Analysis
max time kernel: 44s
max time network: 49s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-06-2024 21:53
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1232385831918895114/1241146798257733744/accountify.v2.rar?ex=667007c8&is=666eb648&hm=52b677ba2c536acdba8ccd2fd2a2aa3802f7ebf4cdebccb5d288d8ba164e3cb0&
Resource: win11-20240508-en
Behavioral task: behavioral2
Sample: https://cdn.discordapp.com/attachments/1232385831918895114/1241146798257733744/accountify.v2.rar?ex=667007c8&is=666eb648&hm=52b677ba2c536acdba8ccd2fd2a2aa3802f7ebf4cdebccb5d288d8ba164e3cb0&
Resource: macos-20240611-en
General
-
Target
https://cdn.discordapp.com/attachments/1232385831918895114/1241146798257733744/accountify.v2.rar?ex=667007c8&is=666eb648&hm=52b677ba2c536acdba8ccd2fd2a2aa3802f7ebf4cdebccb5d288d8ba164e3cb0&
Malware Config
Signatures
-
Drops file in System32 directory 5 IoCs
Processes: svchost.exe
File opened for modification: C:\Windows\system32\SRU\SRU.chk (svchost.exe)
File opened for modification: C:\Windows\system32\SRU\SRU.log (svchost.exe)
File opened for modification: C:\Windows\system32\SRU\SRUDB.dat (svchost.exe)
File opened for modification: C:\Windows\system32\SRU\SRUtmp.log (svchost.exe)
File opened for modification: C:\Windows\system32\SRU\SRUDB.jfm (svchost.exe)
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Modifies data under HKEY_USERS 1 IoCs
Processes: svchost.exe
Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes: msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, sdiagnhost.exe, svchost.exe
pid process
104 msedge.exe
104 msedge.exe
3668 msedge.exe
3668 msedge.exe
3164 msedge.exe
3164 msedge.exe
1368 identity_helper.exe
1368 identity_helper.exe
5308 sdiagnhost.exe
5716 svchost.exe
5716 svchost.exe
5716 svchost.exe
5716 svchost.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes: msedge.exe
pid process
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: sdiagnhost.exe, svchost.exe
description pid process
Token: SeDebugPrivilege 5308 sdiagnhost.exe
Token: SeShutdownPrivilege 5716 svchost.exe
Token: SeCreatePagefilePrivilege 5716 svchost.exe
-
Suspicious use of FindShellTrayWindow 26 IoCs
Processes: msedge.exe, msdt.exe
pid process
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
4784 msdt.exe
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes: msedge.exe
pid process
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
3668 msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
description pid process target process
PID 3668 wrote to memory of 3116 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 3116 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 2876 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 104 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 104 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe PID 3668 wrote to memory of 4944 3668 msedge.exe msedge.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1232385831918895114/1241146798257733744/accountify.v2.rar?ex=667007c8&is=666eb648&hm=52b677ba2c536acdba8ccd2fd2a2aa3802f7ebf4cdebccb5d288d8ba164e3cb0&
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3668

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe50543cb8,0x7ffe50543cc8,0x7ffe50543cd8
      PID: 3116

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
      PID: 2876

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 104

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
      PID: 4944

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      PID: 4584

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      PID: 1696

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
      PID: 2276

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      PID: 824

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3164

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      PID: 1116

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
      PID: 4720

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
      PID: 3296

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
      PID: 2008

    C:\Windows\system32\msdt.exe
      Command line: -modal "524844" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFBA95.tmp" -ep "NetworkDiagnosticsWeb"
      - Suspicious use of FindShellTrayWindow
      PID: 4784

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15524859649159396643,337965187846755240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
      PID: 5512

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 848

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4296

C:\Windows\System32\sdiagnhost.exe
  Command line: C:\Windows\System32\sdiagnhost.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5308

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      PID: 5468

    C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      PID: 5924

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5716

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
  PID: 5748

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
  - Modifies data under HKEY_USERS
  PID: 5972
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061621.000\NetworkDiagnostics.debugreport.xml (71KB)
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061621.000\results.xsl (47KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (8KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (8KB)
C:\Users\Admin\AppData\Local\Temp\NDFBA95.tmp (3KB)
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4zeuhxr.qol.ps1 (60B)
C:\Windows\TEMP\SDIAG_17d662a0-f6d0-48ce-a634-58a811e0fefc\NetworkDiagnosticsTroubleshoot.ps1 (25KB)
C:\Windows\TEMP\SDIAG_17d662a0-f6d0-48ce-a634-58a811e0fefc\StartDPSService.ps1 (567B)
C:\Windows\TEMP\SDIAG_17d662a0-f6d0-48ce-a634-58a811e0fefc\UtilityFunctions.ps1 (53KB)
C:\Windows\TEMP\SDIAG_17d662a0-f6d0-48ce-a634-58a811e0fefc\UtilitySetConstants.ps1 (2KB)
C:\Windows\TEMP\SDIAG_17d662a0-f6d0-48ce-a634-58a811e0fefc\en-US\LocalizationData.psd1 (5KB)
C:\Windows\Temp\SDIAG_17d662a0-f6d0-48ce-a634-58a811e0fefc\DiagPackage.dll (488KB)
C:\Windows\Temp\SDIAG_17d662a0-f6d0-48ce-a634-58a811e0fefc\en-US\DiagPackage.dll.mui (17KB)
\??\pipe\LOCAL\crashpad_3668_MSQKMAKNEBFDTVTL (no size recorded; the hashes captured for it are those of zero-length content)
memory/5308-445-0x000001D37E710000-0x000001D37E732000-memory.dmp (136KB)
memory/5716-469-0x000001E96A320000-0x000001E96A330000-memory.dmp (64KB)
memory/5716-473-0x000001E96A360000-0x000001E96A370000-memory.dmp (64KB)
memory/5716-478-0x000001E96A820000-0x000001E96A821000-memory.dmp (4KB)