.exe 2748 msedge.exe 4008 identity_helper.exe 4008 identity_helper.exe 3960 msedge.exe 3960 msedge.exe 3960 msedge.exe 3960 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
msedge.exepid process 2748 msedge.exe 2748 msedge.exe 2748 msedge.exe 2748 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
FilesSetup.exedescription pid process Token: SeDebugPrivilege 996 FilesSetup.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msedge.exepid process 2748 msedge.exe 2748 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
FilesSetup.exemsedge.exedescription pid process target process PID 996 wrote to memory of 2748 996 FilesSetup.exe msedge.exe PID 996 wrote to memory of 2748 996 FilesSetup.exe msedge.exe PID 2748 wrote to memory of 1652 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1652 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1048 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2520 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 2520 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe PID 2748 wrote to memory of 1976 2748 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FilesSetup.exe"C:\Users\Admin\AppData\Local\Temp\FilesSetup.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1bjue72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc418846f8,0x7ffc41884708,0x7ffc418847183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff643885460,0x7ff643885470,0x7ff6438854804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5768 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3404 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1728 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:83⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\AdvertisingMD5
4e9962558e74db5038d8073a5b3431aa
SHA13cd097d9dd4b16a69efbb0fd1efe862867822146
SHA2566f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\AnalyticsMD5
fad197d6ffd32d1268b9e7e8d13ab32a
SHA1b0129887a75965bb2ef56a2c39d3231e5b87265d
SHA2564e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3
SHA51201d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CompatExceptionsMD5
900263477e1368869fbf1be99990c878
SHA1e56e199aa4119f3cc4c4d46f96daea89bbf9685a
SHA2567f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4
SHA5121035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\ContentMD5
94c183b842784d0ae69f8aa57c8ac015
SHA1c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA5125808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CryptominingMD5
8c31feb9c3faaa9794aa22ce9f48bfbd
SHA1f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA2566016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\EntitiesMD5
0d37c9d98f35f2c6524bd9b874ec93ed
SHA187d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5
SHA25619ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac
SHA51268e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\FingerprintingMD5
b51076d21461e00fcbf3dbd2c9e96b2b
SHA131311536cf570f2f9c88d21f03a935ac6e233231
SHA25621a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993
SHA5123e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\OtherMD5
cd0395742b85e2b669eaec1d5f15b65b
SHA143c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA2562b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA5124df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\SocialMD5
152b745da17397ed5a2f3059bb157600
SHA147bf4e575ba1acf47dcc99f1800f753b4cc65ef6
SHA256ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8
SHA5124984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\AdvertisingMD5
d024831cae8599f0edee70275d99e843
SHA169e08b543802b130da5305cbb0140bda5601079c
SHA2560b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978
SHA512ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\AnalyticsMD5
4cefbb980962973a354915a49d1b0f4d
SHA11d20148cab5cdadb85fad6041262584a12c2745d
SHA25666de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a
SHA5126a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\ContentMD5
7f077f40c2d1ce8e95faa8fdb23ed8b4
SHA12c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\CryptominingMD5
4ec1eda0e8a06238ff5bf88569964d59
SHA1a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\EntitiesMD5
ba60431b366f83677a5bf1a2e4601799
SHA183f828c27de5429e25c38c36ba77e069d5c7b2de
SHA256ab895ef5f75efd49dbb4fcdf7529e50ca622d13433e067bcf8a1f1127a944da3
SHA512aa9ff0374fb3d4bff7ee5a78dd5ace340da4af1a844f453a40b2723a91b32e6e3f4bd736fb3f3cb210b016109660a7b5cc8440901c6bb410e61530286a4e0200
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\FingerprintingMD5
a004023825237dadc8f934758ff9eaf2
SHA1c981a900b5ce63884635cedfe5ba722416021cb2
SHA2563c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7
SHA512e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\OtherMD5
c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA51286ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\SocialMD5
976b1cf7e3442f88cd8ba26d3f0965bb
SHA1b75438dc71de4ac761d94a215ddbffadcd1225b0
SHA256decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541
SHA512d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\StagingMD5
9ca5eb41a53645be63d247ad8a9a7869
SHA12e98b04b5a2efb04d20bc7fe51b05c4e4841205b
SHA256f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9
SHA5127dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8
-
\??\pipe\LOCAL\crashpad_2748_OXEOUQYUVMNLPIQKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/996-141-0x0000000076340000-0x00000000768F3000-memory.dmpFilesize
5.7MB
-
memory/996-143-0x00000000051D0000-0x00000000051E2000-memory.dmpFilesize
72KB
-
memory/996-151-0x00000000061E0000-0x0000000006256000-memory.dmpFilesize
472KB
-
memory/996-152-0x00000000062E0000-0x00000000062FE000-memory.dmpFilesize
120KB
-
memory/996-153-0x0000000006D80000-0x0000000006F42000-memory.dmpFilesize
1.8MB
-
memory/996-154-0x0000000007480000-0x00000000079AC000-memory.dmpFilesize
5.2MB
-
memory/996-131-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB
-
memory/996-149-0x0000000006600000-0x0000000006BA4000-memory.dmpFilesize
5.6MB
-
memory/996-148-0x0000000005560000-0x00000000055C6000-memory.dmpFilesize
408KB
-
memory/996-147-0x0000000005110000-0x0000000005728000-memory.dmpFilesize
6.1MB
-
memory/996-146-0x000000006E4C0000-0x000000006E50C000-memory.dmpFilesize
304KB
-
memory/996-145-0x0000000005250000-0x000000000528C000-memory.dmpFilesize
240KB
-
memory/996-144-0x0000000005300000-0x000000000540A000-memory.dmpFilesize
1.0MB
-
memory/996-150-0x0000000006140000-0x00000000061D2000-memory.dmpFilesize
584KB
-
memory/996-142-0x0000000005730000-0x0000000005D48000-memory.dmpFilesize
6.1MB
-
memory/996-130-0x0000000000A50000-0x0000000000E37000-memory.dmpFilesize
3.9MB
-
memory/996-140-0x0000000072CB0000-0x0000000072D39000-memory.dmpFilesize
548KB
-
memory/996-139-0x0000000000A50000-0x0000000000E37000-memory.dmpFilesize
3.9MB
-
memory/996-138-0x0000000074220000-0x00000000749D0000-memory.dmpFilesize
7.7MB
-
memory/996-137-0x0000000000A50000-0x0000000000E37000-memory.dmpFilesize
3.9MB
-
memory/996-136-0x0000000002780000-0x0000000002781000-memory.dmpFilesize
4KB
-
memory/996-135-0x0000000076DD0000-0x0000000076FE5000-memory.dmpFilesize
2.1MB
-
memory/996-134-0x0000000000A50000-0x0000000000E37000-memory.dmpFilesize
3.9MB
-
memory/996-133-0x0000000002720000-0x0000000002766000-memory.dmpFilesize
280KB
-
memory/996-132-0x0000000000A50000-0x0000000000E37000-memory.dmpFilesize
3.9MB
-
memory/1976-163-0x00007FFC4F840000-0x00007FFC4F841000-memory.dmpFilesize
4KB