Analysis
-
max time kernel
184s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-ja -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-ja locale:ja-jp os:windows10-2004-x64 system windows -
submitted
23-05-2024 02:32
Static task
static1
Behavioral task
behavioral1
Sample
test.msi
Resource
win10v2004-20240226-ja
General
-
Target
test.msi
-
Size
2.1MB
-
MD5
bfd00224b00b9f6f07f424f75cff6836
-
SHA1
2bf889bcc9b413cec07925bac78610391faecaad
-
SHA256
c6b1b984ea4cd7a1ac0c717afe91c3cc78bd2893f7e6a0ad661f7869d4289635
-
SHA512
eab303bd75a18948c7d2e0572f7ffbc1f9165972ec06163bd7e7274b3b743103b3d160d0c1d5b4a0d92735f34f6f6c6a5b9ec6e9c7fbc33494eaf18f564dbd90
-
SSDEEP
49152:p5yULiNbhfDc7yEq9WRhd9Itc71hE7T8XX5UpAH7uidqFWV63hTI97qjfAj:e05q2t7vGA5bkWkRTI9qjY
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 1 IoCs
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\Installer\e5b95b5.msi | msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{B12D4003-7480-4984-8438-170405F56C92} | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: msedge.exe, msiexec.exe
pid | process
4456 | msedge.exe
4456 | msedge.exe
4528 | msiexec.exe
4528 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: msiexec.exe
pid | process
1764 | msiexec.exe
1764 | msiexec.exe
1764 | msiexec.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=ja --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=856 --field-trial-handle=2008,i,6187163678980365832,2290078537353632866,262144 --variations-seed-version /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffdc92f2e98,0x7ffdc92f2ea4,0x7ffdc92f2eb0
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2236 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:2
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3136 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:3
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ja --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3320 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4360 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ja --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4616 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ja --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4364 --field-trial-handle=2240,i,12667931597607848844,13173202922954984161,262144 --variations-seed-version /prefetch:8
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads