Analysis
- max time kernel: 145s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2024 11:27
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://shorturl.at/oCDW1
- Resource: win10v2004-20240226-en
General
- Target: https://shorturl.at/oCDW1
Malware Config
Signatures
Drops file in System32 directory 11 IoCs
Processes: svchost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx (svchost.exe)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: msedge.exe, WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies registry class 3 IoCs
Processes: mspaint.exe (three instances, same entry for each)
- Key created: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings (mspaint.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
- PID 2452: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: msedge.exe, identity_helper.exe, mspaint.exe
- PID 1088: msedge.exe
- PID 1892: msedge.exe
- PID 3992: identity_helper.exe
- PID 3880: mspaint.exe
- PID 4832: mspaint.exe
- PID 3544: mspaint.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: OpenWith.exe
- PID 5016: OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: msedge.exe
- PID 1892: msedge.exe (repeated entries collapsed)
Suspicious use of FindShellTrayWindow 26 IoCs
Processes: msedge.exe
- PID 1892: msedge.exe (repeated entries collapsed)
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
- PID 1892: msedge.exe (repeated entries collapsed)
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: mspaint.exe, OpenWith.exe, WINWORD.EXE
- PID 3880: mspaint.exe
- PID 4832: mspaint.exe
- PID 4936: OpenWith.exe
- PID 512: OpenWith.exe
- PID 3544: mspaint.exe
- PID 5016: OpenWith.exe
- PID 2452: WINWORD.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe (repeated entries collapsed)
- PID 1892 (msedge.exe) wrote to memory of 2232 (msedge.exe)
- PID 1892 (msedge.exe) wrote to memory of 4680 (msedge.exe)
- PID 1892 (msedge.exe) wrote to memory of 1088 (msedge.exe)
- PID 1892 (msedge.exe) wrote to memory of 4876 (msedge.exe)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://shorturl.at/oCDW1
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff974f446f8,0x7ff974f44708,0x7ff974f44718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4880 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,438680291307919643,988174084554790165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x508 0x504
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectRegister.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectRegister.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnprotectRegister.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads