Overview

overview

10

Static

static

1

de8fb6c7ed...f43.js

windows7-x64

8

de8fb6c7ed...f43.js

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2024 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de8fb6c7ed0b575a5e05b191643751c1d0c89c542a34c00cfcdaf99a6de98f43.js

  • Size

    63KB

  • MD5

    a0ca7b2e74a0a3cf5a8962c1325024ae

  • SHA1

    81a45727e33fe1a557069cd77c092b0d29f8aaff

  • SHA256

    de8fb6c7ed0b575a5e05b191643751c1d0c89c542a34c00cfcdaf99a6de98f43

  • SHA512

    4272161dc9ea7995eee14fe4ed76534e3ab959e8a60add820924414ce30e0ba655c9d3a5ffe32eab4d4c1012bf22e7a2549d2b59eb9025d81c5277076a23fa77

  • SSDEEP

    1536:DgzzUIs6n3rc/G/zCSYCXyN6IknpNcpRP6bM:DgzzUIg+LCSYCX2inpNcj64

Score
10/10
metastealerdiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz
Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • MetaStealer payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\de8fb6c7ed0b575a5e05b191643751c1d0c89c542a34c00cfcdaf99a6de98f43.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\setup.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3476
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C9C49F0820EDEE2D9AE3689B5C5BFB79
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ba3821bc-0d54-49e2-8a22-841c5632a80a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4800
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4404
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd028246f8,0x7ffd02824708,0x7ffd02824718
            5⤵
              PID:3956
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
              5⤵
                PID:3900
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3456
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
                5⤵
                  PID:1552
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                  5⤵
                    PID:2600
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                    5⤵
                      PID:4200
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
                      5⤵
                        PID:3844
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5184 /prefetch:6
                        5⤵
                          PID:4252
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
                          5⤵
                            PID:2612
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
                            5⤵
                              PID:4708
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
                              5⤵
                                PID:2844
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
                                5⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5260
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
                                5⤵
                                  PID:5412
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                                  5⤵
                                    PID:5420
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,2687842118017824150,16542635894297263759,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
                                    5⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4820
                              • C:\Users\Admin\AppData\Local\Temp\MW-ba3821bc-0d54-49e2-8a22-841c5632a80a\files\setup.exe
                                "C:\Users\Admin\AppData\Local\Temp\MW-ba3821bc-0d54-49e2-8a22-841c5632a80a\files\setup.exe" /VERYSILENT /VERYSILENT
                                3⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4264
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
                                  4⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2588
                                • C:\Windows\SysWOW64\systeminfo.exe
                                  systeminfo
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Gathers system information
                                  PID:5684
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"
                                  4⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2776
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Checks SCSI registry key(s)
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1652
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:5060
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2012

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                968cb9309758126772781b83adb8a28f

                                SHA1

                                8da30e71accf186b2ba11da1797cf67f8f78b47c

                                SHA256

                                92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                SHA512

                                4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                847d47008dbea51cb1732d54861ba9c9

                                SHA1

                                f2099242027dccb88d6f05760b57f7c89d926c0d

                                SHA256

                                10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

                                SHA512

                                bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                f9664c896e19205022c094d725f820b6

                                SHA1

                                f8f1baf648df755ba64b412d512446baf88c0184

                                SHA256

                                7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

                                SHA512

                                3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
                                Filesize

                                20KB

                                MD5

                                377619c6f3f086111fce3a6fca7f3aa6

                                SHA1

                                45359991d75df3b45aea5858b872d067ac0e920d

                                SHA256

                                ea69283cb8b7086040059c1ba322fd6faf2395eafcd8a8823d9552b54db8d93d

                                SHA512

                                a44ad7bd0ed8731c37c18462cf67cad4ceeb3a25e3c297cde9efb2ee551138b094becd1bb1711d4586b25abe9e9e1dca05fc530663d467c5f9cfe02697a88945

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                184B

                                MD5

                                0144f813407aa0fe300436850b359a93

                                SHA1

                                335b4016acb582f6110429d8742e639a007f61dc

                                SHA256

                                50d8020d11f3876e18a3fd05209f5962ed94f352efe00e30aa2e7ebc20424d9b

                                SHA512

                                de88771cc91785f7ae776a4e4bbdc2573d9ba209304577eff120521dcc806fdbf86bc33d66cef4c8ed8252e47a3abb65bb9813efe18085be74dce6fa4e7268bc

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                3a2f4acf657fba58d62ecb2d175a756a

                                SHA1

                                98a8c3c99e9042d5dd5c27c34ced93e35a8ef723

                                SHA256

                                2ec0a7192a870da5084b6e17284a45e18ca0b279c22c325bee97ba6bf55b5163

                                SHA512

                                48411c34abd80734e2b462b54b5859d4209c7cdfc5a6a5018fbe2485f80cd23e7178b1e2551be06bfbacfdd2e31aa2788c5590255eee946c859df6df54eff141

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                c45199efb1dc95192c1b4a8e6f6ae906

                                SHA1

                                2e7eb0222326e1b196a71d171d2a27f0178c778d

                                SHA256

                                2f0550f8ebdddad69bf179a08eea598921f83e112bbd288d6badd064635b14aa

                                SHA512

                                f2dbc6c44dd26628eac68a135b7b2f794e197b56667f8fc92082d85a0e266b451667e3a6f6fea988b00f46797816ec4c451e2c36c40d0edbde5b0b6e06b0e44d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                11KB

                                MD5

                                5b4c8a149f80cc875e9302c4c3f9f93c

                                SHA1

                                0a2c0ae462b7d8bbbcc895137814264c23721a96

                                SHA256

                                4b38d7715aa7c3271536409e067e840967f9e44ba6830e939dff7d1445e323e3

                                SHA512

                                d0d5dd392b3b6dd7e02daa402ab728da019eec71afb9c8ed3f9d974996f58e7e50d45f8c9d772c135e20c7fc693b287fc3ad443a1b3cb9307768fa9a29923eb2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                10KB

                                MD5

                                3b87bcfdae78af8c30b8c7662c4dcd28

                                SHA1

                                5733c219f04c72d6a65b33ffb6b8f6d9b5db1a40

                                SHA256

                                08f8bc086c0469b1584c26013a0eacf042e154a913d71222b489d30446aa4773

                                SHA512

                                c06855ed25ed6de0bc94c0acc35ec5921d2ce753561cd6ca5dd70b69c6306316bbf2f17513c93f1379a1afa4af041090aa7ee308dd8034faca458537c84bbbd2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                bd42375c6262d998c2eef47f7670da22

                                SHA1

                                c7717ca449fe9c3bcaaba04b094d8ef86abf78a5

                                SHA256

                                0af5824ab59652581ef24fb15353f52e4083273476ae546c881711cd97068c1c

                                SHA512

                                2ea022e9844d64462069724c87fb644e846bfe88cc66d0aa390d127b5aff92a3fddcc40b1409952da99ef2e1a9e413a42dade47d505dad221e5ea86910c00a85

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\MW-ba3821bc-0d54-49e2-8a22-841c5632a80a\files.cab
                                Filesize

                                1.7MB

                                MD5

                                645763c0faf86b715dee6d1e6d50fd82

                                SHA1

                                a6b466d5a71e3326d295ee7a2a2fc8c5bb79fd23

                                SHA256

                                12e6b630509b37f2948ffb0f5719dd00dd5934e19aa8d9301247025c1c6d7a43

                                SHA512

                                b98b9d1f43b8c011b54095756fb865b4781d1890b8842370ff26dcc992d8ac340ed97057011a165be9eea0620e68ca1d0960394ab51316f81721de5370ceb9d3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\MW-ba3821bc-0d54-49e2-8a22-841c5632a80a\msiwrapper.ini
                                Filesize

                                380B

                                MD5

                                365ccd6920162ee032eb0280daa12c79

                                SHA1

                                827ceedb15ab7e6119c3a377d028a3a5908e2fc2

                                SHA256

                                b7928547478745353d44deb73cea9706b5142bd718da1715e33d492ec4117876

                                SHA512

                                4354a78ed32f2855f271cd78978a76dcf63960828fc6d321399861d07913f0b13782774c220e7562e1d9da6db353d1fa166cea427a1077d25e97475b9d1fcb1c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\MW-ba3821bc-0d54-49e2-8a22-841c5632a80a\msiwrapper.ini
                                Filesize

                                1KB

                                MD5

                                f6d89337079d291250106a53bf57f167

                                SHA1

                                57414597a869ba0ed4668dda9f01e72fe5509084

                                SHA256

                                30a8acce5a94d595bd83b8ea4b65543360effd49985a0b718d93d467c9ce7db1

                                SHA512

                                9a5d3c0626f202b8b2dfb92293762cb34a1a3440d03c09aead8d929c0c975efc3a9b8ffa6223c80d05d490a45363d4ce23095be4dbeaea45db5f3be0c5799476

