Analysis
- max time kernel: 138s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-04-2024 14:42
Static task: static1
Behavioral task: behavioral1
- Sample: 7ec2e77211e97af72575872b8cc081a5.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 7ec2e77211e97af72575872b8cc081a5.exe
- Resource: win10v2004-20240412-en
General
- Target: 7ec2e77211e97af72575872b8cc081a5.exe
- Size: 3.9MB
- MD5: 7ec2e77211e97af72575872b8cc081a5
- SHA1: 6bb22149e38bc7d5b97dc36027256a8ef7c83081
- SHA256: fcc68f6e41b44762bd7e9ce1213b366ee10790b5b0e668a8f74d050a36fdfd1f
- SHA512: 60d60f7daf3ca2e3cce69e24220b248ee88a7b110252df10086fba10feb0f5a6bbaddbdcf6e099e244706b57a0823528dba0bbc5c141b22fa912d82b9795dfbc
- SSDEEP: 49152:JYQ9p/TMILu3UAJvYIJ7PBJw47z1CgFd5Tn3ZhNvhpR1aMo2IHT:Bpgt3ZvhpR1a5HT
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 7ec2e77211e97af72575872b8cc081a5.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ec2e77211e97af72575872b8cc081a5 = "\"C:\\Users\\Admin\\7ec2e77211e97af72575872b8cc081a5.exe\"" (process: 7ec2e77211e97af72575872b8cc081a5.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Process: 7ec2e77211e97af72575872b8cc081a5.exe
  PID 2820 set thread context of 864 (process: 7ec2e77211e97af72575872b8cc081a5.exe, target process: aspnet_wp.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: msedge.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: powershell.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid/process: 2768 powershell.exe (x2), 4372 msedge.exe (x2), 4060 msedge.exe (x2), 2072 identity_helper.exe (x2), 4392 msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Process: msedge.exe
  pid/process: 4060 msedge.exe (x9)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: powershell.exe
  Token: SeDebugPrivilege (pid 2768, process: powershell.exe)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Process: msedge.exe
  pid/process: 4060 msedge.exe (x25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Process: msedge.exe
  pid/process: 4060 msedge.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 7ec2e77211e97af72575872b8cc081a5.exe, aspnet_wp.exe, msedge.exe
  Distinct rows (64 entries in total; every row below is repeated, the msedge.exe -> msedge.exe rows many times):
  PID 2820 wrote to memory of 2768 (process: 7ec2e77211e97af72575872b8cc081a5.exe, target process: powershell.exe)
  PID 2820 wrote to memory of 864 (process: 7ec2e77211e97af72575872b8cc081a5.exe, target process: aspnet_wp.exe)
  PID 864 wrote to memory of 4060 (process: aspnet_wp.exe, target process: msedge.exe)
  PID 4060 wrote to memory of 1220 (process: msedge.exe, target process: msedge.exe)
  PID 4060 wrote to memory of 3872 (process: msedge.exe, target process: msedge.exe)
  PID 4060 wrote to memory of 4372 (process: msedge.exe, target process: msedge.exe)
  PID 4060 wrote to memory of 4904 (process: msedge.exe, target process: msedge.exe)
Processes (tree; [n] is the nesting depth reported by the sandbox, command lines as executed)
- [1] "C:\Users\Admin\AppData\Local\Temp\7ec2e77211e97af72575872b8cc081a5.exe"
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    signatures: Suspicious use of WriteProcessMemory
    - [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8e6c46f8,0x7fff8e6c4708,0x7fff8e6c4718
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
        signatures: Suspicious behavior: EnumeratesProcesses
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
        signatures: Suspicious behavior: EnumeratesProcesses
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,13357564277348803882,4452430507543626755,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
        signatures: Suspicious behavior: EnumeratesProcesses
    - [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8e6c46f8,0x7fff8e6c4708,0x7fff8e6c4718
- [1] C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (264B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (437B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity (371B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b3cf.TMP (371B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwsl4v2e.lku.ps1 (60B)
- \??\pipe\LOCAL\crashpad_4060_RJBTSOMEAQRZKTDI (named pipe, no size reported)
- memory/864-17-0x0000000140000000-0x00000001400A2000-memory.dmp (648KB)
- memory/2768-0-0x000001E246910000-0x000001E246932000-memory.dmp (136KB)
- memory/2768-15-0x00007FFF7E6C0000-0x00007FFF7F181000-memory.dmp (10.8MB)
- memory/2768-12-0x000001E244890000-0x000001E2448A0000-memory.dmp (64KB)
- memory/2768-10-0x00007FFF7E6C0000-0x00007FFF7F181000-memory.dmp (10.8MB)
- memory/2768-11-0x000001E244890000-0x000001E2448A0000-memory.dmp (64KB)