2236cb10b63bf29763bdeef87a10345cbeed21836978776f5a581ae85cee433f

Analysis

max time kernel
1796s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240426-de
resource tags

arch:x64arch:x86image:win10v2004-20240426-delocale:de-deos:windows10-2004-x64systemwindows
submitted
23-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypter.exe
Size

11.1MB
MD5

07a86dc8a247e5025a1569d8a97f72fe
SHA1

f878d2981e38fe99a0291467fbf5c6649de5c1a4
SHA256

2236cb10b63bf29763bdeef87a10345cbeed21836978776f5a581ae85cee433f
SHA512

5fcd4186a7d979a661b5faed13fde7c1e531811feba2258d4b968ce62529561cb1d1a816123be04758e33579b50815de4b3a8ee62da7b54c7b5a521e9a44047e
SSDEEP

196608:tU+gmbg3yNQl4Ik+i8I4GA81G+LDadKGa2KOZo45AB+cQN63G8hubGNi:2uol4Iz5G1za9a27ZoAc+cQN63GAi

Score

9^/10

defense_evasion evasion execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Disables Task Manager via registry modification
evasion

Loads dropped DLL 41 IoCs

Processes:

Crypter.exe

pid	process
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe
1676	Crypter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Crypter.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Crypter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Crypter.exe"	Crypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2312 1676 WerFault.exe Crypter.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5064 schtasks.exe

pid	pid_target	process	target process
2312	1676	WerFault.exe	Crypter.exe

pid	process
5064	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.EXE

pid process

1164 vssadmin.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

4808 msedge.exe
4808 msedge.exe
1456 msedge.exe
1456 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1456 msedge.exe
1456 msedge.exe
1456 msedge.exe

pid	process
1164	vssadmin.EXE

pid	process
4808	msedge.exe
4808	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Crypter.exevssvc.exe

description	pid	process
Token: 35	1676	Crypter.exe
Token: SeBackupPrivilege	3964	vssvc.exe
Token: SeRestorePrivilege	3964	vssvc.exe
Token: SeAuditPrivilege	3964	vssvc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Crypter.exe

pid process

1676 Crypter.exe
1676 Crypter.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Crypter.exeCrypter.execmd.execmd.execmd.exemsedge.exe

description	pid	process	target process
PID 4924 wrote to memory of 1676	4924	Crypter.exe	Crypter.exe
PID 4924 wrote to memory of 1676	4924	Crypter.exe	Crypter.exe
PID 4924 wrote to memory of 1676	4924	Crypter.exe	Crypter.exe
PID 1676 wrote to memory of 2296	1676	Crypter.exe	cmd.exe
PID 1676 wrote to memory of 2296	1676	Crypter.exe	cmd.exe
PID 1676 wrote to memory of 2296	1676	Crypter.exe	cmd.exe
PID 2296 wrote to memory of 5064	2296	cmd.exe	schtasks.exe
PID 2296 wrote to memory of 5064	2296	cmd.exe	schtasks.exe
PID 2296 wrote to memory of 5064	2296	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 1032	1676	Crypter.exe	cmd.exe
PID 1676 wrote to memory of 1032	1676	Crypter.exe	cmd.exe
PID 1676 wrote to memory of 1032	1676	Crypter.exe	cmd.exe
PID 1032 wrote to memory of 4108	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 4108	1032	cmd.exe	schtasks.exe
PID 1032 wrote to memory of 4108	1032	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 4204	1676	Crypter.exe	cmd.exe
PID 1676 wrote to memory of 4204	1676	Crypter.exe	cmd.exe
PID 1676 wrote to memory of 4204	1676	Crypter.exe	cmd.exe
PID 4204 wrote to memory of 5100	4204	cmd.exe	schtasks.exe
PID 4204 wrote to memory of 5100	4204	cmd.exe	schtasks.exe
PID 4204 wrote to memory of 5100	4204	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 1456	1676	Crypter.exe	msedge.exe
PID 1676 wrote to memory of 1456	1676	Crypter.exe	msedge.exe
PID 1456 wrote to memory of 4744	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 4744	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe
PID 1456 wrote to memory of 3408	1456	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f"
3⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f
4⤵
- Creates scheduled task(s)
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /run /i /tn updater47"
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /i /tn updater47
4⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /delete /tn updater47 /f"
3⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn updater47 /f
4⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.coindesk.com/information/what-is-bitcoin/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7fff764a46f8,0x7fff764a4708,0x7fff764a4718
4⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,14031051583665953614,16020789078550890099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
4⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14031051583665953614,16020789078550890099,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,14031051583665953614,16020789078550890099,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
4⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14031051583665953614,16020789078550890099,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
4⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14031051583665953614,16020789078550890099,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
4⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,14031051583665953614,16020789078550890099,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
4⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1164
3⤵
- Program crash
PID:2312

C:\Windows\system32\vssadmin.EXE
C:\Windows\system32\vssadmin.EXE Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:1164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1676 -ip 1676
1⤵
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
978062ba87415018f18250d5b1104bcf

SHA1
c7d20e4def3df66d28a9c7003894e25f91ac05dd

SHA256
a89e944783cdcbcf868398cb461434df3cd653b614bc3c32ae68c1e687f6567c

SHA512
f8ec6f6348a0b8ebb860ecf6521657336f1e09263747e75d2ae2d6ba0830ea8e69b33eaf846ac01173342f9f89c9ca0974efcc47949b91c61a2790cd7832b0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
6da17d51fa14224b6bc8f9244e42e95f

SHA1
1668437d2707612ff3f350e242a893c8684de5a4

SHA256
0a8bd55b8cfb45426068fea1c4068816f5b0846e54eaf05e8367b1118f2572f2

SHA512
b8665271623f2e3a1cc7e41f818c694ebe3d582d5d51e2100dff31953bc3f804cd0e36b6f63f5859579a271e110f1a9ee924759c57c127af63277971c6ff5227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7426693515fbd0e19a518c183b1efa59

SHA1
e87943f66284892531c3157d26e1c5303e377f99

SHA256
9fe8651f9cb2caf4a090e5cb1a1cc006d2522ace8ea5ae472dc9b678fe63e4e3

SHA512
966df1a5285366d0ac89ded0877a6f31e6f1b60607e121d2756d32ae5328cbf9a3c9672b13cb7cd1c1a17b379f843e46039f083c8110d903d752a14e40b73589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b3a90ff44243b038ab8a1cf22cfc92a0

SHA1
f2ce34e2c9ea84e2411e4bd0a851e57f8dbf7dd7

SHA256
2d85c48790a63d741b4adc53d524a0358f5c20c7f9fffed2993a9c32e0b3df4e

SHA512
c9029786b02fe377540aea50804c3ad46db0b34c1928d76e37cde078800ea913ab36478d11dd8b0b85a8875e5f4980edd40b824dd6031278a84848cc5afa32cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4ae8ade909d17f3de3c193936f1ea053

SHA1
59afcc4ab1a4e06c2623823327f0697fbe13a0fd

SHA256
ee2e8f0e512a07f65e4352614155122286566e098ae00019c63b82e95373d528

SHA512
82b01efc1b385b2a3e1e1d9cadcb75d7f62f15197ba9cd33489d2aec296237fb6e2685feb30b84402c83e552c36256c69af1390b97fbb79097ea1f9908707a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Cipher\_Salsa20.cp37-win32.pyd
Filesize
11KB

MD5
9e16e7fabf05143024bbce1e9548c28a

SHA1
afad2741926756893e9ba4f2c35be17afd5529d3

SHA256
58d89ecb81460861817dcbca7664d0c92617bf38b8ab5f9e7b3ad3d0ddf7188e

SHA512
f8cb4a8eb3f8e14f5c77f08842a49f68ecfe0303111e041ff04a05b660bb1d979f22dd0d9cb551416f6edd6f89e8b8932e4ef315b0590e87d91f688f44d0e7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Cipher\_raw_cbc.cp37-win32.pyd
Filesize
10KB

MD5
88b3fc546fbca422bfc35472ff6cc02c

SHA1
9078c09fbf6e03500bab9e2083db0ef73f10eb9a

SHA256
23b513c7e303bec76738de739fc850ea43c551f609800d7a4c995277a5d4b5ba

SHA512
9a197e5f5e902f4a03f08e91855fd5ae347786f004ba60f1b5c8d613dfebf7d1c765f7eb04ab68d5ea7063880e54e5d7ba65b74e3a363445f83c5f19bd41d30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Cipher\_raw_cfb.cp37-win32.pyd
Filesize
9KB

MD5
a5cbbaec60b6b40043a0f902627041ac

SHA1
cc87a383ddb35ebbd136bc558057f8fe61c275d9

SHA256
fd622dad723a51a5df47a092e9ac47e75a83322232cdcf8ddaaf41e88c9136de

SHA512
43c1a2a108e737a9c323a72fc2e8dd69e08a712d53a1acdf9287f608483ee4ff8656702a40e199fc9f21797673053f13c67d4172a5d7f387c5f23a3c6b71e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Cipher\_raw_ctr.cp37-win32.pyd
Filesize
10KB

MD5
1668f3391abb2854202d0e4e7f435520

SHA1
29d1325898ad98fc2f693964ffa94fa218be72c1

SHA256
ab293bad8d9b6cac6d0944f41c34bfe236dae4cfdc259858489d4af0a8e050e5

SHA512
bac5d5eb56283b1f07ff4a1d9ceb9f46e346de6b37863871059ed8b7031d02d7adf1c2e59cef64a6d6d71127bc928102aaa672e572b1b58e9496568b03efd929

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Cipher\_raw_ecb.cp37-win32.pyd
Filesize
8KB

MD5
f8ca1c0fe662f38422924cbfa0a97d8c

SHA1
c49ba8daf40e45bbceba4d07eab55290eb436e18

SHA256
9dcd1d062d79c7eb6361d4b17cbae53eadc592bccd4dedba2091e182673d6851

SHA512
545e9d9240521c74c8f3405ae16aa4f975a090ec00ea906f9723efe052b3df184fbde84e08ebc67d3314157a740a9b89ffbb8062f246e8982767eb473e9a44e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Cipher\_raw_ofb.cp37-win32.pyd
Filesize
9KB

MD5
92fa458ab38334f3c7d4e4fb4ade37ce

SHA1
2ce1720f477970cc7ed5c8e1480b7afb33c78d61

SHA256
ed969d1219fcd4576b56688c7d2bd306b58c99d10c0916241e5ff13350d61a3c

SHA512
21ac7552ea5a514ad7e7dd30d38c97d64b9151470efd1c9831eae9129c27063625c53528de404fbcd078336afa4fbc08948e0cbaeb840df0f5edec4ea89d1548

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Hash\_BLAKE2s.cp37-win32.pyd
Filesize
11KB

MD5
77be2ceaabc7406b3e4752d36aac79ee

SHA1
223a850889696bd9ebd4d0dce8e0aa23782f0ea7

SHA256
5593b4f8f04da26f2871c678a94634b2e448e35c06bffc52b3c7a5abbbdb7ead

SHA512
75e622a1a3a46cd29be42e1d0d6a8ea584044e3590f48ff5c1fdbca448730ec8d14f324842c485eef3a2e3778c74460e220d53bb263e068a28b1623a6bb43a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Hash\_MD5.cp37-win32.pyd
Filesize
12KB

MD5
8e55dad3d93ed8672d88d9c41a2b6f18

SHA1
74c339c9f04437de57d61d50d7dc465eacf76b35

SHA256
e88e31a9d7e82c754fca48fdc299075446b339e4d7dd38e63822d5d6245bd47b

SHA512
330e05852a5a206abc7b1677cac284bc4c6b656edba7bd8b4c3c6d1aae8d88b9bae3baf50f3216454c09f0882ac73c18cb28335454f75c4740c27c7e24b330a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Hash\_SHA1.cp37-win32.pyd
Filesize
15KB

MD5
ddd2fdc8477c7e80c776fb30ff41ce74

SHA1
01019fc04c03eac60fa1364bb7555696562dc679

SHA256
a566bf5986de39c01993dc200490cd2bd715cb60057e6923353318dc866c7348

SHA512
9b038f2b6f465fe6cb0d846a993b4fb1ce9e3ea066e04cdc66ef64acd826fbf1259b72367f94c8df4c8ba303a7260f37aabc23d7d9823d1b16c2a81142faca88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Hash\_SHA256.cp37-win32.pyd
Filesize
17KB

MD5
9493ef9c7141ac6f22375bfb26f227a9

SHA1
148a5c6e3a8f46e677f1535ba2c5c0e3241823e7

SHA256
298ec7962281e831d8215ef5600aa9d6de5928829142ff965eafa6683c3f2c59

SHA512
61685bc2349fda05cb22c594de25412996671ae35ac493f1c0baf5fd2dbe4bda491a0eac3b38548d6be4e98ae1711166dbb62a994537f45a2543388e1150b0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Hash\_ghash_clmul.cp37-win32.pyd
Filesize
10KB

MD5
73bcb61fc18d6a4c68016afbf255fca0

SHA1
637134bd66499bbbe2c3ccf1c09472724fc26025

SHA256
84e7bd1e774f29700660d549ad94bc595e54e3c8ccadfb56d45b979ea2ea64b0

SHA512
102aa167fa2516d8be7d854c18938d89fcdeb4e6c9d50000870afc2bba95da0be3019c63f66d7978c807f47d6ac69e3531e44feaa2df2aaacc0c414f3c25151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Hash\_ghash_portable.cp37-win32.pyd
Filesize
10KB

MD5
d5749ccbe0c908e263199bae6145d51c

SHA1
c6886f1e351ba06148c0d258c8f3de1639a9eb8f

SHA256
b6c7babf7aaabf9afcf76ba913b88adf5db61078bf3322eb3a86ded631d815ce

SHA512
ce01786f2a687b32bda9d652e6bdfd0b1b616715afc3bcd6dda8c60a8cfe0df0129deb7ff9361d67d2712e92618ca8a605704bd4cde163398c7e157ed2146595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Math\_modexp.cp37-win32.pyd
Filesize
26KB

MD5
2aa25cb1d7e7e44cc4f02b425ecdbd21

SHA1
949a5d0d9e8db141de43dd964260ede1aa306e57

SHA256
5f3f10b82274174f091c189cbd4705436d087c554977b2ec5f9a52fec45eb42e

SHA512
588338b6ea2fcf6306ab5666d07dd40afc25690c0127d15540d78c2fa3ac75fb6e79612c736b50d050390617ef7dc1d15030de78806c77169e4d5c8c4bf95e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Protocol\_scrypt.cp37-win32.pyd
Filesize
9KB

MD5
db0f490df35adc6814b9c19617ca79eb

SHA1
d285baf453a007e4d75df71c99db4b65bfb3b0a0

SHA256
da4dc7283ccbfe65be671d87ce00f8b37660b68aaf646f3fcd9d875fa9495449

SHA512
848189a0c5a068f4913f106c29d7edc63af8bdcaa83ea49a254d39643740b484312422c1b7295f4b796b80e5d3125c8947b84f1362f00b650f9eb7c02dbbfada

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Util\_cpuid_c.cp37-win32.pyd
Filesize
8KB

MD5
133032f7161e56cc3d2d245307ba777c

SHA1
f7b18a5b28d78cc9656b761209171b639a41b638

SHA256
4b7766d3bb0a1394980867d944784023cea8cc3039960f2365a9da8a75301855

SHA512
46051e41ebce67b9a7f35311bb373143e792518b11b2be8c2ea094af211de139b9a6e2321931af0e1d48f8b5bb73159ec0b620e75cf0d2202c2aeccd5ceaa779

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\Crypto\Util\_strxor.cp37-win32.pyd
Filesize
8KB

MD5
b3fee16dcf42227266d9eac062d77187

SHA1
2fdc95b1a597710b124caef40d3fe655883afa6f

SHA256
5613961c67fe9b1da5765ea09b61d2961f447f447172a42261901bdb89695d49

SHA512
c7262a23acf3bbac5de8f24a9e390f214b9794e0d07c26dea5a23b86a0ee736f52567594312c762609108ddc5af9d94410359f35f07f99ffce7bd2ed2f4b694b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\MSVCP140.dll
Filesize
432KB

MD5
54628f77144e17530a8b8882d1789c90

SHA1
6b63d1cb13524b664330574fd7911f1f25dfad16

SHA256
21ecd8652ef68418a68dab73d01c1eb8a8b1fa7f6001f1c688ad78da8f7463d5

SHA512
61e90e751912a84c258e0a5662226e38ddb1a9fc5060cb4b257d3ec7a47569af1a0e402e77b5c8a258554504f40c373a49718c2296cede7cda64bc26dc469730

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_bz2.pyd
Filesize
71KB

MD5
055cfc5297933c338d8c04fd4e2462a2

SHA1
bf8f97ee8136bfe3f93485e946f2069b7ce504e0

SHA256
befc81440bbc001bd7647aca42962ee0b45b08435ee9f7140bf570af636b7dd5

SHA512
308ebb33c47b73ecd9c4e4e54ffd09aae5a96019559ef7b2a37a45bd89c42d0d5bdd21da1835fffd84a138b03662c3d68bd72725a22f1b0ddf0329438819ead7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_ctypes.pyd
Filesize
105KB

MD5
06c45d47af92a68ea6da0cc861992034

SHA1
0e8814b489e2c50e4481b69d532ca51e53274747

SHA256
b016e7ce9744a0e8fea473f1982e5d2fc355a98682054f470f4189d5fc00b8bf

SHA512
397ae19e69bdfb8bb4ec8197e5ac718d409930c6ff9e6cff979cef665ffe19aa197cca9b5a03ce7d30529d27a489b15e2a813bce1428e8dec8eb63f2148408d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_lzma.pyd
Filesize
181KB

MD5
d72665ea18965f103200ccc7ad072f85

SHA1
2b89543cd8bd1aa20e0d3150a3c394b90be0d204

SHA256
ab20e63d14259a7deca85a068796476c0efcc236a11d53b1816fc6f8956424a8

SHA512
aad0bcbeabaa50b1fdba4cf70fe281f58b62a81b680cc16ef7f238263625fc7bed9ae9321a7bf7010fe7b5bb28708bdfaa0138c4f35a52be6aaba71d03aaa3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\base_library.zip
Filesize
766KB

MD5
9b8ed9c99a7534d4ea131c813e30a181

SHA1
3f72caf6214d9f7392b1e4ef816485c8f9164c63

SHA256
d3443c5733f6778287d6c66b5b2362219d86c79aadb0f6126e47b540f7e19b43

SHA512
731a148c2532dbe2276667bcefca6c0326731c62012416111771bff5e828822d91d6100f705ceff1023706006ba7400f0821ad4537a953c2d46a0aca1da69877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\python37.dll
Filesize
3.5MB

MD5
198dc945fa3a7215c2aa90bd296025b4

SHA1
ce991e920755d775d99ab91f40124f0aad92863d

SHA256
20cd780cf1e90778799e749812b00b1865938ef8990cd9bf2c1630787c6181c9

SHA512
a880aa55740e635e3fbd32b8128572b92f379913d405f3baf4e9ec67891ac3dd77dbed85074a958c89093ca378dac95733287a45ca89c75029a61ecde058c955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\pywintypes37.dll
Filesize
110KB

MD5
ffd5fac26740c3975af8112827d724c3

SHA1
58bddb3ecd15a04c2b402a7091d9d57325b073f7

SHA256
0315ee7826f735a72d2208b46f5cebb270e5f1fe3104a4b007aca5c813eef2a3

SHA512
2105388344c8d7b7b48130584186e585e718fe55fea627c4cd70eaf46d4e8acf4431f55bf6619f8708589d4d0ba7ecb1b1848ab763c553badaf33214c12ba73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\win32api.pyd
Filesize
101KB

MD5
86e4fe10195511f403a8c2de45bb8062

SHA1
79cd2cc3d5165078145106a284c11b4b85ccb037

SHA256
4c28231d0105af47e3d7c7241b5ec50fcbfb3e8b60d68a0dbe8180bd543b3856

SHA512
65a7949ec63d1e1d34093753f05341e51911b74c5c7d4554cf2ee8626333e6460af0b3a4f5780b7cb3c5e7ede1410f907f947542383d7660e0af6afab606928c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\win32event.pyd
Filesize
21KB