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jn1zez0k.e5q.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Local\setup.msi
                                Filesize

                                2.0MB

                                MD5

                                9bc2607944098921c27665592491abb8

                                SHA1

                                0721d8d7d6e667e291d71be03106c8087fa38d8f

                                SHA256

                                39619645275a452099434559fc0663b26d10516c25e7a8c57e1311cdc26c8c80

                                SHA512

                                36b7e281f96e71f401d2ab2ce80f808947889c18bd5585a3bf00db98c384d6c9da882db96d36b75eb2238b1edf8ea04323858758d7d721618d5f01252f465038

                                Download Submit

                              • C:\Windows\Installer\MSIE649.tmp
                                Filesize

                                208KB

                                MD5

                                0c8921bbcc37c6efd34faf44cf3b0cb5

                                SHA1

                                dcfa71246157edcd09eecaf9d4c5e360b24b3e49

                                SHA256

                                fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

                                SHA512

                                ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

                                Download Submit

                              • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                Filesize

                                23.7MB

                                MD5

                                00139a608577b2bac207c4dd141429c6

                                SHA1

                                cf08a3d81d09722102d6f6780db090ef4c8ff06e

                                SHA256

                                19e9f80f80e1b1647be3e96882dcc9cb3cb1ac1d2cb75973b1e4f28118b59f1b

                                SHA512

                                234e5d27bf2cb39bbffddd5b633cad5dd23e92e1fd39809cd042a33e08467cb569b6164a72be9ec5aa2e6cd7062172f5d2dabede5249f84ddc311190275dca4d

                                Download Submit

                              • \??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f9e44dd9-2475-48e8-bd09-fe036c42a964}_OnDiskSnapshotProp
                                Filesize

                                6KB

                                MD5

                                af8ce994b90489f20cd3acf139a56786

                                SHA1

                                f68ce53ce91a901d9047a0276e5af57d3a657c27

                                SHA256

                                0a56c70093e6a15ccddddf14f5448d6ec7e88d6d6b948f7f2bb46e3e83fd697a

                                SHA512

                                723bb137bcee3c74de2e04aab1bc4ba0e1c2fe0f801cbd1d62e42d589cb87a6bb47c3ecf066f484fc750dd5ec356523d70380bf17893fa8ae1b18ca5215a9d44

                                Download Submit

                              • memory/2588-213-0x00000000061B0000-0x00000000061FC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/2588-232-0x00000000076A0000-0x00000000076B1000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/2588-211-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/2588-212-0x0000000006170000-0x000000000618E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/2588-200-0x0000000005AC0000-0x0000000005B26000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/2588-216-0x000000006E7D0000-0x000000006E81C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/2588-215-0x0000000007320000-0x0000000007352000-memory.dmp

                                Filesize

                                200KB

                                Download

                              • memory/2588-227-0x0000000007380000-0x0000000007423000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/2588-226-0x0000000007360000-0x000000000737E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/2588-228-0x0000000007AE0000-0x000000000815A000-memory.dmp

                                Filesize

                                6.5MB

                                Download

                              • memory/2588-229-0x00000000074A0000-0x00000000074BA000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/2588-230-0x0000000007500000-0x000000000750A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/2588-231-0x0000000007730000-0x00000000077C6000-memory.dmp

                                Filesize

                                600KB

                                Download

                              • memory/2588-201-0x0000000005B30000-0x0000000005B96000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/2588-233-0x00000000076D0000-0x00000000076DE000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/2588-234-0x00000000076E0000-0x00000000076F4000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/2588-235-0x00000000077F0000-0x000000000780A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/2588-236-0x0000000007720000-0x0000000007728000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/2588-199-0x00000000052E0000-0x0000000005302000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/2588-198-0x0000000005420000-0x0000000005A48000-memory.dmp

                                Filesize

                                6.2MB

                                Download

                              • memory/2588-197-0x0000000002860000-0x0000000002896000-memory.dmp

                                Filesize

                                216KB

                                Download

                              • memory/2776-257-0x0000000006470000-0x00000000067C4000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/2776-259-0x00000000069D0000-0x0000000006A1C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/2776-260-0x000000006E6E0000-0x000000006E72C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/2776-270-0x0000000007A80000-0x0000000007B23000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/2776-271-0x0000000007DA0000-0x0000000007DB1000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/2776-272-0x0000000007DF0000-0x0000000007E04000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/4264-193-0x0000000010000000-0x000000001072E000-memory.dmp

                                Filesize

                                7.2MB

                                Download