Analysis
- max time kernel: 176s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-09-2022 09:53
Static task
static1
Behavioral task
behavioral1
Sample
MrsMajor3.0.exe
Resource
win10v2004-20220812-en
Errors
General
-
Target
MrsMajor3.0.exe
-
Size
22.1MB
-
MD5
41be05ddeba107c84bec48eaadb1b698
-
SHA1
e822d44f99418e1a4c97ead9d105277f1b0beeba
-
SHA256
c07cd03f19c84c065df380bd760bbfa8180429ea845837f12ea8a64f265e4358
-
SHA512
7a13a82de27d7d1eb9627a56c198166d724b5eb0e5b08545c7bc29838249323fd444916a5dbbd503c39a2db2aa2c598607278e8a129f99c984817e867a41f58b
-
SSDEEP
49152:3QEde0LgY0YPAb/ArM7WzgEhDpYNnCAGTtaha+OGA+dZDBlF26COKn1F/ufwTRra:3Qz+04D+i4DBz2NHlruSSDll
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: MrsMajor3.0.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | MrsMajor3.0.exe
-
Processes: MrsMajor3.0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MrsMajor3.0.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: MrsMajor3.0.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | MrsMajor3.0.exe
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes: MrsMajor3.0.exe, MrsMajor3.0.exe
pid | process
3760 | MrsMajor3.0.exe
3296 | MrsMajor3.0.exe
-
Possible privilege escalation attempt 2 IoCs
Processes: icacls.exe, takeown.exe
pid | process
5008 | icacls.exe
4792 | takeown.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: MrsMajor3.0.exe, MrsMajor3.0.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | MrsMajor3.0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | MrsMajor3.0.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes: takeown.exe, icacls.exe
pid | process
4792 | takeown.exe
5008 | icacls.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: msedge.exe, msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Processes: MrsMajor3.0.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MrsMajor3.0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MrsMajor3.0.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: MrsMajor3.0.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\wlp.tmp" | MrsMajor3.0.exe
-
Drops file in Program Files directory 2 IoCs
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d5e560aa-5dd5-4056-8e95-285e03425ca1.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220921115448.pma | setup.exe
-
Drops file in Windows directory 6 IoCs
Processes: MrsMajor3.0.exe
description | ioc | process
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | MrsMajor3.0.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | MrsMajor3.0.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs | MrsMajor3.0.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur | MrsMajor3.0.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\ui65.exe | MrsMajor3.0.exe
File opened for modification | C:\windows\winbase_base_procid_none\secureloc0x65\logonuiOWR.exe | MrsMajor3.0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: msedge.exe, msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies Control Panel 7 IoCs
Processes: MrsMajor3.0.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Cursors\No = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | MrsMajor3.0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | MrsMajor3.0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | MrsMajor3.0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | MrsMajor3.0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | MrsMajor3.0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Cursors\Crosshair = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | MrsMajor3.0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Cursors\IBeam = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | MrsMajor3.0.exe
-
Modifies data under HKEY_USERS 15 IoCs
Processes: LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "169" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
-
Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
-
NTFS ADS 1 IoCs
Processes: msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 294997.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process
992 | msedge.exe
992 | msedge.exe
4036 | msedge.exe
4036 | msedge.exe
220 | msedge.exe
220 | msedge.exe
2484 | identity_helper.exe
2484 | identity_helper.exe
4564 | msedge.exe
4564 | msedge.exe
724 | msedge.exe
724 | msedge.exe
1548 | identity_helper.exe
1548 | identity_helper.exe
4776 | msedge.exe
4776 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes: msedge.exe, msedge.exe
pid | process
220 | msedge.exe
220 | msedge.exe
220 | msedge.exe
220 | msedge.exe
220 | msedge.exe
724 | msedge.exe
724 | msedge.exe
724 | msedge.exe
724 | msedge.exe
724 | msedge.exe
724 | msedge.exe
724 | msedge.exe
724 | msedge.exe
724 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: AUDIODG.EXE, shutdown.exe
description | pid | process
Token: 33 | 1668 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1668 | AUDIODG.EXE
Token: SeShutdownPrivilege | 4284 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 4284 | shutdown.exe
-
Suspicious use of FindShellTrayWindow 22 IoCs
Processes:
msedge.exemsedge.exepid process 220 msedge.exe 220 msedge.exe 220 msedge.exe 220 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe 724 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: LogonUI.exe
pid | process
1868 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes: MrsMajor3.0.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MrsMajor3.0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=MrsMajor3.0.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffada0446f8,0x7ffada044708,0x7ffada0447183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5816 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6d35a5460,0x7ff6d35a5470,0x7ff6d35a54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5361534664558065115,3751211244511117593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=MrsMajor3.0.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x9c,0xfc,0x100,0xf8,0x104,0x7ffada0446f8,0x7ffada044708,0x7ffada0447183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2123672224670728089,17418630023104183920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2123672224670728089,17418630023104183920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffada0446f8,0x7ffada044708,0x7ffada0447182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4224 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5276 /prefetch:8 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6464 /prefetch:8 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6896 /prefetch:8 (depth 2)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:8 (depth 2)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\MrsMajor3.0.exe "C:\Users\Admin\Downloads\MrsMajor3.0.exe" (depth 2)
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe "C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe" (depth 3)
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
-
C:\windows\system32\takeown.exe "C:\windows\system32\takeown.exe" /f C:\ (depth 4)
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\windows\system32\icacls.exe "C:\windows\system32\icacls.exe" C:\ /granted "Admin":F (depth 4)
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\shutdown.exe "C:\Windows\System32\shutdown.exe" /r /t 00 (depth 4)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,18422444512716467645,9403018566815803993,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8 (depth 2)
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding (depth 1)
-
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x498 0x4c4 (depth 1)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3943055 /state1:0x41c64e6d (depth 1)
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads