Analysis
-
max time kernel
263s -
max time network
259s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 21:13
Static task
static1
Behavioral task
behavioral1
Sample
Application664a6b82cf275.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Application664a6b82cf275.zip
Resource
win10v2004-20240508-en
General
-
Target
Application664a6b82cf275.zip
-
Size
72.8MB
-
MD5
6f7a65d8cc1d73d6377b7796e5aaf3c7
-
SHA1
8481c8d4b7dfafe086ac85b1cdc1222034fa0b11
-
SHA256
4bc48b44a70845b1d9667fb7182f8fef848b821a9dbcff1c1de0cc9fc85bf2ed
-
SHA512
b9ea40abdb98e75b48878fe8f14bdb93a7959efdb4f105e19f63a7686886477366dc01d309ab54247705d0911ab3c47be78cb6bc4e51d10066605bc77ca87a86
-
SSDEEP
1572864:mTW0tA7ochJ2Kufe5YDIoBxeb/weegXjmCGnnvzew62iZf35M+AL2FGIq1UkP:mTW0C77XbX5Ykobe0ezXjXcv363K+SP
Malware Config
Extracted
stealc
default
http://147.45.47.71
-
url_path
/eb6f29c6a60b3865.php
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
setup.exelic.exeBWPNVJNXJU.exepid process 1324 setup.exe 2396 lic.exe 3964 BWPNVJNXJU.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exepid process 1340 msedge.exe 1340 msedge.exe 1960 msedge.exe 1960 msedge.exe 1048 identity_helper.exe 1048 identity_helper.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
7zFM.exepid process 5204 7zFM.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
msedge.exepid process 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
7zFM.exeAUDIODG.EXEdescription pid process Token: SeRestorePrivilege 5204 7zFM.exe Token: 35 5204 7zFM.exe Token: SeSecurityPrivilege 5204 7zFM.exe Token: SeSecurityPrivilege 5204 7zFM.exe Token: 33 3544 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3544 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
7zFM.exemsedge.exepid process 5204 7zFM.exe 5204 7zFM.exe 5204 7zFM.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe 1960 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
setup.exelic.exepid process 1324 setup.exe 2396 lic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup.exemsedge.exedescription pid process target process PID 1324 wrote to memory of 3964 1324 setup.exe BWPNVJNXJU.exe PID 1324 wrote to memory of 3964 1324 setup.exe BWPNVJNXJU.exe PID 1324 wrote to memory of 3964 1324 setup.exe BWPNVJNXJU.exe PID 1324 wrote to memory of 1960 1324 setup.exe msedge.exe PID 1324 wrote to memory of 1960 1324 setup.exe msedge.exe PID 1960 wrote to memory of 4088 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4088 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 5600 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 1340 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 1340 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe PID 1960 wrote to memory of 4236 1960 msedge.exe msedge.exe
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Application664a6b82cf275.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Application664a6b82cf275.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\setup.exe"C:\Users\Admin\Desktop\setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\CdEWFEWfeSgreWdw\BWPNVJNXJU.exeC:\CdEWFEWfeSgreWdw\BWPNVJNXJU.exe2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=UZfBnXM8WuY2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa1aa146f8,0x7ffa1aa14708,0x7ffa1aa147183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3532 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,6394546712808452100,2750553450630983240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:13⤵
-
