Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 15:26
General
-
Target
https://www.mediafire.com/file/fo2c3qdonwtm9t2/ShowPop.zip/file
Malware Config
Extracted
redline
194.26.232.43:20746
Signatures
-
Detect ZGRat V1 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 37 IoCs
-
Suspicious behavior: EnumeratesProcesses 61 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/fo2c3qdonwtm9t2/ShowPop.zip/file1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe902246f8,0x7ffe90224708,0x7ffe902247182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5600 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6608 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6184 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6000 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2124,12927997041354392944,10769054924681699368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ShowPop\PopShow\" -ad -an -ai#7zMap11357:92:7zEvent257521⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV1.exe"C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV1.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IncMoreV2.exe.logFilesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.logFilesize
2KB
MD5e34b053c93dcb4160094249280888117
SHA1bd7cd93042c200c5fb012bccf3cd9f72d7e79cef
SHA2562bc71ddd63acfb9d101892e29033c75b4023727e1cadc489ecb2421c1960eaa8
SHA512f8753ec3f9f413e1fac84caa1905509a978dfc63211dcd0a889a4283840ae2e6e9101e1f7ee7d582acc5e0ae722fdab8f6047aa02cee28869a094b4f494897f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024Filesize
502KB
MD5add520996e437bff5d081315da187fbf
SHA12e489fe16f3712bf36df00b03a8a5af8fa8d4b42
SHA256922b951591d52d44aa7015ebc95cab08192aa435b64f9016673ac5da1124a8b4
SHA5122220fa232537d339784d7cd999b1f617100acdea7184073e6a64ea4e55db629f85bfa70ffda1dc2fd32bdc254f5856eeeb87d969476a2e36b5973d2f0eb86497
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD52f6ef0fb340476c1b0760078ac99c503
SHA1ec8f94f77ea606c06afa44c3b1983c46b046a16e
SHA256bbe5f9775188fb50f3f969235df3872fe3acb35026e713d98325acbe7dda5650
SHA51224da5f239769a07f0a285710cf0a90d753bc209758fab60253d097aa5bc29a628d976718db857b72643f36d99779831142ef8aeee4baa8c5f6231ec9664c78fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD582a88853fa9bfab173248b9709c87085
SHA1cfc0405dda08241a840e62ce5dab51910f0c46d2
SHA256f342c1db04ee06ea7148011b143fbbd627de6e67c990341465bdd5e8d19ff61a
SHA512b5a62ee4663b25fd0bc2eaaa7d573af4e255eb83161b9c5ea125330605dc6c9378443e48d373c2077d264aa1ee22851fd6ef724dd4af62edfbfcdeefe74e6455
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
32KB
MD553ad1f54976f4558c7e79c475ed7a147
SHA1e2613a5bdf037230d35d4c54310a442732e8508d
SHA256d37b33b3a0b223c6c2db7931f1963c30a3f04f76387287ce762e2b582011b68f
SHA512b169b8ecdfb0da7fe7113cca1bb0f754bd1e40820b756947b798abb5cabdb232f392bf9743a7feed574ff11f974a116cf84f4c1922884bf638b10693eb99c6d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD560ba630adc33d6f9c4c46d9a137468fa
SHA1d6b39715551f8cab1efcf132f3b9cc201fc9a786
SHA2565a8eaae59164d424db87028787fc33dc1832a4b73bbfae16a52e8e83770a2fb8
SHA51298d3d9e7bd5fc67910a70ae85619455e81b4fea109d895451bdcce60f4262d80afae8c9d071ca277e4dc86efe5a8452a3a06410f3f323b6be17ca15905f5cd42
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5c397f5a6060f8842d3b79a2de49cfa3a
SHA11ba258aec085e21d2aaa24395ae5996fd7bb4ec7
SHA2569c67f630342d0a5549462704785554bdcb3c901597c7c9fead12427aa3fe89b2
SHA5127dd93203a2056ed19973696ab73d22d15834a6ec2316bf4411c2e2f1ccabe7c9adc79d866abca4a00a4d0183c0244317c73d62fa6f66b5dfa97cda49667dfb76
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD5ec26c37cbb596ffd26adc8b290b98138
SHA1b58aa292ac2aaa3f711b9ba047dbd056097a91dd
SHA2560c78aab1e67d56dde62513286e38410cbc5e45527ce11a1ea2fa9a88b2bbff62
