Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 15:38
Behavioral task: behavioral1
Sample: Beatware.Internal.v1.7.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: Beatware.Internal.v1.7.exe
Resource: win10v2004-20240508-en
General
Target: Beatware.Internal.v1.7.exe
Size: 8.3MB
MD5: 1fbd8db9291a9ee4622ee2accc493ba0
SHA1: 66cdda6c2789202f6c5f92a4e9bb970f3e095a9d
SHA256: 9fffea08116948a80151baf5271b5ba94d54e11d4c9aa7315591626d11ac0242
SHA512: 744f62ebc60cbe7c9f23c64e5e98c5309b673a8ff2b6c743bc4c27655efcdb43ea68474d6f39160adf74baf65c5036f8ea17b73038fb6ddd04698b5b1cdcccc5
SSDEEP: 98304:mn2ihaZdUjS6fzR1vQ6cbrgsihQ4xbNs8kwzXRuLHJD1UQ17VOhKMVtOwwMltcc:O2i0IV7RtQhihDbNs8VRORSQsKM3Hwf
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/1416-2-0x00007FF7A1FF0000-0x00007FF7A296B000-memory.dmp | vmprotect
behavioral2/memory/1416-6-0x00007FF7A1FF0000-0x00007FF7A296B000-memory.dmp | vmprotect
behavioral2/memory/1416-178-0x00007FF7A1FF0000-0x00007FF7A296B000-memory.dmp | vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes: Beatware.Internal.v1.7.exe
pid | process
1416 | Beatware.Internal.v1.7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
3332 | timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{53BCE86E-B1DE-41B2-A57F-216C6CB40F04} | msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: Beatware.Internal.v1.7.exe, msedge.exe
pid | process
1416 | Beatware.Internal.v1.7.exe
1420 | msedge.exe
1832 | msedge.exe
1204 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes: msedge.exe
pid | process
1832 | msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs
Processes: msedge.exe
pid | process
1832 | msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process
1832 | msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: Beatware.Internal.v1.7.exe, cmd.exe, msedge.exe
description | pid | process | target process
PID 1416 wrote to memory of 2408 | 1416 | Beatware.Internal.v1.7.exe | cmd.exe
PID 1416 wrote to memory of 1616 | 1416 | Beatware.Internal.v1.7.exe | cmd.exe
PID 1616 wrote to memory of 2844 | 1616 | cmd.exe | certutil.exe
PID 1616 wrote to memory of 4080 | 1616 | cmd.exe | find.exe
PID 1616 wrote to memory of 4828 | 1616 | cmd.exe | find.exe
PID 1416 wrote to memory of 676 | 1416 | Beatware.Internal.v1.7.exe | cmd.exe
PID 1416 wrote to memory of 1832 | 1416 | Beatware.Internal.v1.7.exe | msedge.exe
PID 1416 wrote to memory of 1196 | 1416 | Beatware.Internal.v1.7.exe | cmd.exe
PID 1832 wrote to memory of 2804 | 1832 | msedge.exe | msedge.exe
PID 1832 wrote to memory of 1820 | 1832 | msedge.exe | msedge.exe
PID 1832 wrote to memory of 1420 | 1832 | msedge.exe | msedge.exe
PID 1832 wrote to memory of 3572 | 1832 | msedge.exe | msedge.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Beatware.Internal.v1.7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Beatware.Internal.v1.7.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls

[depth 2] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware.Internal.v1.7.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
- Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\system32\certutil.exe
Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware.Internal.v1.7.exe" MD5

[depth 3] C:\Windows\system32\find.exe
Command line: find /i /v "md5"

[depth 3] C:\Windows\system32\find.exe
Command line: find /i /v "certutil"

[depth 2] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffb1acc46f8,0x7ffb1acc4708,0x7ffb1acc4718

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
- Suspicious behavior: EnumeratesProcesses

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4980 /prefetch:8

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2176,11605255411444112631,15162273370874287575,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4888 /prefetch:8
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

[depth 2] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls

[depth 2] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls

[depth 2] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c start cmd /C color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5

[depth 3] C:\Windows\system32\cmd.exe
Command line: cmd /C color b

[depth 3] C:\Windows\system32\timeout.exe
Command line: timeout /t 5
- Delays execution with timeout.exe

[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (Filesize: 152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (Filesize: 152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (Filesize: 384B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (Filesize: 447B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize: 6KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (Filesize: 5KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize: 10KB)
\??\pipe\LOCAL\crashpad_1832_HOFOYFREYVUHGITR
memory/1416-6-0x00007FF7A1FF0000-0x00007FF7A296B000-memory.dmp (Filesize: 9.5MB)
memory/1416-2-0x00007FF7A1FF0000-0x00007FF7A296B000-memory.dmp (Filesize: 9.5MB)
memory/1416-1-0x00007FFB38C90000-0x00007FFB38C92000-memory.dmp (Filesize: 8KB)
memory/1416-0-0x00007FF7A2085000-0x00007FF7A23EE000-memory.dmp (Filesize: 3.4MB)
memory/1416-177-0x00007FF7A2085000-0x00007FF7A23EE000-memory.dmp (Filesize: 3.4MB)
memory/1416-178-0x00007FF7A1FF0000-0x00007FF7A296B000-memory.dmp (Filesize: 9.5MB)