Analysis
-
max time kernel
176s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21-09-2022 09:53
Errors
General
-
Target
MrsMajor3.0.exe
-
Size
22.1MB
-
MD5
41be05ddeba107c84bec48eaadb1b698
-
SHA1
e822d44f99418e1a4c97ead9d105277f1b0beeba
-
SHA256
c07cd03f19c84c065df380bd760bbfa8180429ea845837f12ea8a64f265e4358
-
SHA512
7a13a82de27d7d1eb9627a56c198166d724b5eb0e5b08545c7bc29838249323fd444916a5dbbd503c39a2db2aa2c598607278e8a129f99c984817e867a41f58b
-
SSDEEP
49152:3QEde0LgY0YPAb/ArM7WzgEhDpYNnCAGTtaha+OGA+dZDBlF26COKn1F/ufwTRra:3Qz+04D+i4DBz2NHlruSSDll
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Detected potential entity reuse from brand microsoft.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Control Panel 7 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 22 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=MrsMajor3.0.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffada0446f8,0x7ffada044708,0x7ffada0447183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5816 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6d35a5460,0x7ff6d35a5470,0x7ff6d35a54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=MrsMajor3.0.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x9c,0xfc,0x100,0xf8,0x104,0x7ffada0446f8,0x7ffada044708,0x7ffada0447183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2123672224670728089,17418630023104183920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2123672224670728089,17418630023104183920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffada0446f8,0x7ffada044708,0x7ffada0447182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4224 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5276 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6464 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6896 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\MrsMajor3.0.exe"C:\Users\Admin\Downloads\MrsMajor3.0.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
-
C:\windows\system32\takeown.exe"C:\windows\system32\takeown.exe" /f C:\4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\windows\system32\icacls.exe"C:\windows\system32\icacls.exe" C:\ /granted "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 004⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x498 0x4c41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3943055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5727230d7b0f8df1633bc043529f5c15d
SHA15b24d959d4c5dcf8125125dbee37225d6160af18
SHA25654961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998
SHA51235735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5727230d7b0f8df1633bc043529f5c15d
SHA15b24d959d4c5dcf8125125dbee37225d6160af18
SHA25654961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998
SHA51235735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b4b103831d353776ed8bfcc7676f9df
SHA140f33a3f791fda49a35224a469cc67b94ca53a23
SHA256bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
SHA5125cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b4b103831d353776ed8bfcc7676f9df
SHA140f33a3f791fda49a35224a469cc67b94ca53a23
SHA256bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
SHA5125cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b4b103831d353776ed8bfcc7676f9df
SHA140f33a3f791fda49a35224a469cc67b94ca53a23
SHA256bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
SHA5125cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58be9513fd38b94d4f6b5011b68b60326
SHA147feef421fe8de09e36ca685e9cf19d404aa8917
SHA2565bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d
SHA512cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
192B
MD57d501f3a25c85ab6bcb80679329ccb9d
SHA107db40b514be379cf7d2abd93ac104d3027e7394
SHA256f57802c03c083a2536e7c518beb6a7fdf4c79402103096f9abd13c3cb74afd15
SHA5122aadfc4982596e266b54a6d44d6d0b6b2ad5c28ee9e71bdaa6422b1d04f48c749beb890ae4c93b55137a117adeb11fcb730b07090f7b5d9842b04d76975f810f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-indexFilesize
48B
MD5a954828dcd3f7f4ce787397b55fbea5d
SHA1ff00757b75d3183a0745e97b2fcb25107dc5c920
SHA256637bb63ddf54234532852a54094ec01bf2a3601a767f087c1d55a5fb408e03ac
SHA512d17e9aeeac636d4457d1560625d6393403523f2a473b01c0016d26224e63f58206a4a2003df776a6a47b175b3c9f998eeb54ab6371c7f78d4a4265b26de980db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOGFilesize
281B
MD5d35129a9a0f754aed8dbc0c91c7288b6
SHA1bf1b1c5e39a64313a8e14e94a2a38e0feeaaded6
SHA256363b922901e405e3c25d005029985af6623221fef76515841dec2767525e9261
SHA5126a90667a369e63a4a31f9a725a50844495e3118e30399992eb97d44d5951240bfe5e2d5d27e976f373346fd5e64bec736a99d376b61e14b8564120188ec3b688
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\FaviconsFilesize
20KB
MD507988bcda7f08639ea6f38ce20d67656
SHA1338967261cf147341ca232a77fb04dcec6580086
SHA2566842a37d9ea2b399729f4f524ec82a26e2186c194025dd1f452f2163398d2a13
SHA5126a6ecec15f6ed05935a258d9716262a21eec9a994167f2010712c27feb06f5dc396a1c6a55167f2d6a5facf4ff23847b4b46742a022381bf485a42a1a2d48ba5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\indexFilesize
256KB
MD589a8ba0d2490a3f13ced9245a8232d21
SHA18481bccc81a9b66c0a34df6b452a08908e4f72ca
SHA2568ccd0d38ff6c1ce7fc7def0e447a88804d114fdff91c7c51889d5b2bb86e30d4
SHA512e41d2d22b710644e935a3e77a274a438bde9033e4b8db69e75bfa7fab73c51115cf58c56ff40304d666f8a6e0eceb38a4cf5ac4d574ed71110ddbbf296f8888d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD505504ea4995474e1fc1f5eb9d7a12305
SHA128fe8a4409b8ed7976f6b592b91925071e850875
SHA2562b2550e637e8b25b0060866ace4031b243f623929654d15572326caa3d75bb44
SHA512932626d291f50506ac6cc136023c5f121146606c035e883d66dab9acb6c2beba8c5419a97a8695ef485732c8ffd1716b1f105cf09ee349cfa4fc385b8c940d01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
2KB
MD55f1bf3553b6e91abc41053ce222ee0cd
SHA121bf08a8bf5784c1c352e565a987bf81f50823c0
SHA25694b00c2c27ffa8392ff21362c94092b2a9da93cc6c69cb5da498e284e0f2f56a
SHA512e6fba408319b6e4340fe410ff96802dc2d38fd49aa7ea20c632e68d52a5a6d817948962e1aab8b510fd8d52dcda883e316863631e4c013da9159e1edb5b4a6d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a45208b219c72b87063ef6369e73002c
SHA1f7526153653c65bf067128afe1cc6ac82c05784a
SHA256749dd0cbf19b7a534ebc9049ccaee9161cfd9b4e40aca381b08f70a82f9c44ef
SHA51299ab22082dbf5a081d0123a371fd3bf1842f97c01ad2a955df6e825909e947d278bd413fb0675237a23c497760fec74abc952a92f9a6d45a66336538ba2b5df3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD596591c046fa6b20fab45353cb48f6fb6
SHA13a6691bf67feb86ea5291248f125ed7780c01173
SHA25644ec97221a1783ef88f7564e542d8e643a56b03aecf45ef1f9296f371a9d6d7e
SHA512f2014235f213c20f1019aea777f3031143cdec22c41e43a2002cad9301e6a86f9944f4551010412e3b3a68a2734bcb5563ca33f8d13c3dbc746deaf7d3c1164e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13308234892004103Filesize
5KB
MD5a69e100649b64aa4c05352d3ec00d31d
SHA11708d9afcba51ef426d25dbd80fe9980e88eee4d
SHA256a6138ce24e48c7e3ede95d07d43383dfa96f5f47b780356837d3c81c381a08ee
SHA512661d49a6129f5001a6dbb4c96c554d8566dbf00b2d68daf98809bed0be1d5ef5416dac68aef0e55416425c6a73b1d8b443618bb9c97622ab54aa7ca778838c60
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.logFilesize
112B
MD5a499b405c4dba2b1a6ced6f186cf7152
SHA1676534d07086d457d5b255b41974c0a0f9d924c1
SHA25642a5f2673f28258fbcbdfeba92acfe02245aa35ace5784131768d54562a05ab3
SHA5128e2cfcfd5bac5874102ec1e71174db29ba2f74575e79bb5cf3c1d1870545b41ca05e4129cac387b9a5239fcb2d062b7f75d89ab058f975f07ba1759416216930
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD532ce12a351377e1d1f0a104202121898
SHA1317efed38ceca248416e7bda9c16597db29826cb
SHA256d3038540305546ed0b9367f6cefbf5ad45854d7f6d774e7e0c79707b55e14b36
SHA5122b515389a4172bd9f47aedaf58e00ff07a485217915a13c5e26e753dce57f486ffa8d63dedac8754eb80259c02186a5dc7c67aaab065b5441f4575272d83b687
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
