Analysis

max time kernel: 136s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 24-05-2024 14:42
Behavioral task: behavioral1
Sample: HomeDesk.msi
Resource: win7-20240215-es

Behavioral task: behavioral2
Sample: HomeDesk.msi
Resource: win10v2004-20240226-es
General

Target: HomeDesk.msi
Size: 19.5MB
MD5: a6c23b2846b76a423eef4a5cf25e834f
SHA1: bef30ddb5e74e5078847b1f9dfef573f82f63c26
SHA256: d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f
SHA512: d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf
SSDEEP: 393216:dvEwpJKaB9QEyLiZWGGpNmOQ+Ji5FEFhJfnRx96dOuMNIKMgTl:doR5+ZlxODJiONncg6KMgJ
Malware Config
Signatures
-
Detects common strings, DLL and API in Banker_BR (1 IoC)
Hunting by known PDB files - Trojan Banker LATAM.
Processes:
resource: C:\Windows\Installer\e58c474.msi
yara_rule: Detect_MSI_LATAM_Banker_From_LatAm
-
Hunting by known EXPORT - Trojan Banker LATAM. (1 IoC)
Hunting by known EXPORT - Trojan Banker LATAM.
Processes:
resource: C:\Users\Admin\HomeDesk\AGLoader.dll
yara_rule: Detect_Suspicious_Export_PE_Banker
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: LKdayanJELT9QDD900055.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\HomeDesk\\LKdayanJELT9QDD900055.exe"
process: LKdayanJELT9QDD900055.exe
The dropped executable registers itself under the logged-on user's Run key (value name Financeiro), so it is relaunched from C:\Users\Admin\HomeDesk at each logon of that account. The value sits in the user hive (HKU\<SID>, i.e. HKCU for that user), which a standard user can write without elevation.
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description: File opened (read-only)
process: msiexec.exe
ioc: 23 drive roots, each opened twice: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
All 46 opens are attributed to msiexec.exe, not to the dropped executable; probing every volume root is what Windows Installer does while costing an install, so this signature by itself is not specific to the sample.
-
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe
description / ioc / process:
File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSIC87B.tmp (msiexec.exe)
File opened for modification: C:\Windows\Installer\ (msiexec.exe)
File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
File created: C:\Windows\Installer\e58c474.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\e58c474.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSID609.tmp (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSID85D.tmp (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSIDA90.tmp (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSID83C.tmp (msiexec.exe)
File created: C:\Windows\Installer\e58c478.msi (msiexec.exe)
File created: C:\Windows\Installer\SourceHash{1E9BF671-B749-45DC-A228-4E1C413B0C7C} (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSIE00F.tmp (msiexec.exe)
e58c474.msi is the cached copy of the submitted package (same hashes as HomeDesk.msi in the Downloads table). Windows Installer names the SourceHash file after the package's ProductCode, so {1E9BF671-B749-45DC-A228-4E1C413B0C7C} is the ProductCode to look for in the installer registry and Uninstall keys on other hosts.
-
Executes dropped EXE (1 IoC)
Processes: LKdayanJELT9QDD900055.exe
pid / process: 4484 LKdayanJELT9QDD900055.exe
-
Loads dropped DLL (6 IoCs)
Processes: MsiExec.exe, LKdayanJELT9QDD900055.exe
pid / process: 4388 MsiExec.exe (5 entries); 4484 LKdayanJELT9QDD900055.exe (1 entry)
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
-
Modifies registry class (1 IoC)
Processes: msedge.exe
Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{9C86F06E-936A-4DCB-8FB8-80F5010CBC85} (msedge.exe)
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: msiexec.exe, LKdayanJELT9QDD900055.exe, msedge.exe
pid / process: 2204 msiexec.exe (2 entries); 4484 LKdayanJELT9QDD900055.exe (2 entries); 2452 msedge.exe (2 entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: LKdayanJELT9QDD900055.exe
pid / process: 4484 LKdayanJELT9QDD900055.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
PID 2008 msiexec.exe, tokens in the order recorded: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
PID 2204 msiexec.exe: SeSecurityPrivilege once (recorded between the first two PID 2008 entries), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating 16 times each (33 entries)
Both PIDs are msiexec.exe; none of the token adjustments are attributed to the dropped executable.
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
pid / process: 2008 msiexec.exe (2 entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msiexec.exe, msedge.exe
description / process / target process:
PID 2204 wrote to memory of 4388: msiexec.exe -> MsiExec.exe (3 entries)
PID 2204 wrote to memory of 4484: msiexec.exe -> LKdayanJELT9QDD900055.exe (3 entries)
PID 2452 wrote to memory of 228: msedge.exe -> msedge.exe (2 entries)
PID 2452 wrote to memory of 5072: msedge.exe -> msedge.exe (51 entries)
PID 2452 wrote to memory of 4048: msedge.exe -> msedge.exe (2 entries)
PID 2452 wrote to memory of 3048: msedge.exe -> msedge.exe (3 entries)
Every target is a child of the writing process in the tree below (4388 and 4484 are spawned by the installer service instance 2204; the remaining targets are Edge's own helper processes), which is the pattern of a parent writing into a process it has just created, not of injection into an unrelated process.
Processes

Depth follows the report's tree: each depth-2 entry is a child of the nearest depth-1 entry above it.

[depth 1] C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HomeDesk.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

[depth 1] C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 03697149EB8FB6283CC5175759AF07BB
    - Loads dropped DLL

    [depth 2] C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe
    Command line: "C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe"
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffa1f2d2e98,0x7ffa1f2d2ea4,0x7ffa1f2d2eb0

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2132 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:2

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2252 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:3

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3156 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3892 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8

    [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4672 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8

Reading the tree: the dropped executable is started directly by the Windows Installer service instance (msiexec.exe /V, PID 2204 in the WriteProcessMemory table) rather than by the user-facing msiexec.exe /I client, and it then writes its own Run key. MsiExec.exe -Embedding is the installer's custom-action host, which is where the five dropped-DLL loads attributed to PID 4388 occur. The msedge.exe tree is a separate depth-1 root; the report does not show it being spawned by the installer chain or by the dropped executable, so the registry and BIOS reads attributed to msedge.exe should not be counted against the sample.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Config.Msi\e58c477.rbs
Filesize: 15KB
MD5: 9c60804e8261b74628b0ccef0f7ebc7c
SHA1: 95e9fb6207267065ab8116d44082e9ffeccc521c
SHA256: 51e1f8bcbeaf45ba80fb0842c553794efe488212d1e8f4827080af789868342f
SHA512: 19761b82c55dbc347c3ec4bdba0d1d200682a07148126a2ecb6439d3c18c79cc149803ab229eaa84d291c319a6f81a6c82b2f41c390725ed76728c473d412314
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 280B
MD5: 4c07962c1ad5a7b1e2b079594e6367f8
SHA1: b98bb2abad60387232002476205b4c30ce3bd160
SHA256: 69b564f95f428e132134fa472e3bc17fdf3a526370653d9d2e59a91c730e4c45
SHA512: bf34124e0890a977c6e61cda5f2199dcb0e3f62fda916dc9af7039f18fcd1857e89208f88ae505691c1836af37c09b105fc14b6f18dfdd9db69c6152ae62e4b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize: 1KB
MD5: 01a879f7707d8d530634d8541fdd87d8
SHA1: 0f05dc9a95e20f2564766a9f3d8d4e73e09f9369
SHA256: 4916e46a351b70bfcb3e22486f2451c164a0a94a34ee14e66ef78edbdb820a79
SHA512: c4d6be9fb38926aefd704b10a57a0f4832db840ea7390f684b059281bce970d1ed7e0748dd813c0096f6af33af9c809a85c5076a1c4d112bb1a8997f2305d1b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 9KB
MD5: c937cd963168a933a0ccc278473dc49d
SHA1: 1786b8bb8bb1caf62ee1b925227f20933937405e
SHA256: 4e33b3c810b3d44850026d321e222567babbd97d2b725d2aa1303464e584d5cc
SHA512: 3ef157ef40a5ec6ca180e3068948d503d02a92ef7853b451871b603b83596066d58fca99dfce67e7cd7c9137072cde9b1c97175e14ddae4c04af52006a08dc01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize: 30KB
MD5: 188e67fdf4b209ec386d99e5284f75e0
SHA1: 8f2256d9926dfb1c37e07b24b9584d79354d65d0
SHA256: aba7ded950dc834a0968ed29c736775e1c3ea07ca073888b61ed906ab8f363f7
SHA512: dffd68e586581a993c3761431acebac1d1bb4d28c39581c18087262195f8dddc213c870bf9f6fa6be57fe1bf94a0b260ca47d8408bb6ef32fed1e698c33547bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 33KB
MD5: 5952eafeb3ea51d37384631522af489a
SHA1: aeb03376e7a31d38f22945e5f3be60064280498a
SHA256: 84a3c1c7d8e76959a0a203a4ee8164a6560460d4d8489d70dc354f7072954ecc
SHA512: da1e59ce2719ae7ef0e377ba9241545536fc7f7ebb1ee37dd6b2223a4acbe68b6a26458e8865138ad0de32efb8afe1b3a4e0c09eb2a1222b7b9e5ec73a83bb9d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 43KB
MD5: 4ea6f12fd136a34d02c141666b6be16f
SHA1: 6486cc88566ee5d3fc635fccc984e82c0ad537a1
SHA256: 8330a3b9210376d637868ff676859bdf39cdb9681147b90b3cd2db6065a33eb0
SHA512: 3da4578f3052c688dbe110e7c0911580face04975bea956fcebd7ed0944b2dfd72d8f056c77dde3b53a4ae51e09c70c28e14d16872e90e64012d66c9733e1fd4
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize: 2KB
MD5: 13e71e1398c1011daa65d4c86d1ef60d
SHA1: b5671318410ce5cc80cd15917dfabccd31cf1792
SHA256: a3cf6aeb6e24eb6ec656cd5a99fdfa8138940ee018748da69417aaba0b602175
SHA512: 98b4813edf665ae12d8eb7ce6904a25d19569e848c6f7ff9665f762c51244539afb35eaca7b9cd2ab4d8eec5c980daf3e911de977e71d0c6e11790372c7cf792
-
C:\Users\Admin\HomeDesk\AGLoader.dll
Filesize: 7.4MB
MD5: 2921523030345673a00953df828679e0
SHA1: bc6e603a9b3acb91f4a0c0ce3a6d032785c2e2ea
SHA256: 120facb1726fcffeeb2de1d2be98a421823b0d06baec1763cb6c33cffa79b001
SHA512: 0612580d856fbeb41c81dbcb08aef1f5fe3bf0744ef0f2f8ee6423fe4cc9f5e25852eb8150dcc439bd74d8e5a73f17f6e7a9f67cade691d57056c0e25c55f888
-
C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe
Filesize: 289KB
MD5: eb67273c54e78db4faffab9001148753
SHA1: 0e6cab2fdf666e53c994718477068e51b656e078
SHA256: 7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd
SHA512: 8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07
-
C:\Users\Admin\HomeDesk\volume.dat
Filesize: 3.7MB
MD5: 77de03a0a71f4bad680c0442086fcc3e
SHA1: f3732edd5d446d89a99f17f81be1736bc9ece856
SHA256: 259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb
SHA512: 398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0
-
C:\Windows\Installer\MSIC87B.tmp
Filesize: 738KB
MD5: ee45c6dffaf86ed2a76d8f969c390c08
SHA1: ff5b2942ffa7d28ed3f72208e8e76391b2991b5a
SHA256: 118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca
SHA512: a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664
-
C:\Windows\Installer\e58c474.msi
Filesize: 19.5MB
MD5: a6c23b2846b76a423eef4a5cf25e834f
SHA1: bef30ddb5e74e5078847b1f9dfef573f82f63c26
SHA256: d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f
SHA512: d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf
(same digests as the submitted HomeDesk.msi: this is the copy Windows Installer caches under C:\Windows\Installer)
-
\??\pipe\crashpad_2452_IUFWHYBWARROKIXB
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of zero bytes: the entry is Edge's crashpad named pipe, and there is no file content to match on)
-
memory/4484-160-0x00000000011C0000-0x00000000011C1000-memory.dmp
Filesize: 4KB
-
memory/4484-166-0x0000000072700000-0x000000007338F000-memory.dmp
Filesize: 12.6MB
-
memory/4484-165-0x0000000001340000-0x0000000001341000-memory.dmp
Filesize: 4KB
-
memory/4484-164-0x0000000001330000-0x0000000001331000-memory.dmp
Filesize: 4KB
-
memory/4484-163-0x0000000001320000-0x0000000001321000-memory.dmp
Filesize: 4KB
-
memory/4484-162-0x0000000001310000-0x0000000001311000-memory.dmp
Filesize: 4KB
-
memory/4484-161-0x00000000011D0000-0x00000000011D1000-memory.dmp
Filesize: 4KB
-
memory/4484-159-0x00000000011B0000-0x00000000011B1000-memory.dmp
Filesize: 4KB
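The dropped-file digests above and the Run-key value from the Signatures section are the artefacts a responder would sweep other hosts for. The script below is an added example written for this page; it is not part of the sandbox report and not code from the sample. It copies the SHA-256 values of the HomeDesk drop set and the cached MSI from the Downloads table, hashes arbitrary files and flags matches, parses a Run-key "Set value" line in the form the report prints it (key, value name, unescaped target path) and applies a simple heuristic for autostarts that point into user-writable directories. The USER_WRITABLE_PREFIXES list and the file contents in demo() are constructed for the example; the two-byte contents "{}" and "[]" reproduce two of the Edge files in the table, so the digests can be checked against the report without the malware itself.

```python
"""Offline IoC check built from this report: dropped-file hashes and the Run-key value.

Added example for this page; not part of the sandbox report or of the sample.
Digests are copied from the Downloads table. Sample contents in demo() are
constructed so the script runs offline.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# SHA-256 digests copied from the report's Downloads table, keyed to the path they were dropped at.
KNOWN_SHA256: Dict[str, str] = {
    "120facb1726fcffeeb2de1d2be98a421823b0d06baec1763cb6c33cffa79b001": r"C:\Users\Admin\HomeDesk\AGLoader.dll",
    "7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd": r"C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe",
    "259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb": r"C:\Users\Admin\HomeDesk\volume.dat",
    "d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f": r"HomeDesk.msi (cached as C:\Windows\Installer\e58c474.msi)",
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digest data with the four algorithms the report's tables use."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


# Digests of zero bytes; a report entry carrying these (the crashpad pipe) has no content to match on.
EMPTY_INPUT = hash_bytes(b"")


def is_empty_input(digests: Dict[str, str]) -> bool:
    """True when an entry's digests are those of empty input."""
    return digests.get("sha256") == EMPTY_INPUT["sha256"]


def match_known(data: bytes) -> Optional[str]:
    """Return the report path whose SHA-256 matches data, or None."""
    return KNOWN_SHA256.get(hash_bytes(data)["sha256"])


def scan_files(files: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Hash (name, content) pairs; return (name, report_path) for every known-bad match."""
    hits: List[Tuple[str, str]] = []
    for name, content in files:
        known = match_known(content)
        if known is not None:
            hits.append((name, known))
    return hits


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Recursively hash every regular file under root and report matches."""
    paths = (p for p in Path(root).rglob("*") if p.is_file())
    return scan_files((str(p), p.read_bytes()) for p in paths)


# Registry "Set value (str)" line in the form the report prints it: key\name = "data".
RUN_VALUE_RE = re.compile(
    r'^(?P<key>\\REGISTRY\\.*\\CurrentVersion\\Run)\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$'
)

# Constructed list of locations a standard user can write to; an autostart pointing here deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_run_value(line: str) -> Dict[str, str]:
    """Split a Run-key Set value line into key, value name and unescaped target data."""
    m = RUN_VALUE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Run-key Set value line: " + line)
    data = m.group("data").replace("\\\\", "\\")  # the report doubles backslashes in the data column
    return {"key": m.group("key"), "name": m.group("name"), "data": data}


def run_value_is_suspicious(data: str) -> bool:
    """Heuristic: the autostart launches an .exe from a user-writable location."""
    target = data.strip().strip('"').lower()
    return target.startswith(USER_WRITABLE_PREFIXES) and target.endswith(".exe")


# The Run-key IoC from this report, copied verbatim, used as input for parse_run_value.
REPORT_RUN_LINE = (
    r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Financeiro"
    r' = "C:\\Users\\Admin\\HomeDesk\\LKdayanJELT9QDD900055.exe"'
)


def demo() -> Dict[str, object]:
    """Run the checks on constructed input; the real dropped files are not embedded here."""
    run = parse_run_value(REPORT_RUN_LINE)
    # Constructed contents: "{}" and "[]" reproduce two of the report's 2-byte Edge files.
    sample = [("SiteList-Enterprise.json", b"{}"), ("SCT Auditing Pending Reports", b"[]")]
    return {
        "run_name": run["name"],
        "run_target": run["data"],
        "run_suspicious": run_value_is_suspicious(run["data"]),
        "hits": scan_files(sample),  # empty: neither constructed file is a known dropped file
        "site_list_md5": hash_bytes(sample[0][1])["md5"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To sweep a real host, point scan_directory at the user profiles (for example C:\Users) and feed the Run-key values exported from HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run through parse_run_value; matching is by SHA-256 only, so a rebuilt or repacked dropper with the same Run-key pattern is caught by the path heuristic rather than by the hash table.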