Overview

overview

6

Static

static

1

SYSTEM.Cri...3d.msi

windows7-x64

6

SYSTEM.Cri...3d.msi

windows10-2004-x64

6

Resubmissions

16-02-2024 13:22

240216-ql7mxsbg58 6

01-12-2022 12:54

221201-p47vzadd6v 7

Analysis

  • max time kernel
    72s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2024 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SYSTEM.Critical.Upgrade.Win10.0.14129a18398ef3d.msi

  • Size

    2.7MB

  • MD5

    c4b90f7b86d6a1656f0d40d3cbae8aec

  • SHA1

    893368a6b1f00b5665ba0a403042ca955842246a

  • SHA256

    8d8c15da905c23fb964b0d77e18ba404a59222f08c8eb992e5092b735a66bf5e

  • SHA512

    06ed7a65f9009e529438996184984d4d5d0689878eff8ba5e7be2e58bb6a1657ef06ca7e1e803a3773a67e3c4201ee9a7c48727626b91a91f2a2ccf813799da8

  • SSDEEP

    3072:NOiggXYJ4SsWzlV3lXHXNX9XXXDC/9MvuMz7/822I:N8gXPr/9Mv5z7/822

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 58 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    • Modifies registry class
    PID:3744
    • C:\Windows\System32\cmd.exe
      /c fodhelper.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\system32\wscript.exe
          "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
          4⤵
            PID:4212
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4016
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Modifies registry class
        PID:1688
        • C:\Windows\System32\cmd.exe
          /c fodhelper.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3100
          • C:\Windows\system32\fodhelper.exe
            fodhelper.exe
            3⤵
              PID:2348
              • C:\Windows\system32\wscript.exe
                "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                4⤵
                  PID:4128
          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
            1⤵
              PID:2648
            • C:\Windows\system32\msiexec.exe
              msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SYSTEM.Critical.Upgrade.Win10.0.14129a18398ef3d.msi
              1⤵
              • Enumerates connected drives
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:960
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4140
              • C:\Windows\System32\cmd.exe
                /c fodhelper.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4836
                • C:\Windows\system32\fodhelper.exe
                  fodhelper.exe
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3756
                  • C:\Windows\system32\wscript.exe
                    "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                    4⤵
                      PID:3472
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:3900
                • C:\Windows\System32\cmd.exe
                  /c fodhelper.exe
                  2⤵
                    PID:4188
                    • C:\Windows\system32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                        PID:1780
                        • C:\Windows\system32\wscript.exe
                          "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                          4⤵
                            PID:864
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3836
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                        1⤵
                        • Modifies registry class
                        PID:3568
                        • C:\Windows\System32\cmd.exe
                          /c fodhelper.exe
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4048
                          • C:\Windows\system32\fodhelper.exe
                            fodhelper.exe
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4588
                            • C:\Windows\system32\wscript.exe
                              "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                              4⤵
                                PID:3892
                        • C:\Windows\Explorer.EXE
                          C:\Windows\Explorer.EXE
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          • Suspicious use of WriteProcessMemory
                          PID:3440
                          • C:\Windows\System32\cmd.exe
                            /c fodhelper.exe
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4436
                            • C:\Windows\system32\fodhelper.exe
                              fodhelper.exe
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2600
                              • C:\Windows\system32\wscript.exe
                                "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                                4⤵
                                  PID:3600
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README.html
                              2⤵
                              • Enumerates system info in registry
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:3260
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffc305846f8,0x7ffc30584708,0x7ffc30584718
                                3⤵
                                  PID:4132
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2372
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
                                  3⤵
                                    PID:3380
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
                                    3⤵
                                      PID:4460
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                                      3⤵
                                        PID:1144
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                                        3⤵
                                          PID:4244
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
                                          3⤵
                                            PID:3868
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
                                            3⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2320
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
                                            3⤵
                                              PID:864
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
                                              3⤵
                                                PID:656
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                                                3⤵
                                                  PID:2284
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5579596688873149235,18386203528650044581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
                                                  3⤵
                                                    PID:3868
                                              • C:\Windows\system32\taskhostw.exe
                                                taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                1⤵
                                                • Modifies registry class
                                                PID:3140
                                                • C:\Windows\System32\cmd.exe
                                                  /c fodhelper.exe
                                                  2⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4504
                                                  • C:\Windows\system32\fodhelper.exe
                                                    fodhelper.exe
                                                    3⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3752
                                                    • C:\Windows\system32\wscript.exe
                                                      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                                                      4⤵
                                                        PID:2664
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                  1⤵
                                                  • Modifies registry class
                                                  PID:2196
                                                  • C:\Windows\System32\cmd.exe
                                                    /c fodhelper.exe
                                                    2⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1576
                                                    • C:\Windows\system32\fodhelper.exe
                                                      fodhelper.exe
                                                      3⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3332
                                                      • C:\Windows\system32\wscript.exe
                                                        "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                                                        4⤵
                                                          PID:4980
                                                  • C:\Windows\system32\sihost.exe
                                                    sihost.exe
                                                    1⤵
                                                    • Modifies registry class
                                                    PID:688
                                                    • C:\Windows\System32\cmd.exe
                                                      /c fodhelper.exe
                                                      2⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:4864
                                                      • C:\Windows\system32\fodhelper.exe
                                                        fodhelper.exe
                                                        3⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3296
                                                        • C:\Windows\system32\wscript.exe
                                                          "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/fuifxao.grb
                                                          4⤵
                                                            PID:2388
                                                    • C:\Windows\system32\msiexec.exe
                                                      C:\Windows\system32\msiexec.exe /V
                                                      1⤵
                                                      • Enumerates connected drives
                                                      • Drops file in Windows directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3920
                                                      • C:\Windows\System32\MsiExec.exe
                                                        C:\Windows\System32\MsiExec.exe -Embedding 94D7362ECE8AAF5DB3D537CC47FEB6DA C
                                                        2⤵
                                                        • Loads dropped DLL
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:4476
                                                      • C:\Windows\system32\srtasks.exe
                                                        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                                                        2⤵
                                                          PID:3952
                                                      • C:\Windows\system32\vssvc.exe
                                                        C:\Windows\system32\vssvc.exe
                                                        1⤵
                                                        • Checks SCSI registry key(s)
                                                        PID:4112
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:2852
                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                          1⤵
                                                            PID:2320
                                                          • C:\Windows\system32\BackgroundTaskHost.exe
                                                            "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                                                            1⤵
                                                              PID:2348

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              5e77545b7e1c504b2f5ce7c5cc2ce1fe

                                                              SHA1

                                                              d81a6af13cf31fa410b85471e4509124ebeaff7e

                                                              SHA256

                                                              cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

                                                              SHA512

                                                              cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\34a4d29b-2774-4457-8efc-563361c6a7e5.tmp
                                                              Filesize

                                                              111B

                                                              MD5

                                                              285252a2f6327d41eab203dc2f402c67

                                                              SHA1

                                                              acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                              SHA256

                                                              5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                              SHA512

                                                              11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize

                                                              5KB

                                                              MD5

                                                              aee18f0f656dd56342e2afa67285519c

                                                              SHA1

                                                              c4bfb9c8b5855bb4a2e58e01c4caa81f43298e0f

                                                              SHA256

                                                              a9437560d538cff83dc92be5b4aa3b7ade722c6d58b6d063ddfa4c7f726eccfd

                                                              SHA512

                                                              12477233a631649d889de48a12dccfc256458be7d7d7321a5eb6a9222960f9c2c0e95922b651783aa80ef4c127488dcbec0ec228af9aa57c6dcecfb29acb4f63

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize

                                                              5KB

                                                              MD5

                                                              aa1eb660c5f13e07e2c89f53cd779a05

                                                              SHA1

                                                              45639a4ff131b3a361054825bce671a13a7ea631

                                                              SHA256

                                                              4781b294cb28cc20ccb18c099193c06e6af92f67a9a5dfc00b2f591d82ca2fd8

                                                              SHA512

                                                              f5a38c0914d0fc27a05b5cff8a96b3b7287aee377e361711477b1085e624d5dfdaaa0d79a8e63c406bc6b9d864de91b58901e7f13bf87505fe6ede4d8d6b1732

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                                              Filesize

                                                              24KB

                                                              MD5

                                                              6db2d2ceb22a030bd1caa72b32cfbf98

                                                              SHA1

                                                              fe50f35e60f88624a28b93b8a76be1377957618b

                                                              SHA256

                                                              7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

                                                              SHA512

                                                              d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                              Filesize

                                                              16B

                                                              MD5

                                                              6752a1d65b201c13b62ea44016eb221f

                                                              SHA1

                                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                              SHA256

                                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                              SHA512

                                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                              Filesize

                                                              10KB

                                                              MD5

                                                              066476b4cb2532cafbdce1dbbf772a03

                                                              SHA1

                                                              952c77cf29e3c1495f83b286b1a266447df74caa

                                                              SHA256

                                                              b56fdd6f60b5d84972fb680df9c62d2e70f0dbd464656ea70040559b536f9b01

                                                              SHA512

                                                              2b593559be20632709f19ebf333dc0796dc8950753448264d987fb8cb2e0b9e6004ee990179c1d6bcc59c0a4a321d9cfee8366cca8ed971ca4ee9338a569d380

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\MSI4508.tmp
                                                              Filesize

                                                              84KB

                                                              MD5

                                                              0345408e69f9976c645c0df33b36f708

                                                              SHA1

                                                              82d6140eb4b09ed215e564d86e6a47c0e26a065d

                                                              SHA256

                                                              9bb14d25e7bcae1d8249bd94d365f2c2b05896c94925d82f65cbc595ca8d6616

                                                              SHA512

                                                              de04cb10b6c1905d6584797467878569613608e99308749c2cad40901ae11b6e82eaee82ff907631bc89ba5bd09fd9f337071e5685b1c2b1a693d39e78ed679b

                                                              Download Submit

                                                            • C:\Users\Admin\Desktop\JoinReceive.xlt
                                                              Filesize

                                                              348KB

                                                              MD5

                                                              1dec2af1d7267f4f68256f6a65b2122a

                                                              SHA1

                                                              1fe06a8e6bd2c77a19161303ea8e3b13ff2d8c8e

                                                              SHA256

                                                              1edbb40ab23af10b02c32208b33c55d3c07b62c6f627222a82c01046a7fc7d8e

                                                              SHA512

                                                              6f09fb8628aaf6cb5789d9d6ac03cb3dd2f55fbbebf235cc19820b728a08c36067427d6d842af537c547cbed379fbf0324cc1046e2bcd3c360f9427b6615016a

                                                              Download Submit

                                                            • C:\Users\Admin\Pictures\README.html
                                                              Filesize

                                                              17KB

                                                              MD5

                                                              4bc6eed587953f8f6d410406579e5c39

                                                              SHA1

                                                              adc0bd6ec5ec9ee1de34442bf5edb044089b7ebd

                                                              SHA256

                                                              c0ff4fd89722e8560365ef8e74ad50411c15ce938fb57d6e92dc47dd71f20114

                                                              SHA512

                                                              926a7b81af42383f676dbe0e9a696c944cbe5892df57c6203d2bc6fbd8abfe4fd52ad96b4df16840a3ca7f14b130fea890494dac7ada184ffcdca158d6744ee6

                                                              Download Submit

                                                            • C:\Users\Public\asgotqcji.grb
                                                              Filesize

                                                              19KB

                                                              MD5

                                                              2f1e3d59db15530902bc910cf67d053b

                                                              SHA1

                                                              0dcf5ec6aabaa5103a5dce772a062fba93089507

                                                              SHA256

                                                              173f1b2f284f3221b1e1b2e97a3f50ff1a97488e2ec44a6dfc1c75ab9bb6e4ef

                                                              SHA512

                                                              fb4a115cf99f1f080742e109267dfb1fce071781d5d8d80176c4ba3a4af172aeb49c17deaba5a3187a08f462c0332179c1816113e8f6c6253de4bef39c017731

                                                              Download Submit

                                                            • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                                              Filesize

                                                              7.7MB

                                                              MD5

                                                              6e7b90f04129b4968d6050f02f716eab

                                                              SHA1

                                                              f5ab43b5669edd792dde4248de29e25806ffe45b

                                                              SHA256

                                                              01c0b1b9e1f07b7685d4a10519aa1ed544ad618f5122a0f1d375ed1ebcb3fff6

                                                              SHA512

                                                              3ce9cc4c4bb760d1c3e6df0275e59c7404d2cfecdcae7086a23fd4a2380d0c7a68a05b00b429b5fb164daa67680588a4cc14fbebc43f9effba9a4fd0eac8dc88

                                                              Download Submit

                                                            • \??\Volume{05dfbecd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5501d76f-9ee2-4a30-9406-146712730964}_OnDiskSnapshotProp
                                                              Filesize

                                                              6KB

                                                              MD5

                                                              0769202c9bce944158d1ca26b3a95189

                                                              SHA1

                                                              20b449db76e831d72df3b89161215b26bd370284

                                                              SHA256

                                                              9a1e311b610f510869528d2a4add6c38997d811a35266279e22b7443ea72b8ef

                                                              SHA512

                                                              d26b6eb734bf609fd93c634a950e6a17cb50310d903ebdd34af6b267774b7cbdcf4910295339cb8f509060475fdcc7dc342850790dd78ac00ae8bce0fc61c6c5

                                                              Download Submit

                                                            • \??\pipe\LOCAL\crashpad_3260_TIOEEOWHPDAQXEVL
                                                              MD5

                                                              d41d8cd98f00b204e9800998ecf8427e

                                                              SHA1

                                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                              SHA256

                                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                              SHA512

                                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                              Download Submit

                                                            • memory/688-10-0x00000205331A0000-0x00000205331B3000-memory.dmp

                                                              Filesize

                                                              76KB

                                                              Download

                                                            • memory/4476-15-0x00000237C7E60000-0x00000237C7E61000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-14-0x00000237C7E40000-0x00000237C7E41000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-11-0x00000237C7E00000-0x00000237C7E01000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-12-0x00000237C7E20000-0x00000237C7E21000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-9-0x00000237C7DD0000-0x00000237C7DD1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-8-0x00000237C5C40000-0x00000237C5C41000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-7-0x00000237C5C30000-0x00000237C5C31000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-6-0x00000237C5C00000-0x00000237C5C01000-memory.dmp

                                                              Filesize

                                                              4KB

                                                              Download

                                                            • memory/4476-5-0x00000237C5BE0000-0x00000237C5BF4000-memory.dmp

                                                              Filesize

                                                              80KB

                                                              Download

                                                            • memory/4476-4-0x0000000180000000-0x0000000180018000-memory.dmp

                                                              Filesize

                                                              96KB

                                                              Download