323B
MD5328e46f9927c5cf7d6c0e82b2c2dd403
SHA1bb942ed0f6a14ffe750b441fe8beb8ad27bb45b3
SHA256b223d066c27ea4fbcad2947adbc3e78d4ab5bbae66a82d5ded675424fd998eb4
SHA5128c814b0569aa078e7e4eba13bd2170350428661bb34edd3813ad284ffb994a270a42d85bdd38e0bceae51827e5a5bad9b8a8bae7a0e53d59310972c01e968b55
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top SitesFilesize
20KB
MD5f44dc73f9788d3313e3e25140002587c
SHA15aec4edc356bc673cba64ff31148b934a41d44c4
SHA2562002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD5d6d0e1916ec921cf2ae631f354ff1789
SHA1a334ace6438ddc08ee0db8f7c67f2dac178047ac
SHA2567bc767d337865cf9b91877a6b4b421b92595e96f2c66d5d88b67989f778e9723
SHA512edb82ab5945695592a2bbeac74a6b13dd15eeac7d7a414df005eb8ca47ef787b55497e2e32d62daddfa5788a7593d7455d965999bb08dd434acdf77d91bb2886
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
44KB
MD54a14ee8cc17374150d7a3acff13a17d1
SHA1d2b99f880955f51e7bec2cf7d92d206eede8da50
SHA2564fa6bca874c53229392685f94c33101a4ab75e8d7e804fddd68ba43982c5532e
SHA512bc252512ca93b459a39c3578df5249cc6cf9204568c260101f62d066ada38f60d388bc985719fb5551d4b1c9d72f217162fa7737a53f74263b3b40d2799e025a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.logFilesize
187B
MD503daacf8a6c6bb1e2801b286588e9fac
SHA1fd9fc63b72d369cf2a7aa5304180e9354a846848
SHA256c4cdeac3e0244114c57b6fd65eb3f570393eef9a7beadfcf9535b4cb09ef4dd1
SHA512a7563e4470c6aff5e30634aaa39895963a183eabe5c16b7e2d63f023bf48f4652fb4acc3b6527fdd1feb50c016430867c04358661311715fd6c9363c16abc401
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOGFilesize
279B
MD59bc6f40c7ade9cdb797b8a8e5264a0cf
SHA132f71e4bea57357b959f7f151b0ca75ccaac4699
SHA25696b3fe22f96c02ba48c2367e285312aff6eb9d3ab500978d488249b1a421614a
SHA512ba7001f046d81233864b3f111ad21b4c6f4d415df98f9ab24562bfb6b1f8c87db0ef81f26af2b55f16c0391981cf999cabd643f7a88cf5edb5a07b20bccc554e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.logFilesize
560B
MD500888cdebb4ec9b5464462f5e1e8c590
SHA13598f355edfb6263a1815ad2a82d901e884d907e
SHA256460f91ea1076d272a30e711c6d75a10834c89c3358ba48f8798f42bf4ed85e5b
SHA51225c66057c9cc6ade5ab5830452f91503413618d183b3761b4c64ca026da5ec0f1af228fb029f51a4a58e3926c84143b0fca2f308572bec149aa05ef9feacefd1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOGFilesize
297B
MD540743a74968ee49ec9ec911a5b2dd28c
SHA1d9d311f0ac4abb86cd4ca13abcf14dadfaa7f69f
SHA256ae393f980fe47ec9dc89d96ed288ca3c438b593115fb8974e60232a4329ad2c7
SHA512145a3e5f5df1ed794c07aa976566b19fa71a2af638a5862f1285cc9c40f73a991675e1bbdcb086f9bdc0ec09281d1c3633cd7dd63dbaada56b70919e84531a68
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5c8596d69fd773d78976b2a78fa7563be
SHA1d0190d2621945dadec4cb76e41cdff8b6e104e86
SHA2564f1dcbbd1acdd779e2d7686701491b520b3df46b5d7a6b01c49a9da9794818f4
SHA512af7fdcc3c935cd61e0b9f8ea2a54afafa4e359d6cf75e190cc165c7269baffd4f1cf39c6ed8648014ad7eb82158a9bfed1011e1045ab0cbace7c4cbd3c6cf5ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5ac1942d5f1e64a450fb51d6aab750ff8
SHA101c680d96421ef28329e37dd3c68fd5e07fcba28
SHA25606fe580b2f6d98badb06783919a3220e456dd8bb235c5ec5c936be9f50b8a164
SHA5122942f1ace3b0d84ff36c0586a22850145be8245e5a4d48f0a6013691ecaf62659ea1136c6b819f16d25c4d8c0b9b32b9227dd68346c765624ae9fa2cf90107be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettingsFilesize
81B
MD5f222079e71469c4d129b335b7c91355e
SHA10056c3003874efef229a5875742559c8c59887dc
SHA256e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1Filesize
126KB
MD56698422bea0359f6d385a4d059c47301
SHA1b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA2562f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUrisFilesize
40B
MD50ab2b749877a4fe4586201c618821573
SHA1f506ff76a07f770896bde3fc8a26f02c7367005f
SHA2561b17147ac204d153ede4f58eff305e59f72c0a080f0487dd531b348e7750c81c
SHA51206cd587a8260ded84a26a024db30d41ab2d74dee46e4dabd46f53b7345943709b53e8d7547c850af85d897dcc534acf0686e9bfd7592aca7649d18d74bc03e45
