Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

DocuSign.vhd

windows10-2004-x64

10

DocuSign.vhd

windows11-21h2-x64

7

1.Basic da...on.ps1

windows10-2004-x64

3

1.Basic da...on.ps1

windows11-21h2-x64

3

Analysis

  • max time kernel
    586s
  • max time network
    595s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/08/2024, 17:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DocuSign.vhd

  • Size

    270.0MB

  • MD5

    53ab0e1575f7785c7d4b774b3f70449b

  • SHA1

    43dff693fa84f727ed70eecdb019beb103d07a19

  • SHA256

    387e7dc9ff57715da374a9c768c67df9ce062d030f8417dbca0e7bb58d16f028

  • SHA512

    f13e93fa7b148c9122a93eb417621a252728d5aa2318db243ec04c552b7a5979a6a18f1b277d25823299b3211d6c083a793590551300069c7b2454f7490a9bca

  • SSDEEP

    3145728:nVlMuAqzL0BYuJ/i72qy+B1OJ3VAXpznEze5RM4vp2fpgoi:U1fKyZqyoMJwJc4B2fpG

Score
10/10
metastealercredential_accessdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz
Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • MetaStealer payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\DocuSign.vhd
    1⤵
    • Modifies registry class
    PID:3952
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3052
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:4148
      • \??\E:\DocuSign_01106524.pdf.exe
        "E:\DocuSign_01106524.pdf.exe"
        1⤵
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2876
        • \??\E:\App\PDFXEdit\PDFXEdit.exe
          "E:\App\PDFXEdit\PDFXEdit.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\Windows\SYSTEM32\msiexec.exe
            msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3388
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4800
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 221EAB8D1A0900FA706FF984173A6E44
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\ICACLS.EXE
            "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4036edb0-45ef-47aa-bfbc-6819cf6c9679\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
            3⤵
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            PID:4624
          • C:\Windows\SysWOW64\EXPAND.EXE
            "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
            3⤵
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:888
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1868
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
              4⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4876
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x94,0x11c,0x128,0x7ff9fb4d46f8,0x7ff9fb4d4708,0x7ff9fb4d4718
                5⤵
                  PID:4132
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
                  5⤵
                    PID:3960
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4808
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
                    5⤵
                      PID:2560
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                      5⤵
                        PID:1324
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
                        5⤵
                          PID:1260
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
                          5⤵
                            PID:3100
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4200 /prefetch:6
                            5⤵
                              PID:2864
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
                              5⤵
                                PID:5052
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
                                5⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3088
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
                                5⤵
                                  PID:2696
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
                                  5⤵
                                    PID:1712
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
                                    5⤵
                                      PID:3016
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
                                      5⤵
                                        PID:948
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,8225951112904243014,16255948877274705482,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3064 /prefetch:2
                                        5⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:2916
                                  • C:\Users\Admin\AppData\Local\Temp\MW-4036edb0-45ef-47aa-bfbc-6819cf6c9679\files\setup.exe
                                    "C:\Users\Admin\AppData\Local\Temp\MW-4036edb0-45ef-47aa-bfbc-6819cf6c9679\files\setup.exe" /VERYSILENT /VERYSILENT
                                    3⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1276
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
                                      4⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:916
                                    • C:\Windows\SysWOW64\systeminfo.exe
                                      systeminfo
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      • Gathers system information
                                      PID:2592
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"
                                      4⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4052
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1368
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3048

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                    Filesize

                                    2KB

                                    MD5

                                    968cb9309758126772781b83adb8a28f

                                    SHA1

                                    8da30e71accf186b2ba11da1797cf67f8f78b47c

                                    SHA256

                                    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                    SHA512

                                    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    e765f3d75e6b0e4a7119c8b14d47d8da

                                    SHA1

                                    cc9f7c7826c2e1a129e7d98884926076c3714fc0

                                    SHA256

                                    986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                                    SHA512

                                    a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    53bc70ecb115bdbabe67620c416fe9b3

                                    SHA1

                                    af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                                    SHA256

                                    b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                                    SHA512

                                    cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
                                    Filesize

                                    20KB

                                    MD5

                                    70d3c31b62ab04951bb7e500ca3e5ad0

                                    SHA1

                                    bf7f79d2d803d2abc75a960ce6135aa4d464639c

                                    SHA256

                                    b45abdf5ad72d29e812f5fc49d8834a1cfd94a98785ee3d194e95694dad04a2d

                                    SHA512

                                    a8d07439bac5b86c1c00cff8c74a653d9c803dc1d5a154b177239e78714390bd4cc32d467dbab23e3f5c3b75e0c0104df654ea209c1fc8de1172058223173053

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                    Filesize

                                    184B

                                    MD5

                                    0144f813407aa0fe300436850b359a93

                                    SHA1

                                    335b4016acb582f6110429d8742e639a007f61dc

                                    SHA256

                                    50d8020d11f3876e18a3fd05209f5962ed94f352efe00e30aa2e7ebc20424d9b

                                    SHA512

                                    de88771cc91785f7ae776a4e4bbdc2573d9ba209304577eff120521dcc806fdbf86bc33d66cef4c8ed8252e47a3abb65bb9813efe18085be74dce6fa4e7268bc

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    bb81bf5a16eaa7fb27f007fc3010be5a

                                    SHA1

                                    3e472449f5414442ff1641bede290d91e048f7c4

                                    SHA256

                                    9d68a9348063901d7b27b5bc9178484d28f477a6356fee5e3339343fc2fdabb4

                                    SHA512

                                    2a668c7da866e7268f29fb746d8329ffe254349a3b8ac1a369f600c32de6cb67fa534d7395df88e2d749a6b7ea8ecba715ca621fe20d4288886940366fc62b80

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    dea0cf6ce45a6b7a08607c4e62116939

                                    SHA1

                                    d3e4c4da929a460df1c405757ccb695bb2885a50

                                    SHA256

                                    c91567e50594a047ec337c496bb180dbce65e0f54b96b4b2d7d39bfec973938a

                                    SHA512

                                    5b9010274a86456ba58664b0523df7ace7683e5d2f82e1278d819360afd88a93098fd9e15a12270f0d285ecad0fa6e8f5e1d4f4a2360201c68d945b304da608a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    0ee352669bfc8c126017b431d05e0cbe

                                    SHA1

                                    965aaf44675f016d2c3baa561cb99bcae19243e3

                                    SHA256

                                    f303e402c93104892bc8489a10b443f8606cf680b44e56018f88b6ce55310c72

                                    SHA512

                                    b6598c284cefc9175754cfa46e197bad09ca65138b175df3bd4cafa2453fe77fd2dc9d17a454efe62e91de5b4e27513cdfafde81274e9bf2d3839345e8e304b4

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    10KB

                                    MD5

                                    3d8cb44d9db22348c7d90bc1062a2d2b

                                    SHA1

                                    23e45a4e0d8dc29a9761bc8eba8cf81fc9565bd1

                                    SHA256

                                    da475ef0a1cff1bf7feb97e89a32394a4f5778632e373284d32621bad7310fc1

                                    SHA512

                                    33440e4159428d6ba9fb9b5bf06be305ddce5bd4c2a789f2e255933b16b8ffe65cb00e3d62f80fb2661a9f342951c2a415c2f67a56512beeac8062b5a0aab1ad

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    04435e52afa7d8f4f3004c993c507dfb

                                    SHA1

                                    aa418772a64550afaf61e9e7a8c042ad81e38690

                                    SHA256

                                    ca6eb4d0f1fc2ab5fc5e6aa4cad916e3cc04edc5cb1300c64c3b8c2b0585686d

                                    SHA512

                                    9f9d82996198f33082c8bd4470577c6fe453f368f6e85b2ae6cb956370c922155685f1c8ea3f40a609fbc263281fe7ad98db3d6a4f309d41fe968ea66f0bc105

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    ef0ed8113704aeafc0ba5ead8451e050

                                    SHA1

                                    f5fcd3b378f0b2e417661f8da577d72e9ba5b93b

                                    SHA256

                                    06cd20332fa05d1a244d7d322c71170764b37af804fab61807c880b8352ec41b

                                    SHA512

                                    dd0f7e60ecd9842b35825c0153018b7152e7060cee0dad869c37009f1356fd85fa2aba9fcc5d4ae5c6362492b08bccfd5dd1934ac2c3932ac5032f313cc83c71

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    18KB

                                    MD5

                                    9d2b18307ca927c42a279d862b8310b2

                                    SHA1

                                    6668c48d28a33d994b24efb8b35dda769fc87d2a

                                    SHA256

                                    bb4cdb683e9d86216b0d776767c64797260e65b94cd1cf5e9dcbff4d8e34ba23

                                    SHA512

                                    9ec8afcc24537306e9bf45ee372dfee87e901cd27528dda852b7fe6ba687741b388fc293043bcf3fc221681809a924486eac872f78e409056ce7360a9dce8fbe

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi
                                    Filesize

                                    1.6MB

                                    MD5

                                    e4ac19312fa3761fccfef682e3c6a294

                                    SHA1

                                    cf0d6215439ed971a570fc591d1fa1873d5ffdd2

                                    SHA256

                                    43e898d536e59020c3f83ee2501871a8746eb63c1fbc6c68127a72557e1d724f

                                    SHA512

                                    a6ae363a7cd22d80ef21ec996e0597ce74651bc5d6ed4ea74c7d8f603792a083be3269e674e69d66877f33c1c31d40d8e0ab0c6fbee52e4f5ccddd72f7d479f3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\MW-4036edb0-45ef-47aa-bfbc-6819cf6c9679\files.cab
                                    Filesize

                                    1.3MB

                                    MD5

                                    6491f402f8c7e173e5c39e5aca1cae70

                                    SHA1

                                    69a9d086e45faa37f0cb530816c5d0dc9f41865c

                                    SHA256

                                    7c93971cdf5f474af0a3962eb994da97b7b2b7a9ff68ddfdc1f3cc7306711c82

                                    SHA512

                                    bab95427526601913327afe912758a3cb92592422b7ac6e3068bce16f3e991afafe3635bcf163437f8e16d3a71c8a6bd0b0a41c2c6a44d386117602255f36693

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\MW-4036edb0-45ef-47aa-bfbc-6819cf6c9679\msiwrapper.ini
                                    Filesize

                                    1KB

                                    MD5

                                    da5df255c5ffd1a3463f1b306e64e308

                                    SHA1

                                    7b996c8dd647ad9dc1dcc0d128b46f4cdf2e7170

                                    SHA256

                                    29a6cc7ba5f6e2183b94abb4f138a7747e0f76c1ffb35ae166f35701b75a6b7e

                                    SHA512

                                    d5ae1d582474f8d6431e3a96e19250726897ee33222d94038e91eb7a94d9a85b1278bd8180b16bdf22c61281a9581d6e80b925aac76e46cc8add8ea1b3c56b96

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j3sjonqv.rg0.ps1
                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsmC730.tmp\System.dll
                                    Filesize

                                    11KB

                                    MD5

                                    bf712f32249029466fa86756f5546950

                                    SHA1

                                    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

                                    SHA256

                                    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

                                    SHA512

                                    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsmC730.tmp\launcher.ini
                                    Filesize

                                    231B

                                    MD5

                                    51af01dcd135e3fd6ca517a2a0838018

                                    SHA1

                                    6809531ae339efe437f786ec06256b8fb6adff33

                                    SHA256

                                    1a642192722b70acb34945adc2f9779f37a49e4dde1e839861a9f74326028b39

                                    SHA512

                                    f9d9cfc4dbafa31d2b761e9b2604c5f7c77fea21a691f3cf4a5ab2dea8a968a540b027df57a8e28b8297b4de2e1d21ee08cf3086f5cc7bb9deac1711c5431ea5

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsmC730.tmp\newadvsplash.dll
                                    Filesize

                                    8KB

                                    MD5

                                    55a723e125afbc9b3a41d46f41749068

                                    SHA1

                                    01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

                                    SHA256

                                    0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

                                    SHA512

                                    559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

                                    Download Submit

                                  • C:\Windows\Installer\MSICE52.tmp
                                    Filesize

                                    208KB

                                    MD5

                                    0c8921bbcc37c6efd34faf44cf3b0cb5

                                    SHA1

                                    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

                                    SHA256

                                    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

                                    SHA512

                                    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

                                    Download Submit

                                  • \Device\HarddiskVolume5\Data\PortableApps.comLauncherRuntimeData-DocuSign_01106524.pdf.ini
                                    Filesize

                                    86B

                                    MD5

                                    2c1ff2dc3aaf63a29cfbbdf49accb922

                                    SHA1

                                    78ab4a90de383ba674ec8240906d8e7800962fac

                                    SHA256

                                    2d7e94efafdad166211644f201d17023a449bdc7bface1d3444c21ce8b3de5f2

                                    SHA512

                                    d46eaf39ff9478dd68d59d65f3875ba1a03b5b836733c2c70ccd67566cf37d4db137f6f995bfbdc7c6e3635221ffed1a2e7a643a836e41a5c1b27f1118d81711

                                    Download Submit

                                  • memory/916-237-0x0000000005C30000-0x0000000005F84000-memory.dmp

                                    Filesize

                                    3.3MB

                                    Download

                                  • memory/916-266-0x0000000007680000-0x000000000768E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/916-238-0x0000000006120000-0x000000000613E000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/916-239-0x0000000006160000-0x00000000061AC000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/916-248-0x0000000006700000-0x0000000006732000-memory.dmp

                                    Filesize

                                    200KB

                                    Download

                                  • memory/916-249-0x000000006F640000-0x000000006F68C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/916-259-0x0000000006740000-0x000000000675E000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/916-260-0x0000000007120000-0x00000000071C3000-memory.dmp

                                    Filesize

                                    652KB

                                    Download

                                  • memory/916-261-0x0000000007A90000-0x000000000810A000-memory.dmp

                                    Filesize

                                    6.5MB

                                    Download

                                  • memory/916-262-0x0000000007450000-0x000000000746A000-memory.dmp

                                    Filesize

                                    104KB

                                    Download

                                  • memory/916-263-0x00000000074B0000-0x00000000074BA000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/916-264-0x00000000076E0000-0x0000000007776000-memory.dmp

                                    Filesize

                                    600KB

                                    Download

                                  • memory/916-265-0x0000000007650000-0x0000000007661000-memory.dmp

                                    Filesize

                                    68KB

                                    Download

                                  • memory/916-227-0x0000000005A40000-0x0000000005AA6000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/916-267-0x0000000007690000-0x00000000076A4000-memory.dmp

                                    Filesize

                                    80KB

                                    Download

                                  • memory/916-268-0x00000000077A0000-0x00000000077BA000-memory.dmp

                                    Filesize

                                    104KB

                                    Download

                                  • memory/916-269-0x00000000076D0000-0x00000000076D8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/916-226-0x00000000059D0000-0x0000000005A36000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/916-225-0x00000000051F0000-0x0000000005212000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/916-223-0x0000000005330000-0x0000000005958000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/916-222-0x00000000027A0000-0x00000000027D6000-memory.dmp

                                    Filesize

                                    216KB

                                    Download

                                  • memory/1276-217-0x0000000010000000-0x000000001072E000-memory.dmp

                                    Filesize

                                    7.2MB

                                    Download

                                  • memory/4052-281-0x0000000005B90000-0x0000000005EE4000-memory.dmp

                                    Filesize

                                    3.3MB

                                    Download

                                  • memory/4052-292-0x0000000006380000-0x00000000063CC000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/4052-303-0x0000000007410000-0x00000000074B3000-memory.dmp

                                    Filesize

                                    652KB

                                    Download

                                  • memory/4052-293-0x0000000070610000-0x000000007065C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/4052-304-0x0000000007740000-0x0000000007751000-memory.dmp

                                    Filesize

                                    68KB

                                    Download

                                  • memory/4052-305-0x0000000007790000-0x00000000077A4000-memory.dmp

                                    Filesize

                                    80KB

                                    Download