MD5
81c01660fcc6c9a4f26d24d817e5c82d

SHA1
84a00bac7de36da1156d4a2c1a24dc73630eb259

SHA256
fa88dd6a564c45605597425f5cd1379e28d2300d3d3d24aa72d823b37b1ec2a9

SHA512
d457141d2009ef0372ff63c010c0586508f581cc24ea2bb6522e53ac37d49b3f51ce28c4173fea1788fe0c33b45d796f52b9d7f975eeb62f91b765f20b130402

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\win32file.pyd
Filesize
121KB

MD5
5efdfb80e9022e95742aba4cfdc52653

SHA1
e6e27d80b107dda132024fcd471ace21871c6126

SHA256
2f2564199890176fad6cd5813f27bc83f0c9b22c44d2c81a7ff804262e2aa0bc

SHA512
c0dddb021c7efff88daf59d6e171b0508648b8d5c69eb02bab2dcc6e4561feb73a336a6557a967ef34a951007a569d80a2c25cda02887d81636f21cd38f3cfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\wx\_core.cp37-win32.pyd
Filesize
5.4MB

MD5
b4687275dd91489643e60d7941df5c72

SHA1
701d9fe7c9f6a6c9152be46c63e580b20ef8fe18

SHA256
950efad1855ba064e437cddc45f5f796cf81f763db71994222b88a9b1af8319d

SHA512
6cf79b9801bae6188e3f1c7c59741fcc6bd54a6c26e6b7c3704ac761811c523e92e4eb890e4e6ad999067da80b48a6a513df127e5185cd3bb62997b1b28dbda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\wx\siplib.cp37-win32.pyd
Filesize
89KB

MD5
1f647440c41e8b703af4ec392204dc5d

SHA1
7fd29ea233144ff44871bd4844a9762807f7405d

SHA256
6401fd5e9942c96168ab1325abf4083328101df50d297ab3c47011ac0ce732b9

SHA512
8923b875c8dd05bce1d83aba0c0f1f3b722b642cbf26727ae4cda59153a2e32f6b4c8be4851d25f0fc241f6e80392b8f74d6a784a26a791fa8d10efdf4ce6383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\wxbase30u_net_vc140.dll
Filesize
157KB

MD5
a914f4291959d8086cdb40c55427e63f

SHA1
5dbd02ed6fd6532ab55b8be5d2812758abed8721

SHA256
26f92eebe76c29e2a85761d5f952f7782a8f2c96db322ad99bb6b8abf1752e07

SHA512
9c37b652a96a26e4ba56386df949126a6def15d6d69a74b10bbda6b240f0d6bf77e72425f0cc413303015578133076d2621830d8e23fcc0f68482b732f9686b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\wxbase30u_vc140.dll
Filesize
2.0MB

MD5
61f8bb19072351c5754c208742669c16

SHA1
b7882966f6ca7f177f0fb64f535c51144be30fe5

SHA256
2c0a84ad2b12d0b49f270c77dc99b73acc1f7bc1e49c6f194e5f3f6db337d62c

SHA512
eed7a26f1041affb2c9e8c8580642c2687dbe01960a58f058c07693acd2db23683d7c5fa0a130e3ea94459d675701207e6adb532a5d061c338c87f24e6514839

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\wxmsw30u_core_vc140.dll
Filesize
4.8MB

MD5
5aed143ddd0208a4ec46834553810610

SHA1
a8a2df91b0177eb33b77469edaf06662409a565a

SHA256
5cf6dd97dba4aba69a7cbf94f4987962f8fb248f78fc48408bb2989d45061f9c

SHA512
21cb63969800d106f72c5cdb929361dc284b32637c60a7f302be1f847c272148a88c99a94ced4c8d15c52504526fda801fa1154ee82bc9abd16494b06089286d

Download Submit
memory/1676-97-0x0000000074C00000-0x000000007515F000-memory.dmp

Filesize
5.4MB

Download