SHA512c8a0c6eb526b3821c3117689d4fbafad64c924acd5e59d98bad634fe72292256081c7e45e7d6acfd7b4f64749c40679065b51265e16935d92be9f702cbad3a2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD5c2840f1f82f2358f1d4416f8412f1508
SHA15d5acb6d9e852d676b8e24756c32fcd6c45a5b84
SHA2567c09b3e48083bba6854d7ed0dcece741972622e7547387690befe43bc82bcb55
SHA512a6baffe6426532c79c6918ce87dcd248bad9efd4309f6e6d64e71aa188dd7e9ef41d749c9886cce80c6e3d78d1d5c9de86e898a711dcdd5b7c39368992e9d93b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD5026179481ad696141dace55012b2f675
SHA1ad38f1e6158288ca4a1116d8570cc048f3217b44
SHA2568a2857ea2b45b8106f807850a5d6ef23f7495590aae590b57b7da696f95efd33
SHA512d168935413b833b694e86e61f28df73362cacc33f17829f615550b768725ecd8e3da56366c1d7d142792b12613f2b20ff5bef67e83e4f137a09873376570e540
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c796.TMPFilesize
48B
MD50c2547bc62776ed1ce00026813c63fc4
SHA1eacb00927fb326fe71325252462d52f3e89e72f3
SHA2568c37baddcf8a428841b39d8b99834d7b1e64b70bfb7da13df4047f8f64a2a43c
SHA51278efbfad92760db2e768ebe670e486fc9d0d733fce33ffe064d0cdf29f525ae84e752308174b7b03e8900d56bad1756e277b0346192b9f6558f63a1ac10bf961
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD58d7c5932d515a27b6cdfdf8e9b7cc1ea
SHA1f5034b7e9adf8a8afb51fd74fe457907cfe75a00
SHA256ae1e73f91d03e59c82fb366dd252e971822bb01b67967826496ffc3c76f5c742
SHA51220890bd5f5ab800682b631ed8f4036f36983a36e547fe9743ffd4d5b0e41d410f48c3a0695ca1e9b7407a0005c80ddcc0c595747c6dd15240b394b98269478da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579e53.TMPFilesize
1KB
MD56722515e138c7064bf2d5379e11564a6
SHA1ef39a631223d9916adb8b4e050c0a1df87afa7fc
SHA256dd92c9207b66781fa2862fb538693568f9d8f150ff0324d6134c458b47e6fcde
SHA512c14d95a444c8556d1ff0c925eed324d47e1dcaddf7938efdd7fecaa984a5f1974b2cdbf14e599709febc37a29134a7c82c45874742d560308035715e8902b7f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD57d6588f0a89038a58dfb582468aa448a
SHA150688dcb45a1e27d8a40471e3a9b2a05742d0d80
SHA256e3cac0d005c741758798b034a127e527dee6052ce1aa7e1501f9c1217601fd84
SHA51225cfa33301ad9edfef7d307e833e817de3dd12aa013885950dc70088bedc731e485545168f42ef5ba44647ee200949bb0cc6daa637f96959712e13909d798372
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50e2882412d828e156508b43f75bea032
SHA16a389baf7856dbb8782a047b17cf416521a930b7
SHA256701d62c244fb7e830051951ff9c7cd2e53e8310517b3d2c8f065075cc4ce0f64
SHA512c68195dcc519b2a82edc775afb3fa9f1a9a0373379e984f7ec6bfa9d4d4e75e85d5a69f786b817b35226516d8c75a3f8d6e14a9f89f99b819c4c50683940af1b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD542373a7ca043af988952f155ce5b914b
SHA1a136c946a42e9a7c1b6f907f7591d63f5246ad5d
SHA2568d1bfedd61c0b3c7efefc81462de8ebf77e24e4415e41522ebfbb5af3a7ea5cf
SHA512a4e740ca58a45d791021b7abb6033444e59fcdb872a34e6671d9c2bf97e9ebd4ec399523bcf5a9843f78f64dc031d9a12709a56b3045c935b96c003738014ab7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD549a8008d83877c00784175a19acd8d87
SHA126ff5a881cbcd544610618aec0401873ffb9a7d7
SHA256b3e2b976ff764063acc06893a682db7fc0599db8b5319759a24b2e410b59314c
SHA5127815f69977ca5e33a0d2e3b6d53c4d59881ffc16d76e030ab533b7c09f208410d3f6797b5249b09d7d0d28b0395c2073b4575ddc974def10baa8dffc36ee81e3
-
C:\Users\Admin\AppData\Local\Temp\Tmp2DC2.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
10KB
MD5ad7841727c8cd0fde23ae02c70879ccb
SHA12e56cb3be72bc58539b509371f961262beed70e1
SHA2569885ec577500c8b337c61fe5f6e1af352aa10494b6954efdb07f7f73cbc9c991
SHA51289dc61e2df37d77518409e4a1750cbd33d007ce41b8efcff5b46e904b91eec6f52a71dd839ea5adb80fed3990389274d38d4631a5fb07882eb94a65598d4d974
-
C:\Users\Admin\AppData\Roaming\d3d9.dllFilesize
399KB
MD520f5b4bc6124662b3c4f3705859f5b74
SHA1ca131bc8dbf513b54620c49ff881b16cda09f034
SHA256ec2b3e731921dfd83bc9838c1bd3bd939c40afe67012e70b3c9ff550b2fe3759
SHA512fae5e630468169c08beabcd033e1274faf68421921cd76135ef2fc73c5ce05b8d426690af32e08c14d8824a82b111a762f080c6993a1894cb7f5529fc0553257
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD580a2199b1c48e2ce026cae43c187913e
SHA12d1f1e3a0db74fcaed0c7f87f01f01c1a698d4ac
SHA2563d9ba2b22473b568877d8d1f5f2dee947c72a179487483637e802396eae5de01
SHA5126ad15a2e05b7264c4cf6149b6801519c8d5ee8914ca0146ba19a9826d0ea52bb00206c645a6a8abb98db0deb7e522263096d1ca59407c2cc1838810c2343dcc0
-
C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV1.exeFilesize
1.0MB
MD5bac3bc3d1851501c03f064b5690081ee
SHA1f6e48ac8241579352a9e48a433485e3962f39e54
SHA256aa019b3fd8a1eeebd7a149eb7fe73345b667e334813bdc6033db52bf671ad04b
SHA51257e39ab8c6ea4611e70832d606bae80e969e0703437b447566dad52facd47ea9962769748effc0800fb07734c7da4ea9162e40ec158d6d286dd07ccc4267e4d8
-
C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exeFilesize
841KB
MD59688ab34aba493dfad34e3424d1811cb
SHA1ce060a74674fc9930eef50365fc1acbb781f14de
SHA2569f5cfb681b239d6f95b34463fd709df372ad803ebdbdca2105bf17869e6cd1e2
SHA512099883596e799a998586ef11f36813f798d4a65fa51c4afc8757e573cc0a07c69131e936bff139bff9786927c24ff1c105635680859443081a1b6cbba2375621
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD5729f5b9f06250c18a19e38287581718a
SHA1dd6af1e08ee6f6086e922e65bd311b39f3bd794f
SHA256ed9347520afba3cf136fa4f2754f6b05d8f942820ff58fcdf37479269a99f2b7
SHA512f27a0739cec51c2931c559666fa683231c3ebf28c11b4e70aadc0eed6cdb211b513c1a97ac723d4f7b500b2d35e369ac5a07115adc65ee42bd9eaa77ee20782b
-
\??\pipe\LOCAL\crashpad_412_PWSJJJHFRTFYZEULMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1844-979-0x0000000000400000-0x0000000000472000-memory.dmpFilesize
456KB
-
memory/1844-1010-0x00000000086B0000-0x00000000086FC000-memory.dmpFilesize
304KB
-
memory/3756-914-0x00000000066F0000-0x00000000067FA000-memory.dmpFilesize
1.0MB
-
memory/3756-892-0x0000000004F20000-0x0000000004F2A000-memory.dmpFilesize
40KB
-
memory/3756-917-0x0000000006800000-0x000000000684C000-memory.dmpFilesize
304KB
-
memory/3756-915-0x0000000006630000-0x0000000006642000-memory.dmpFilesize
72KB
-
memory/3756-913-0x0000000006BA0000-0x00000000071B8000-memory.dmpFilesize
6.1MB
-
memory/3756-954-0x0000000006940000-0x00000000069A6000-memory.dmpFilesize
408KB
-
memory/3756-957-0x0000000006B40000-0x0000000006B90000-memory.dmpFilesize
320KB
-
memory/3756-958-0x0000000007690000-0x0000000007852000-memory.dmpFilesize
1.8MB
-
memory/3756-959-0x0000000007D90000-0x00000000082BC000-memory.dmpFilesize
5.2MB
-
memory/3756-910-0x0000000006560000-0x000000000657E000-memory.dmpFilesize
120KB
-
memory/3756-909-0x0000000005DB0000-0x0000000005E26000-memory.dmpFilesize
472KB
-
memory/3756-888-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/3756-890-0x0000000005580000-0x0000000005B24000-memory.dmpFilesize
5.6MB
-
memory/3756-891-0x0000000004FD0000-0x0000000005062000-memory.dmpFilesize
584KB
-
memory/3756-916-0x0000000006690000-0x00000000066CC000-memory.dmpFilesize
240KB
-
memory/5092-881-0x0000000000CD0000-0x0000000000DAC000-memory.dmpFilesize
880KB
-
memory/5092-882-0x0000000003100000-0x0000000003106000-memory.dmpFilesize
24KB
-
memory/5176-978-0x0000000000B10000-0x0000000000B11000-memory.dmpFilesize
4KB
-
memory/5176-980-0x0000000000B10000-0x0000000000B11000-memory.dmpFilesize
4KB
-
memory/5676-972-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-971-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-970-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-976-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-975-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-966-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-965-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-964-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-973-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB
-
memory/5676-974-0x0000028461160000-0x0000028461161000-memory.dmpFilesize
4KB