Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system -
submitted
30-06-2024 15:56
Static task
static1
Behavioral task
behavioral1
Sample
DeathCrypter-0.7.0.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
DeathCrypter-0.7.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
DeathCrypter-0.7.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
DeathCrypter-0.7.0.exe
Resource
win11-20240508-en
General
-
Target
DeathCrypter-0.7.0.exe
-
Size
9.8MB
-
MD5
e5b1ff36f9fca02f63e3de2fe4861b55
-
SHA1
36e275dcf39a1a963ee0113af3e9f60e2a1a40f7
-
SHA256
57ec4122db9efd9fb97b27b6844d2026fcb25333ef18f4f2a44d63ad301c7a80
-
SHA512
bf43a7e5c839de792e756dc3ec75a9be8e779f57f7ab84f7e157aa796f7569045166e1fc889d014b0411501a4f3a4656a037fba78cf44d39b4b03b965bd8e09f
-
SSDEEP
196608:t41mNygKiOPY+ZozEhjRS5jlFUMEEk1n9V4rdkACYnksmj4bsDgbC8VN0:t4Oy+OjkEhjQlFFha9WrmAmwbzCN
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 1 IoCs
Processes:
resource | yara_rule
behavioral4/memory/4048-5-0x000002C2F9FA0000-0x000002C2FA1B2000-memory.dmp | family_agenttesla
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
DeathCrypter-0.7.0.exe
pid | process
4048 | DeathCrypter-0.7.0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
DeathCrypter-0.7.0.exe, msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | DeathCrypter-0.7.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | DeathCrypter-0.7.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | DeathCrypter-0.7.0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process (distinct pairs)
5108 | msedge.exe
2972 | msedge.exe
3744 | msedge.exe
4856 | identity_helper.exe
2416 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
msedge.exe
pid | process (distinct pairs)
2972 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
DeathCrypter-0.7.0.exe
description | pid | process
Token: SeDebugPrivilege | 4048 | DeathCrypter-0.7.0.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exe
pid | process (distinct pairs)
2972 | msedge.exe
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exe
pid | process (distinct pairs)
2972 | msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
DeathCrypter-0.7.0.exe, msedge.exe
description | pid | process | target process (distinct rows)
PID 4048 wrote to memory of 2972 | 4048 | DeathCrypter-0.7.0.exe | msedge.exe
PID 2972 wrote to memory of 4896 | 2972 | msedge.exe | msedge.exe
PID 2972 wrote to memory of 4316 | 2972 | msedge.exe | msedge.exe
PID 2972 wrote to memory of 5108 | 2972 | msedge.exe | msedge.exe
PID 2972 wrote to memory of 4644 | 2972 | msedge.exe | msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DeathCrypter-0.7.0.exe"C:\Users\Admin\AppData\Local\Temp\DeathCrypter-0.7.0.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hackforums.net/member.php?action=profile&uid=54209672⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe17663cb8,0x7ffe17663cc8,0x7ffe17663cd83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10044005447923769828,18179922516768579301,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4316 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads