Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 02:08
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
quasar
3.1.5
SeroXen
chinese-golden.gl.at.ply.gg:44086
$Sxr-8pC7X2mG070btopC86
- encryption_key: X7DsXqksH10Qr4Gz4fsk
- install_name: HAHAHAHAHA LMAOO.exe
- log_directory: Logs
- reconnect_delay: 1000
- startup_key: Svhost
- subdirectory: SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 46326.crdownload | family_quasar
behavioral1/memory/3760-279-0x00000000009C0000-0x0000000000A2C000-memory.dmp | family_quasar
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
3760 | Sxr_Installer.bat
4624 | HAHAHAHAHA LMAOO.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
84 | ip-api.com
-
Drops file in System32 directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe | Sxr_Installer.bat
File opened for modification | C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe | Sxr_Installer.bat
File created | C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe:SmartScreen:$DATA | Sxr_Installer.bat
File opened for modification | C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe | HAHAHAHAHA LMAOO.exe
File opened for modification | C:\Windows\SysWOW64\SubDir | HAHAHAHAHA LMAOO.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
872 | schtasks.exe
6112 | SCHTASKS.exe
2344 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 46326.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
5096 | msedge.exe
3932 | msedge.exe
6020 | identity_helper.exe
636 | msedge.exe
2444 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid | process
3932 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3760 | Sxr_Installer.bat
Token: SeDebugPrivilege | 4624 | HAHAHAHAHA LMAOO.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
pid | process
3932 | msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process
3932 | msedge.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4624 | HAHAHAHAHA LMAOO.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3932 wrote to memory of 980 | 3932 | msedge.exe | msedge.exe
PID 3932 wrote to memory of 5316 | 3932 | msedge.exe | msedge.exe
PID 3932 wrote to memory of 5096 | 3932 | msedge.exe | msedge.exe
PID 3932 wrote to memory of 3768 | 3932 | msedge.exe | msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/R4t-Cra4ck3r/SeroXen_Cr4ck
Depth: 1
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3932
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a4f946f8,0x7ff9a4f94708,0x7ff9a4f94718
Depth: 2
PID: 980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:22⤵PID:5316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
Depth: 2
- Suspicious behavior: EnumeratesProcesses
PID: 5096
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
Depth: 2
PID: 3768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
Depth: 2
PID: 4636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
Depth: 2
PID: 3616
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
Depth: 2
PID: 3240
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
Depth: 2
- Suspicious behavior: EnumeratesProcesses
PID: 6020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5112 /prefetch:8
Depth: 2
PID: 3852
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
Depth: 2
PID: 5124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
Depth: 2
- Suspicious behavior: EnumeratesProcesses
PID: 636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
Depth: 2
PID: 3024
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
Depth: 2
PID: 624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
Depth: 2
PID: 1136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
Depth: 2
PID: 1656
-
C:\Users\Admin\Downloads\Sxr_Installer.bat
"C:\Users\Admin\Downloads\Sxr_Installer.bat"
Depth: 2
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID: 3760
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Sxr_Installer.bat" /rl HIGHEST /f
Depth: 3
- Creates scheduled task(s)
PID: 872
-
C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe
"C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe"
Depth: 3
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4624
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Svhost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\HAHAHAHAHA LMAOO.exe" /rl HIGHEST /f
Depth: 4
- Creates scheduled task(s)
PID: 2344
-
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Sxr_Installer.bat" /tr "'C:\Users\Admin\Downloads\Sxr_Installer.bat'" /sc onlogon /rl HIGHEST
Depth: 3
- Creates scheduled task(s)
PID: 6112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,3667120229084542520,16475377441034271640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2444
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID: 1200
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID: 5612
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
Depth: 1
PID: 1528
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3f5fad5f-205e-4544-aee1-56a788c2e1f1.tmp
Filesize: 6KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 579B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
-
C:\Users\Admin\Downloads\Unconfirmed 46326.crdownload
Filesize: 409KB
MD5: 9eaba1c208b8e7a0c94c109e60c5b113
SHA1: a602439a57a44287dff1d980d2c959c0d934a9e4
SHA256: ab6f4a4fa9bbdf8d9461023a2819b76b07d93e7d31e9d97a490f8ed4c0c0dccc
SHA512: 625363f1203596200cd6fdc7c9f9ce8b6af0634299dc750f490305822385d8915981c8c7a162588959dbf000a7d8b4af8d61352fd84a176207c592ded2f87fa6
-
\??\pipe\LOCAL\crashpad_3932_XQUZPIJWBBIOOUFK
-
memory/3760-280-0x0000000005860000-0x0000000005E04000-memory.dmp
Filesize: 5.6MB
-
memory/3760-279-0x00000000009C0000-0x0000000000A2C000-memory.dmp
Filesize: 432KB
-
memory/3760-281-0x0000000005350000-0x00000000053E2000-memory.dmp
Filesize: 584KB
-
memory/3760-282-0x0000000005400000-0x0000000005466000-memory.dmp
Filesize: 408KB
-
memory/3760-283-0x0000000006010000-0x0000000006022000-memory.dmp
Filesize: 72KB
-
memory/3760-284-0x0000000006550000-0x000000000658C000-memory.dmp
Filesize: 240KB
-
memory/4624-292-0x0000000006D60000-0x0000000006D6A000-memory.dmp
Filesize: 40KB