hxxps://gofile[.]io/d/qTvFX5

Analysis

max time kernel
961s
max time network
967s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/qTvFX5

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2456	Astro Temp.exe
3496	physmeme.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 4772	3496	physmeme.exe	115

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\physmeme.exe	Astro Temp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	3496	WerFault.exe	114

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 382211.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3896	msedge.exe
3896	msedge.exe
4236	identity_helper.exe
4236	identity_helper.exe
3832	msedge.exe
3832	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	RegAsm.exe
Token: SeBackupPrivilege	4772	RegAsm.exe
Token: SeSecurityPrivilege	4772	RegAsm.exe
Token: SeSecurityPrivilege	4772	RegAsm.exe
Token: SeSecurityPrivilege	4772	RegAsm.exe
Token: SeSecurityPrivilege	4772	RegAsm.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 3260	3896	msedge.exe	81
PID 3896 wrote to memory of 3260	3896	msedge.exe	81
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3636	3896	msedge.exe	82
PID 3896 wrote to memory of 3168	3896	msedge.exe	83
PID 3896 wrote to memory of 3168	3896	msedge.exe	83
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84
PID 3896 wrote to memory of 2220	3896	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/qTvFX5
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ff8e50b46f8,0x7ff8e50b4708,0x7ff8e50b4718
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Users\Admin\Downloads\Astro Temp.exe
  "C:\Users\Admin\Downloads\Astro Temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Speech\physmeme.exe
    3⤵
    PID:760
  - - C:\Windows\Speech\physmeme.exe
      C:\Windows\Speech\physmeme.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 316
        5⤵
        Program crash
        
        PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c CLS
    3⤵
    PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,16205576186771251799,18242022216463842874,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3196 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3496 -ip 3496
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
a8adf1e7783415d634b550cace35588c

SHA1
7de71caeab15a7a3c642018f6d635866a46f7c21

SHA256
7c4e87d13046fcad22ae7d87836af7c007a631480adcafd98e222e5c36491413

SHA512
f8e8e26f2254943cca73e1facc75c949d2210882cf67503844bfe3e65b0c9a01e266f6c88cda71129698c2abdb01c7b94326d8d444aa9dba258245bb8de4de07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
856B

MD5
e6fef35211fb33bf791e988b2378e39b

SHA1
1698e79fdb6695653aa54e4307c44d82287b41e0

SHA256
f5175781e0c9e018cb2c232847cb5eed543b32564f10814ae54c80b2e16177b8

SHA512
8e1dc4e271953ec67fe1df88a596a69a73a6fcaf22cea70165e5f3aa2eadc925b71489b459c50efa2fb84c66a1f6c9a44dddaae7f021b11a43f6c0dab4a2f0f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee38201b2d84f893e66581d27b088c20

SHA1
f6b77bb86ca3d51ed0df5bf34087f048e108a38e

SHA256
212d557957850d51d213f6f7309bfc9ec6a37ccf94d9ecf0a71f0beb4f2b54a2

SHA512
02476acb36a0cdc09569544b89af268e44cf7a0dcfbc2e8c1026870c91892c52f3ed20953fff1f86ff6d69519b820fdd366ca19c6174be0b539bbc868bc5829f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
588e82d52a5137a3be78986ea40bdcba

SHA1
4b8b4fc6ba296749e20d1e7bcd36defa96e93f3d

SHA256
fad125f15e1f609880767da0c3d880ee7e936643d4fce7cf1ac81abc735806b9

SHA512
ef33aa8618bf2f9244719709180cbda3cfcf047278f316ecd0ddd7f4b98bbbde899233320a31ca37537cdd5e4da41de0b95dd93d2d2ac9732cbec82088be7754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a704cb733b9d3a62220c68d6b6e14eee

SHA1
b64312775d68c406d66f7d1232e56d79cfe5f765

SHA256
5ff733acf62a1b37f3bea4840745600123a2e038c14aed7d9105d7ae909c24d1

SHA512
84e6ba4cb78c227d99b152912dcb15474ab7a00bb4f5cb973fdfd0b5c7237d07211b74d00444b2b3b4638377a74c52e0b245424f56b647e68143610e4517bcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be3b21f632699ddf47d2b9ec9044d41c

SHA1
a9688b6ff6480e4aff50af59ba84f2caecf99531

SHA256
f228347fe11d021701224f30e2ae9be75de160ca3c11fead8fc2cd9f4a363905

SHA512
2a5ed53c10f0ca230052335124459d6e2cd2c6a09a97bbb611b5d38ed9744b50fb811490a23974c46f1bc946d7dea1f73e9032691a31e001b231a8c5df700fcc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 382211.crdownload

Filesize
572KB

MD5
7c02f59007b7250d85498055ce980721

SHA1
8970113c0951e66d5834366ad3fe8c88779fe1be

SHA256
d51b8ccf88fd3dbd86253ad69d131ef57d430f4bf12fefc9ef11a3e26bb962cb

SHA512
16e8129fbc623443073bb22df0c89c76a59b286c79beb78e8560fdb6e7faa6909a3eb19a26aba3bdbda404d88855b0095fd3988d1642122360e4377ae58028a9

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
543KB

MD5
991d6a160f06699bab14637b502e6cea

SHA1
48b7d896c1d70f26fed6804b6a59509cfb26a08d

SHA256
e037f2c70b2396ee3d636d14a97e22804c3828b47ba61baeefd1d38a0a919c1d

SHA512
a6b5ecc7ecc02d8cc4fe542e5e46f4d437a724c3d17897a0eba829a95dc1e2d402efffec630a4d3659f745c89fd6bb819d0712bab89e648a1f10878d817e75cb

Download Submit
memory/4772-115-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/4772-116-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/4772-114-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/4772-113-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download