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637993483835509352Filesize
4KB
MD5a99bb216924859e3d9f7b7d2e255abae
SHA110017eb5bc177a10a63c7a96b6354cb7085b6a09
SHA25604646b907928329cf418107a62255544dd78e45998920040883bf58dd77fbd72
SHA51262f8346acc0a466a86dd82b19c06584b8655d427a77e35063b924fcc4fe5ee5907d98bb67c0d4bd2d2450f4e7396157ffc09150fe809c715e1bd6251172c0b9a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTrafficFilesize
29B
MD5ce545b52b20b2f56ffb26d2ca2ed4491
SHA1ebe904c20bb43891db4560f458e66663826aa885
SHA256e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899
SHA5121ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684Filesize
450KB
MD5a7aab197b91381bcdec092e1910a3d62
SHA135794f2d2df163223391a2b21e1610f14f46a78f
SHA2566337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b
SHA512cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774
-
\??\pipe\LOCAL\crashpad_220_AZQXPGLYFDBZKFDSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4808_JPNFOYEBKRXWXZSCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_724_GWKEHUFZMPIVZRKBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/220-132-0x0000000000000000-mapping.dmp
-
memory/920-165-0x0000000000000000-mapping.dmp
-
memory/992-143-0x0000000000000000-mapping.dmp
-
memory/1048-181-0x0000000000000000-mapping.dmp
-
memory/1116-229-0x0000000000000000-mapping.dmp
-
memory/1116-245-0x0000000000000000-mapping.dmp
-
memory/1156-142-0x0000000000000000-mapping.dmp
-
memory/1452-156-0x0000000000000000-mapping.dmp
-
memory/1548-225-0x0000000000000000-mapping.dmp
-
memory/1660-243-0x0000000000000000-mapping.dmp
-
memory/1756-222-0x0000000000000000-mapping.dmp
-
memory/1812-216-0x0000000000000000-mapping.dmp
-
memory/2320-145-0x0000000000000000-mapping.dmp
-
memory/2464-164-0x0000000000000000-mapping.dmp
-
memory/2468-150-0x0000000000000000-mapping.dmp
-
memory/2480-162-0x0000000000000000-mapping.dmp
-
memory/2484-168-0x0000000000000000-mapping.dmp
-
memory/3088-241-0x0000000000000000-mapping.dmp
-
memory/3296-254-0x00007FFAD4A80000-0x00007FFAD5541000-memory.dmpFilesize
10.8MB
-
memory/3296-252-0x0000000000000000-mapping.dmp
-
memory/3296-253-0x000002704F810000-0x0000027050E14000-memory.dmpFilesize
22.0MB
-
memory/3296-260-0x00007FFAD4A80000-0x00007FFAD5541000-memory.dmpFilesize
10.8MB
-
memory/3404-160-0x0000000000000000-mapping.dmp
-
memory/3464-224-0x0000000000000000-mapping.dmp
-
memory/3672-235-0x0000000000000000-mapping.dmp
-
memory/3676-233-0x0000000000000000-mapping.dmp
-
memory/3760-249-0x0000000007080000-0x0000000007624000-memory.dmpFilesize
5.6MB
-
memory/3760-247-0x0000000000000000-mapping.dmp
-
memory/3760-251-0x0000000006B20000-0x0000000006B2A000-memory.dmpFilesize
40KB
-
memory/3760-250-0x0000000006B70000-0x0000000006C02000-memory.dmpFilesize
584KB
-
memory/3760-248-0x0000000000B40000-0x000000000216A000-memory.dmpFilesize
22.2MB
-
memory/3940-133-0x0000000000000000-mapping.dmp
-
memory/3976-220-0x0000000000000000-mapping.dmp
-
memory/3976-152-0x0000000000000000-mapping.dmp
-
memory/3988-154-0x0000000000000000-mapping.dmp
-
memory/4036-146-0x0000000000000000-mapping.dmp
-
memory/4284-259-0x0000000000000000-mapping.dmp
-
memory/4404-258-0x0000000000000000-mapping.dmp
-
memory/4420-231-0x0000000000000000-mapping.dmp
-
memory/4464-135-0x0000000000000000-mapping.dmp
-
memory/4564-191-0x0000000000000000-mapping.dmp
-
memory/4612-158-0x0000000000000000-mapping.dmp
-
memory/4624-169-0x0000000000000000-mapping.dmp
-
memory/4664-198-0x0000000000000000-mapping.dmp
-
memory/4776-246-0x0000000000000000-mapping.dmp
-
memory/4792-255-0x0000000000000000-mapping.dmp
-
memory/4808-134-0x0000000000000000-mapping.dmp
-
memory/4844-237-0x0000000000000000-mapping.dmp
-
memory/4856-239-0x0000000000000000-mapping.dmp
-
memory/5008-256-0x0000000000000000-mapping.dmp
-
memory/5024-227-0x0000000000000000-mapping.dmp
-
memory/5116-166-0x0000000000000000-mapping.dmp