Analysis
max time kernel: 268s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 11:45
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://minrcx.com/external/TsKecsKM-018f9fef-5bd5-2241-5c1e-cdcfd5caae7c-9N9KqD0P/download
Resource: win10v2004-20240508-en
General
Target: https://minrcx.com/external/TsKecsKM-018f9fef-5bd5-2241-5c1e-cdcfd5caae7c-9N9KqD0P/download
Malware Config
Extracted
asyncrat
1.0.7
CPA
5.253.84.218:54657
DcRatMutex_qwqdanchun
delay: 1
install: false
install_folder: %AppData%
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe, reg.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeData.dll,EntryPoint" (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeData.dll,EntryPoint" (process: reg.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes: 2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe, 2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe
- PID 4172 set thread context of 4116 (pid: 4172, process: 2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe, target process: csc.exe)
- PID 1376 set thread context of 956 (pid: 1376, process: 2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe, target process: csc.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
Modifies registry class 1 IoCs
Processes: msedge.exe
- Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings (process: msedge.exe)
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, msedge.exe
- pid 1652, process msedge.exe
- pid 896, process msedge.exe
- pid 436, process identity_helper.exe
- pid 4004, process msedge.exe
- pid 4636, process msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes: msedge.exe
- pid 896, process msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: csc.exe
- Token: SeDebugPrivilege (pid: 4116, process: csc.exe)
Suspicious use of FindShellTrayWindow 34 IoCs
Processes: msedge.exe
- pid 896, process msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
- pid 896, process msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
- PID 896 wrote to memory of 2652 (pid: 896, process: msedge.exe, target process: msedge.exe)
- PID 896 wrote to memory of 1384 (pid: 896, process: msedge.exe, target process: msedge.exe)
- PID 896 wrote to memory of 1652 (pid: 896, process: msedge.exe, target process: msedge.exe)
- PID 896 wrote to memory of 4924 (pid: 896, process: msedge.exe, target process: msedge.exe)
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://minrcx.com/external/TsKecsKM-018f9fef-5bd5-2241-5c1e-cdcfd5caae7c-9N9KqD0P/download
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85d2746f8,0x7ff85d274708,0x7ff85d274718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2580 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\rundll32.exe (depth 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe (depth 1)
"C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe"
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f & exit
-
C:\Windows\SysWOW64\reg.exe (depth 3)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f
- Adds Run key to start application
-
C:\Windows\system32\NOTEPAD.EXE (depth 1)
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\1099Misc.inf
-
C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe (depth 1)
"C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe"
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2)
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f & exit
-
C:\Windows\SysWOW64\reg.exe (depth 3)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 264B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 505B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
-
C:\Users\Admin\Documents\ChromeData.dll
Filesize: 930.4MB
-
\??\pipe\LOCAL\crashpad_896_YAZUMCEKCXIPJCRD
-
memory/956-200-0x0000000000A30000-0x0000000000A42000-memory.dmp
Filesize: 72KB
-
memory/1376-197-0x0000000010000000-0x0000000012D6B000-memory.dmp
Filesize: 45.4MB
-
memory/1376-199-0x0000000010000000-0x0000000012D6B000-memory.dmp
Filesize: 45.4MB
-
memory/1376-196-0x0000000010000000-0x0000000012D6B000-memory.dmp
Filesize: 45.4MB
-
memory/4116-190-0x0000000006090000-0x0000000006634000-memory.dmp
Filesize: 5.6MB
-
memory/4116-191-0x0000000005B50000-0x0000000005BB6000-memory.dmp
Filesize: 408KB
-
memory/4116-189-0x0000000005A40000-0x0000000005ADC000-memory.dmp
Filesize: 624KB
-
memory/4116-186-0x0000000000910000-0x0000000000922000-memory.dmp
Filesize: 72KB
-
memory/4172-187-0x0000000010000000-0x0000000012D6B000-memory.dmp
Filesize: 45.4MB
-
memory/4172-185-0x0000000010000000-0x0000000012D6B000-memory.dmp
Filesize: 45.4MB
-
memory/4172-184-0x0000000010000000-0x0000000012D6B000-memory.dmp
Filesize: 45.4MB