C:\Users\Admin\Desktop\lic.exe"C:\Users\Admin\Desktop\lic.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2c0 0x4501⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\CdEWFEWfeSgreWdw\BWPNVJNXJU.exeFilesize
368KB
MD5d761ddd6b9e6480cf437df01d07ba26d
SHA10dcf98e4cf56e2f182d9a80bf1f5b82ba675ae38
SHA2565454cc245b35a3c1c6306965777c8bd88cfed4568b9b7e60830e33ff4bb4a2f9
SHA5121d976a4136f83c5c294ca4b224977fdcc5a276efb58412b84459ecc832f623eeac47f94bed9ef4eb89d3d5a9e5632034b1699807bb998953171edcb0adcd304c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
528B
MD5c144fe8af8cce80f0b53b0565dc966c7
SHA1d4d5fba8fbfb61dae38caad0120c75d396e791e6
SHA25604d8b79fee07bc6a244b9aa1373b0c26df8cbd1af65d87f0274065be90761159
SHA5121b33289f5055fcff54256a924bc6710b5f4b0d53f78b3db271fd313402379c85f33255374a5b045a5fa6648a3a54828a48cc33904b0bf143f003fa8580de273d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5fcad74c6a99e56567b145a0690883255
SHA1bea729a7b40bcef7178b160c0f419c235df82974
SHA256c8273c2e6fad75ffe9d30c77bb400abbde09966b194ae8a7a3d954deabd5397b
SHA5120e7148cb059f2d823eb3c1fbe359b4a2bd8c8621f671769479bf97d7df8a9207ee1963da3fad04a79fcb9559a725736f5527b591b01fff88aa58b94f6a35b5b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD55838d03e4335627051aec150a93064d8
SHA19873c544a1ffa327de61cd8e16c59f3434d1480b
SHA2569ed1d26a0bfb41765922255e16d2555c8cfc8f82e4a49c4e7e02210ecc2f3ca2
SHA512fd51978ff2900b85fc7a3b7366a8cb4d34843b85404af6a9a0aa23f51c644e50c915ae6301c7abffadc76c3c7c6fbcf5723259d1bf5ef4fa464cc6262fec1d84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f230a59fec6211969c81b13743961cce
SHA16af8f0103535728d3b5eae4324c3237313fc82d2
SHA256ddf5e14526f1534a4b6ebc9ab9818bc3758aa56cc01576520e51e8ab6fb5cc43
SHA512069d74597e3867246e5dc7a1442533de7bec1e7080d22168d9553f1e1c2ba680ffb74fb8ef11b4378dc8a24dbf4150319c396f1b3a6abdfdfe41051366d65841
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3269fd01-3226-4a85-ad8a-11ebf7d401d1\index-dir\the-real-indexFilesize
2KB
MD5f07905cdcabecaa7b91b07bb9c980966
SHA1351965a2ce8c190e1a68b94f7b8367c587863167
SHA256e57300d3f610ebe1a6a1c8c40c6704a890f1ed1c24e1d98da470ecddfa14330e
SHA51261082fc6cb40bb1610e87d74a3cacf76f703006868d0eca531809f6ed8a11708a6f550afdfd340dad08f0d4fc6bf98cb9aefb47002926f599317ef2804ef8c61
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3269fd01-3226-4a85-ad8a-11ebf7d401d1\index-dir\the-real-index~RFe5aa970.TMPFilesize
48B
MD5d1ae358fad5838439560f5fefd411b55
SHA1545faaedc5724bf0faad24aa14ade06ed840ade2
SHA25600cb4edf0d42310ad25bf5d48f9ccd5731580b0c4528983fc4a0da7343525eaf
SHA512476ca172b5df46db07bac9b61180ac293c839acd73cd2093be88bf6d7f5a99ae96339b61c5f42e5aeb514e5ee7a0a4fdf96b5f605994824899ae8efc9abc1c6d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD5369edebdf4c336b4b9dfe42e1d9821a8
SHA133ae83aa7c0ac44cc199fedbc6d54fe0d9fa8ad9
SHA256ac30de4749bf6fe61b334e5a480bd98a1e4c6eb505d85bf28b6a78613699745b
SHA512b16fa5baf01fa65e850a7dcd5b0c86b50c25528d70cfa5177ed70e6fe596c74b72c5e3cd90e8dc2c3d0ba6e9e645080b525ea60774f33603c879aac476a5f38b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD58a469aab50d82d56564f021f59b550a6
SHA1bb62ae29bd70ad42ca0af7e1db8ba47f682cd763
SHA256189f1058a4651bab790498d2ebd3dced735fe6ea9759ae428eed8a0cd4f72db1
SHA51287a66e593ceff174ad9240166202b8d6b8cc489427668e226e77061e33cd607f1cfa175ecaa4df487824328612327d20e274ba0cb81b7040744b1eac15d37c03
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
84B
MD5533c818638035c771f34f82631d36cc8
SHA1e078f9b95fa583ffcea528d63fe1bf242fb52183
SHA256602f8626bd55884324f2ed80abcddf16400ae55d088db5496aa65568ab205b8b
SHA5125256561bbde4d3456185f5e26d339b8db2c0a3e468f981dc7523642711f591c0f00a50d586ba36a1c7b2c21d14d29ad9729d5a88f0dcf29016568334c2653693
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD58fcada2512f40e1a78fac912e6de49cb
SHA1fbdc8ef9f7fda3e7a7a6b2b1e08e88acd53e206b
SHA256eaa6be246cd58dc93fe406c2bde2e1765db31cb113fd7b486c5cda9e8cb5ee57
SHA5124af0da7292774b7df49a5b9377b95d7071216f6464823c5480747093d28b342566eccbe83ce86dc3a82e09ef05b6043d1be94ccd01850dfbea9ba9d08b6fb2c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD5f43b5dc2658247e11740460a68bf65b7
SHA1c8b503511f3a0be6607c5d38d0d6cfdcb9d170fa
SHA2569a1de6e15c0dfab47ecf6bc0bcbfb5cc081c6e77ae7c8f87115e1a4635c5ced3
SHA5123d2c2db5597e62d9f092007d026216e42fbbdf559198ad818030a9ecf291651909c381fd9a50929c4fdbcc1ae98d58cd77ce2dc4d42acf1e52527a278dad3657
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a9f7d.TMPFilesize
48B
MD5c16f1166af9e2e4f4a94afa382b38133
SHA1e601a0df027b6be21086b3cea86aaa07ac7ed4fd
SHA2561771d957b102c7de3e8b75e350d2b466c1fa4e0004e1986d1d4a20d1ffa84ca7
SHA5122979910484ce273a48fd35217f7aaff3665cb0b88d39ba74cbc64e694ce51d9ccdfe53ac50194ad27ba609e2eeb2c2964f2156a19b79669cd0afab522799fdc8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD587f1a45c181c3acd0ce652a312f51f45
SHA1c73a8f2eca6ec6e8d29c8ec3c3dc0b319a0ee8c4
SHA25695c3163f6b154f78e76562e87bf4bfc89c6108860ec8331c1fc7e77ff0258fa7
SHA5121f22468e7804f4bf20472e8cd9318de0c402a800cd29da8def2830de1d00e35895f6a79245051824e3de545fab54e68f5321180bb0503f05874418b19f1bf28a
-
C:\Users\Admin\Desktop\data\data.datFilesize
1.2MB
MD5f2d3bcb9a38dfa4a90daccb9ca2a3b54
SHA17867f9902cd17d7af4e6a671a6e50c3dfd3ef9ad
SHA256f073ec203af3d6f8aeddcd8e0c2cc003009224fc3b3c5545eb3add89bcab0890
SHA512c3411d08305b6c46cfb1d1faa5e280e3a202859c54b2f4fa8383544085d8a13ec6ba2ff31bc8ba7719152ec5de9e03bc8170e73b04b9a76b54c9136ac8fe9186
-
C:\Users\Admin\Desktop\data\program.PNGFilesize
696KB
MD5a3d4494188555fd642820346806fd1d8
SHA153a37fb21d1fdc91cdea14721eeecac83cc2825c
SHA256ace20dad2b8ef82a5f8674afc8e9ca05f5f3f63efc798d66b43eb7124dc802ca
SHA512a4265bf8fb50fbdb1b13b3d03126b2ec354cbd4c0ee9baa51911700e1be73753f549b1a8cdace269b674afaab04b03f545a2a383f3fd8a0b7898b8498a4a25e4
-
C:\Users\Admin\Desktop\lic.exeFilesize
3.9MB
MD51e2d2f3f618279ed722045f6342793f6
SHA14b80a65885b4eb69fd6e240db592a8da8d7ad334
SHA256400a80b5166f7ad96f834fecea54ba07244ef90a40a9878ecf843c3e140f304c
SHA512dcec0fc10ba64fa47ea005fd9edc4b0396d613daba5723054e960766a3fa87b4dab06c522b200ab13dc135006f3f7adbb44c43c93fa9f0b2564c6d034dd41143
-
\??\pipe\LOCAL\crashpad_1960_IGBXYGQCIRIXXEDDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1324-122-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/1324-117-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/1324-119-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/1324-136-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/1324-115-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/1324-103-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/1324-124-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/1324-100-0x0000000000D60000-0x00000000034F0000-memory.dmpFilesize
39.6MB
-
memory/2396-114-0x0000000000400000-0x00000000007FB000-memory.dmpFilesize
4.0MB
-
memory/2396-148-0x0000000000400000-0x00000000007FB000-memory.dmpFilesize
4.0MB
-
memory/3964-113-0x00000000009D0000-0x0000000000C0B000-memory.dmpFilesize
2.2MB
-
memory/3964-108-0x00000000009D0000-0x0000000000C0B000-memory.dmpFilesize
2.2MB