Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    58s
  • max time network
    56s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/06/2024, 09:26

General

  • Target

    cleaners/applecleaner.exe

  • Size

    3.6MB

  • MD5

    f96eb2236970fb3ea97101b923af4228

  • SHA1

    e0eed80f1054acbf5389a7b8860a4503dd3e184a

  • SHA256

    46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

  • SHA512

    2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

  • SSDEEP

    98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Checks system information in the registry 2 TTPs 1 IoCs

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Enumerates system info in registry 2 TTPs 21 IoCs
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\cleaners\applecleaner.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Checks system information in the registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicGamesLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1652
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:844
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im Battle.net.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://applecheats.cc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb821a46f8,0x7ffb821a4708,0x7ffb821a4718
          4⤵
            PID:4008
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2
            4⤵
              PID:816
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:920
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
              4⤵
                PID:3988
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
                4⤵
                  PID:4084
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
                  4⤵
                    PID:1356
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
                    4⤵
                      PID:3912
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
                      4⤵
                        PID:5052
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
                        4⤵
                          PID:3372
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
                          4⤵
                            PID:336
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
                            4⤵
                              PID:3084
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
                              4⤵
                                PID:4664
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
                                4⤵
                                  PID:2372
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,3271009292941822049,9682969009267047869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1464
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c pause
                              2⤵
                                PID:1820
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c cls
                                2⤵
                                  PID:5104
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
                                  2⤵
                                    PID:3128
                                    • C:\Windows\system32\netsh.exe
                                      NETSH WINSOCK RESET
                                      3⤵
                                      • Event Triggered Execution: Netsh Helper DLL
                                      PID:544
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
                                    2⤵
                                      PID:5028
                                      • C:\Windows\system32\netsh.exe
                                        NETSH INT IP RESET
                                        3⤵
                                        • Event Triggered Execution: Netsh Helper DLL
                                        PID:4648
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
                                      2⤵
                                        PID:1064
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall reset
                                          3⤵
                                          • Modifies Windows Firewall
                                          • Event Triggered Execution: Netsh Helper DLL
                                          PID:4132
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
                                        2⤵
                                          PID:840
                                          • C:\Windows\system32\netsh.exe
                                            NETSH INTERFACE IPV4 RESET
                                            3⤵
                                            • Event Triggered Execution: Netsh Helper DLL
                                            PID:3348
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
                                          2⤵
                                            PID:1088
                                            • C:\Windows\system32\netsh.exe
                                              NETSH INTERFACE IPV6 RESET
                                              3⤵
                                              • Event Triggered Execution: Netsh Helper DLL
                                              PID:4656
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
                                            2⤵
                                              PID:2152
                                              • C:\Windows\system32\netsh.exe
                                                NETSH INTERFACE TCP RESET
                                                3⤵
                                                • Event Triggered Execution: Netsh Helper DLL
                                                PID:4552
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
                                              2⤵
                                                PID:3560
                                                • C:\Windows\system32\netsh.exe
                                                  NETSH INT RESET ALL
                                                  3⤵
                                                  • Event Triggered Execution: Netsh Helper DLL
                                                  PID:1096
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
                                                2⤵
                                                  PID:3020
                                                  • C:\Windows\system32\ipconfig.exe
                                                    IPCONFIG /RELEASE
                                                    3⤵
                                                    • Gathers network information
                                                    PID:4532
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
                                                  2⤵
                                                    PID:2136
                                                    • C:\Windows\system32\ipconfig.exe
                                                      IPCONFIG /RELEASE
                                                      3⤵
                                                      • Gathers network information
                                                      PID:4484
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
                                                    2⤵
                                                      PID:2620
                                                      • C:\Windows\system32\ipconfig.exe
                                                        IPCONFIG /FLUSHDNS
                                                        3⤵
                                                        • Gathers network information
                                                        PID:2544
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
                                                      2⤵
                                                        PID:1216
                                                        • C:\Windows\system32\nbtstat.exe
                                                          NBTSTAT -R
                                                          3⤵
                                                            PID:884
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
                                                          2⤵
                                                            PID:3800
                                                            • C:\Windows\system32\nbtstat.exe
                                                              NBTSTAT -RR
                                                              3⤵
                                                                PID:2492
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
                                                              2⤵
                                                                PID:2936
                                                                • C:\Windows\system32\ARP.EXE
                                                                  arp -a
                                                                  3⤵
                                                                    PID:888
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
                                                                  2⤵
                                                                    PID:3792
                                                                    • C:\Windows\system32\ARP.EXE
                                                                      arp -d
                                                                      3⤵
                                                                        PID:2588
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
                                                                      2⤵
                                                                        PID:3096
                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                          WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
                                                                          3⤵
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3148
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:3224
                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                        1⤵
                                                                          PID:840

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Replay Monitor

                                                                        Loading Replay Monitor...

                                                                        Downloads

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          4158365912175436289496136e7912c2

                                                                          SHA1

                                                                          813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

                                                                          SHA256

                                                                          354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

                                                                          SHA512

                                                                          74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          ce4c898f8fc7601e2fbc252fdadb5115

                                                                          SHA1

                                                                          01bf06badc5da353e539c7c07527d30dccc55a91

                                                                          SHA256

                                                                          bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

                                                                          SHA512

                                                                          80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT

                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          46295cac801e5d4857d09837238a6394

                                                                          SHA1

                                                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                          SHA256

                                                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                          SHA512

                                                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

                                                                          Filesize

                                                                          41B

                                                                          MD5

                                                                          5af87dfd673ba2115e2fcf5cfdb727ab

                                                                          SHA1

                                                                          d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                          SHA256

                                                                          f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                          SHA512

                                                                          de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          d0d2d7eeb5c915ab14dd6101ffc55e3d

                                                                          SHA1

                                                                          9467a45c11fb2052d7a4404cc33598c082b8efd9

                                                                          SHA256

                                                                          6d7849f8bcca8bd7389d8f5f221f45c9c711c63a936a95d2e1d64ac409706c2d

                                                                          SHA512

                                                                          b27bd4f31008f136010a0b7cb9e14b86a71fe9dc8847c6cfb01f6cfe9bee0dd979bc7dc614214c2ac47f8eb9d2c8de587753e7f7c1e9a30da055a7019caa821d

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          18960dc120c3ad47dd5bb504d9aec9f2

                                                                          SHA1

                                                                          4333cb063e317f05f9c931ef284447b9e9ae5f2a

                                                                          SHA256

                                                                          6270889792dddcd132b033473b41d650cdf9aa1d8076719898c0f1fb0ef2e969

                                                                          SHA512

                                                                          7d1a5814a26aad3fba5c120e0eddf7f81a1ed9480a83aec1705159d69f061aff963a2fea90390f3e86ccb7d3eaca8b89274f4633261a34ac0fcfe4d00a462d16

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                          Filesize

                                                                          24KB

                                                                          MD5

                                                                          278954cfd356c523346625259046e33f

                                                                          SHA1

                                                                          dc01d0775dbc7c74913b73cb3ea294769bf4d33e

                                                                          SHA256

                                                                          c4f7f40cbcf8e4e6891513db74a32005171363e1e5d733aba477e5c4fbdd71b9

                                                                          SHA512

                                                                          33ed78145b497912d04319701345f93d0dd1e0d35aaa31dafbc4afe2c4cf759e3f95d2dd4322107269aba5aa7cac64b995ce6f8cc9c119204ba8a9134f1bef24

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          6752a1d65b201c13b62ea44016eb221f

                                                                          SHA1

                                                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                          SHA256

                                                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                          SHA512

                                                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                          Filesize

                                                                          8KB

                                                                          MD5

                                                                          47e4b452eec091c254295aa26c0db132

                                                                          SHA1

                                                                          e9e517875ed7458e908bd97f76c9eba9fef16e4c

                                                                          SHA256

                                                                          44b6e10de7030a175196908b6e621fec369ea232a37b4a15197a01896cf8344d

                                                                          SHA512

                                                                          24a94dc7a5603d806eff4c1b722d2f96ee945f6086bf6d66af176109f6ac2e7df80c5e90235c8ee0121552e41d51c572742798f59136cb9d751a0a48bd66c44a

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                                                                          Filesize

                                                                          264KB

                                                                          MD5

                                                                          f50f89a0a91564d0b8a211f8921aa7de

                                                                          SHA1

                                                                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                          SHA256

                                                                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                          SHA512

                                                                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                        • memory/4640-34-0x00007FF6D0660000-0x00007FF6D1002000-memory.dmp

                                                                          Filesize

                                                                          9.6MB

                                                                        • memory/4640-0-0x00007FF6D0660000-0x00007FF6D1002000-memory.dmp

                                                                          Filesize

                                                                          9.6MB

                                                                        • memory/4640-6-0x00007FF6D0660000-0x00007FF6D1002000-memory.dmp

                                                                          Filesize

                                                                          9.6MB

                                                                        • memory/4640-5-0x00007FF6D0660000-0x00007FF6D1002000-memory.dmp

                                                                          Filesize

                                                                          9.6MB

                                                                        • memory/4640-2-0x00007FF6D0660000-0x00007FF6D1002000-memory.dmp

                                                                          Filesize

                                                                          9.6MB

                                                                        • memory/4640-4-0x00007FF6D0660000-0x00007FF6D1002000-memory.dmp

                                                                          Filesize

                                                                          9.6MB

                                                                        • memory/4640-3-0x00007FF6D0660000-0x00007FF6D1002000-memory.dmp

                                                                          Filesize

                                                                          9.6MB

                                                                        • memory/4640-1-0x00007FFBA07F0000-0x00007FFBA07F2000-memory.dmp

                                                                          Filesize

                                                                          8KB