Analysis

  • max time kernel: 1706s
  • max time network: 1713s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/07/2024, 18:10

General

  • Target: Setup (1).msi
  • Size: 4.4MB
  • MD5: c4de73561e5d359aee3e8626434f95c7
  • SHA1: 1020b4a315ddc4dfd4132315a98b0a15212068ed
  • SHA256: 036a82bb69b5354a85df9eac8c66a44ae82294a1aea105e2e51da1a4a87cdb84
  • SHA512: 25f6186f44f19bbf7dbca2df6c29753ee80281080d7e032faeae9d2d60cbcd3bf1268dd8fb4bd882bc18ee8b7ef61446a68fc290f1dbab900c4df9e869372c61
  • SSDEEP: 98304:eVHYDgBzP/in0iuWhi+l4OLGIHi6h9iM:+ZzPqn0iZiuHfiM

Score: 8/10

Malware Config

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (14 IoCs)
  • Loads dropped DLL (17 IoCs)
  • Browser Information Discovery (1 TTP)
    Enumerates browser information.
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Uses the powershell.exe command.
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (27 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Setup (1).msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID: 3316
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID: 1028
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 8922498AECA8DAA2DD3BDE101B93846C C
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID: 2816
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        PID: 3744
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 6EC1E98E48512F604CFE20213856CA38
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID: 3856
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssCEEC.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCED9.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCEDA.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCEDB.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
            3⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID: 2280
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://start.artificusbrowser.com/notification/?verify=110mrdd1721931110
                4⤵
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID: 1736
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b04f46f8,0x7ff9b04f4708,0x7ff9b04f4718
                    5⤵
                    PID: 4572
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
                    5⤵
                    PID: 4960
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID: 2432
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
                    5⤵
                    PID: 776
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
                    5⤵
                    PID: 2560
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
                    5⤵
                    PID: 4968
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
                    5⤵
                    PID: 1784
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID: 5152
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
                    5⤵
                    PID: 5172
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                    5⤵
                    PID: 5180
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
                    5⤵
                    PID: 5656
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
                    5⤵
                    PID: 5664
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2388 /prefetch:2
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID: 5132
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 79EE20BDEE88F384C7D81FCF08C9B70E E Global\MSI0000
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID: 1732
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID: 1504
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID: 404
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID: 2344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57c95c.rbs
    Filesize: 218KB
    MD5: 4a736dbe4cc7112d137046d7f24a7ba2
    SHA1: 03ae91084cced76794730a6fe948e4d08196dac6
    SHA256: a733ebb63a1a10731db3b1addb72fcc0509ab134502498fcdf3df8d4836d4b3e
    SHA512: 4971ae76108060ed45b36433b45d74f9c232d37b0d195c27009568b39d24cc24a8a4099248421ba8366e45cfe85382557b2e9a04411ab0ec381f0e879db9ad94

  • C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.ini
    Filesize: 538B
    MD5: 6acdc8d4706a9477b8beed782370a6e4
    SHA1: 25bb511813901d4f08abdc643cec6906988b6ce4
    SHA256: bfd7b7399cd2b7995995214e85130b94f5fe704efdf9e7c6aeb67c709d1da04a
    SHA512: a28e304ddbb4ae24c88117f5240e6a694e1a605a0ed1f2b02ed451b37b1625904ac1890e6f64698ef9029b3201d12ef043249524d75f9d579ee19f9f69b8e231

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
    Filesize: 1KB
    MD5: c75b3e144031a2892308be13711c75fb
    SHA1: 80e2f4741a798b7af6fe19b9d94a473439c4bcd7
    SHA256: c3a2829e6eb9d93f2f474e38574c8e435730049cee2cfc51d973015671036a29
    SHA512: e26eb3a5526d1816f800b4333de4ae601224e5f148c94e542a6158322392faa41defc4ffa3fb00aa9ef6f847775d8b2c6f3481761de6ec6fa61f5a299a2bf295

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_A9CA4191D05D34A8E11E01F09820AAAF
    Filesize: 1KB
    MD5: 143568624d585b98c72fae5f5281e8db
    SHA1: 7f86a14d1372925918fc0d2e953e9600ebb3e1b5
    SHA256: d7796537314e9f3c50b7e7cf3dbdb9e57f0f6b8a900860faf655f5cdd8fe91f4
    SHA512: cc4ac22c2e6c6c4fc66c9bf805cc0a1e3e3fda8f57dc6e6415626e2b3e8e2ad38cfa57dc11467b6cbe85d46c963a414289c4474d2e34ca52a90ec701b276ced9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
    Filesize: 532B
    MD5: 837de91f56b9c25142c04c199fffbafb
    SHA1: 6f9d83badf512e0d053a726498e0ae6f00d750cd
    SHA256: bcb9c8accbe514369c80228cc076e91cc9f92a3a43ed41f215948f60280f3abb
    SHA512: fafeebc63bfe5a2129547436016b1090267921845b30ba6b6cbe08ba92207c53b655e0bc00a34434831da1faafda62367e2de477d2ebfe8f8f4ab1f311466500

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_A9CA4191D05D34A8E11E01F09820AAAF
    Filesize: 540B
    MD5: bf45c5bcd2253d1067645f2adac6d0cb
    SHA1: 43d21ce6cac554a5e3307b1e188ef7acc53f51a9
    SHA256: 3d1f6ffa319e7f22fd7354dec2f46eebba047099545b988dfeac632ceef7d57c
    SHA512: 3cf53950f9f4c3bcc32764e41488b598c1193547c13c50f05e7f659b70f86d071d0601f3bdeb335d5a8f815a5de92ad972a1922d5fc5dc2416f97576b9a2ee6e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 1790c766c15938258a4f9b984cf68312
    SHA1: 15c9827d278d28b23a8ea0389d42fa87e404359f
    SHA256: 2e3978bb58c701f3c6b05de9349b7334a194591bec7bcf73f53527dc0991dc63
    SHA512: 2682d9c60c9d67608cf140b6ca4958d890bcbc3c8a8e95fcc639d2a11bb0ec348ca55ae99a5840e1f50e5c5bcf3e27c97fc877582d869d98cc4ea3448315aafb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 8dc45b70cbe29a357e2c376a0c2b751b
    SHA1: 25d623cea817f86b8427db53b82340410c1489b2
    SHA256: 511cfb6bedbad2530b5cc5538b6ec2184fc4f85947ba4c8166d0bb9f5fe2703a
    SHA512: 3ce0f52675feb16d6e62aae1c50767da178b93bdae28bacf6df3a2f72b8cc75b09c5092d9065e0872e5d09fd9ffe0c6931d6ae1943ddb1927b85d60659ef866e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 120B
    MD5: 952ad1581f3d95e1f53cc04e1c349100
    SHA1: 478566b12258b8f80ae035a27603f738650322f0
    SHA256: 7c49ef562b589946beb2496a17396a3ecdf7885cc6dd7852d9b918dfe662c5b1
    SHA512: 0b7d8e78ca78c5dfd8dbfc9a6c19e81f75f310f8e7d1bac137c77ed39543b724d2e429bf7d7b20fb6b2be3b8f35d2e2f3bd6c4047d86d09562d610bc56204ce0

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 716B
    MD5: d59b837a5da3965c80a5b617270ea482
    SHA1: d3af00359283e3d6a8f0c7f01ebc1197271bab17
    SHA256: 0f478e5123de4501150c358c7ba8dce8d17ac3d34c5a8616c81a969b7b7f9489
    SHA512: 3c661471f807eed2b952c218959f0fe58abe3e1b91a11c051e70ab564b3b794af2ff5f0cc3d1d7695a40406a2ef42ceedbdd0c7134ed6ccab78221e52c90d9e7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 525baf3927274f64cdcec1f8048f9809
    SHA1: 2cc3fb15b81eeb69f48ecfcd7a434ddc88732975
    SHA256: 028a89d0d0c51d64696a6f31d818e983426f67dd474d132c16d756e0a02fb2ea
    SHA512: 17abd483c15957d548a33e440aa9084ff06b4254c998f651521d3e3fd233d5b477be3736e43b1da1bc10df90b83efc61a39156cd5077f547969c61aea48eb86d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: fb3118559ae742a9a2cbcc273fc09eb7
    SHA1: 04ab7e09c11dac0a8d2bdd556410b03c97d61f8d
    SHA256: 9fa6adcb4844328d99efd562985b27f70e7a3800d67c01f6b8134cec96877a91
    SHA512: 95c7d0a42de3ba53f4a46d3be4ca117d9888e73a779d99cf3e1443cbfe17cba6d75899b618ce1fd6610de349995c0c66bf37084d046999c2474f16cccc4ce6b0

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: cb465de4d08e87215feac0a73fba7af2
    SHA1: 05365cca100d0a790c0d074305364a1c9e3056ba
    SHA256: 8a371c5b3070fbee279e583745808fbb8dbab006a73c62ce23ab31614535702c
    SHA512: 0a6c01473f1532abcaeaf9e54249a5954247a9cfd270ad0832b1c22f76215996c269f6acd01e0699583b5f6990774e76d2d2b027703b6e33d03e67fe8b6c4ae5

  • C:\Users\Admin\AppData\Local\Temp\MSI830B.tmp
    Filesize: 819KB
    MD5: 3604517a3e6e69ba339239cf82fc94a5
    SHA1: c4757e31f9c8a90ee5de233792da71c8915050c5
    SHA256: bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2
    SHA512: c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619

  • C:\Users\Admin\AppData\Local\Temp\MSI88ED.tmp
    Filesize: 1.1MB
    MD5: cc048c7aadc4adf3a29d429f1f5eead0
    SHA1: 6b4d89df901427fe955be2d58ad91a6de30be9d6
    SHA256: d23c6ac751423ff6961694437e67d7b608102bd351e3e0cd10d34d026a1a08ca
    SHA512: 0e67c0a4db70e19ead49f6c0fd41045f3fd9ee688d75a6da2916e347b70783843fa0e3d6cfc2b0bcd5e16a6045ba27707dff655556ebc725c126082e45cee2fa

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqx0eziv.1hf.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\pssCEEC.ps1
    Filesize: 35KB
    MD5: ffb79f02b7a4c6ff5b9869fce3c1285b
    SHA1: 79c88af7d57430b8afcfaeeee452b9f93a004bc7
    SHA256: 3c98870e58cc784584fdf97f9a2c7e0ee311f10287873ccc46046c7b691e38b7
    SHA512: 6ff0768db251959f380feb03d0bc003d34982d9de76c76f89fdecb3c9fe18e95316fbdd77366043f0e7f57233e89267d56b9bc618d7f5c35f248cbcc71d7216d

  • C:\Users\Admin\AppData\Local\Temp\scrCEDA.ps1
    Filesize: 35KB
    MD5: 03d2b8bd9a2217a0a4ffd5a2acae8741
    SHA1: f6f439e2036eb740d8cc1b4bd96b4a4df80a2339
    SHA256: c847aa04bed0e2f97634215f7d8bebac5e51f6227cfd9655a3743a7dc1d8607d
    SHA512: 265f730f9a524eef0f99613da3376e49ce428cb5369a5517e0594d9f73ea7d5d0f05c2ffded9a3614cb2148c09c9f530e60c4e70cbf480635ff4bdbc372b8eb3

  • C:\Windows\Installer\MSICC3E.tmp
    Filesize: 215KB
    MD5: 32fbe2ada353606f81f50faaf2e9f4ed
    SHA1: bd696491057c8bee9979bd29e1ab9694eb5630b0
    SHA256: 18eaa658aa74d95a46b37a55a09ca64fcec3fd924787c7e1e32bdde14de556e5
    SHA512: 89b757348d844423b2287e9cb543f30d935637e3ba4f3a07bd8b6bed9dd9161efbcd1a8f4f62182980ee80737853ae3bb30d0ec630073f829403fcdf659a5227

  • C:\Windows\Installer\MSICD0A.tmp
    Filesize: 758KB
    MD5: 419cea1c6064e430860508e269f0cd2f
    SHA1: 921841797df087a1adc93877467e30e00c7d1d7e
    SHA256: 10575139bca9cb43ea44a9883308fdd83cebe6df59f68036337ab72530f0a8f4
    SHA512: c6597fff8febdc6aa26dc91147532af6892a49e789903fcfed57fe8131a43bbfaa59b93035a4b2bbfd580fcf098ddd478e2110890381269556f387c689fb3c35

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: 7ed77d25fe9d7e22c22c8e2cd5cdabe6
    SHA1: 7df4f8aff6f253401fd809010e052d2a7701cb16
    SHA256: 5bdb7253cff7a83bab0642c402374ae30091f961dba07063673cb25d13b3b90a
    SHA512: c925d99a6d4f7d56131824dc37ef6abdd9860b5a154295ba9f9a452e628832cfeb46747c4e6939ef72584e144b22e76f8cf8a58a533e8ed04be9e0fea1ffa405

  • \??\Volume{1d5b4de3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b9a079aa-ec18-4808-9f85-69464439db33}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 2c203073fee1ff08be3b106afbf5b5bf
    SHA1: aa4c386c78b49a2835887d62f065e0d562c6e3ce
    SHA256: 8e1d1231eff739d32b55fa296e2fcda2ceba822b6f256201e4fcc0898c46966b
    SHA512: b5323353563b4e43308b1d1dff3c9f125546495956574b71eab258a71ebd5b5f6ed678663a35660ace5f5cf3d953b033632cb804bd69d806d70c247b5631e60f

  • memory/2280-102-0x000001B96F5D0000-0x000001B96F5F2000-memory.dmp
    Filesize: 136KB

  • memory/2280-106-0x000001B9701A0000-0x000001B9706C8000-memory.dmp
    Filesize: 5.2MB

  • memory/2280-105-0x000001B96FAA0000-0x000001B96FC62000-memory.dmp
    Filesize: 1.8MB