Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2024 11:00

General

  • Target

    de8fb6c7ed0b575a5e05b191643751c1d0c89c542a34c00cfcdaf99a6de98f43.js

  • Size

    63KB

  • MD5

    a0ca7b2e74a0a3cf5a8962c1325024ae

  • SHA1

    81a45727e33fe1a557069cd77c092b0d29f8aaff

  • SHA256

    de8fb6c7ed0b575a5e05b191643751c1d0c89c542a34c00cfcdaf99a6de98f43

  • SHA512

    4272161dc9ea7995eee14fe4ed76534e3ab959e8a60add820924414ce30e0ba655c9d3a5ffe32eab4d4c1012bf22e7a2549d2b59eb9025d81c5277076a23fa77

  • SSDEEP

    1536:DgzzUIs6n3rc/G/zCSYCXyN6IknpNcpRP6bM:DgzzUIg+LCSYCX2inpNcj64

Malware Config

Extracted

Family

metastealer

C2


Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer is an infostealer written in C++ that steals passwords stored in browsers.

  • MetaStealer payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\de8fb6c7ed0b575a5e05b191643751c1d0c89c542a34c00cfcdaf99a6de98f43.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\setup.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2304
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C16BE993A330F3BE3200EB126FE02598
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-61914790-1c43-4be2-9cf5-0cb7f5e55ef8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:3504
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:5076
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffaf79846f8,0x7ffaf7984708,0x7ffaf7984718
            5⤵
            PID:3628
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
            5⤵
            PID:920
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1892
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
            5⤵
            PID:4056
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
            5⤵
            PID:4548
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
            5⤵
            PID:1908
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
            5⤵
            PID:4092
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5148 /prefetch:6
            5⤵
            PID:5088
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
            5⤵
            PID:640
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
            5⤵
            PID:2532
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
            5⤵
            PID:3644
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4892
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
            5⤵
            PID:5296
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
            5⤵
            PID:5304
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8324915172381414614,10913971146046758421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2652 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3944
      • C:\Users\Admin\AppData\Local\Temp\MW-61914790-1c43-4be2-9cf5-0cb7f5e55ef8\files\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-61914790-1c43-4be2-9cf5-0cb7f5e55ef8\files\setup.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3796
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1092
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:5684
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3512
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1544
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3156

Network

MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                Filesize

                                2KB

                                MD5

                                968cb9309758126772781b83adb8a28f

                                SHA1

                                8da30e71accf186b2ba11da1797cf67f8f78b47c

                                SHA256

                                92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                SHA512

                                4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                2783c40400a8912a79cfd383da731086

                                SHA1

                                001a131fe399c30973089e18358818090ca81789

                                SHA256

                                331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

                                SHA512

                                b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                ff63763eedb406987ced076e36ec9acf

                                SHA1

                                16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

                                SHA256

                                8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

                                SHA512

                                ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

                                Filesize

                                20KB

                                MD5

                                e0195cf58949faaf95d29491698250a9

                                SHA1

                                74f1c40416f71012c4394f820f44a4df5461dc11

                                SHA256

                                2d75c4694e8e8fb90b81b599e86450791a2d0ab91d3650d4c2c7949266913d98

                                SHA512

                                0b50d642726e148fe2221c21a07b95fde1f78eabe9a69c70cb34397209e4ab3e207cca30658a73117c4e3bbc46700a576ace28a2a7849bb05c6e44a290910fba

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                184B

                                MD5

                                0144f813407aa0fe300436850b359a93

                                SHA1

                                335b4016acb582f6110429d8742e639a007f61dc

                                SHA256

                                50d8020d11f3876e18a3fd05209f5962ed94f352efe00e30aa2e7ebc20424d9b

                                SHA512

                                de88771cc91785f7ae776a4e4bbdc2573d9ba209304577eff120521dcc806fdbf86bc33d66cef4c8ed8252e47a3abb65bb9813efe18085be74dce6fa4e7268bc

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                50603e6ca93a79bbac5f1542cd384b4b

                                SHA1

                                8bfc7abb5099071f20ac87ee40f252312421dd99

                                SHA256

                                76ddfe89983768658185b8607d98016e3c809bff5dd35f1e9bdb5834b8863b01

                                SHA512

                                360c03f3829f182350e2316f8b81eacb62e0a06eafc88b996ffd84a5a7d06a524cb0bf46135a56aa5977f43e96a1a5a6a421c779f5d0c9134ad1c67df6b3869a

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                c87a3e6758ba410bc60b88ecc97bcb37

                                SHA1

                                874d2dbb38bbf8c048bbcf8f081eb34a97ee31a4

                                SHA256

                                20028b4714e58ef0ec5a9f102a0e2da5b92bcfc7886756ed613225ac0dff922a

                                SHA512

                                3bed9b19c3bf9fdfbfc5a47f5c896ab59a7259669e0408d91c4cda23036a7162e6985fdccfa38d52cdcabdd3609d0dd87967887923446a7262246d42d434a6f6

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                b447ae147073c64be61c813484cb1d88

                                SHA1

                                eff4054b9d15e4811c0652023f844955763436a1

                                SHA256

                                fe4da70f8d6c5eee99a247e0f2e38229736b3f33117b723aadc217ecc9b0ee7a

                                SHA512

                                da9bb67967bbbb0b836bb4028130c8622f389f39e2f4363b6b5267a4413ea00e2e71eddbe6bacf3d4b481fa06fac23818765e3f1873781f236c79cee07d82979

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                10KB

                                MD5

                                04f19128c9e5e463d7f6a1d1c92dabad

                                SHA1

                                d8f191d6bb75de2465b548b5d571c5ec6e37a2bb

                                SHA256

                                7f738289b641364bc3670e40fb47ad34c2b03b674e8f8c325c64b38e753b350f

                                SHA512

                                daa2f3b28d9b444f855ccebbf4d08d7b844a94602fefc5f13055150bc9117dc13d1b760c4056f6fd4b4a35e55e646685c86d864030f18bdce12af9b7a4734a42

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                Filesize

                                18KB

                                MD5

                                2d21d51c685efc4a3bda81a8b91d132d

                                SHA1

                                3311db69c419080254937e9090033edfd291ae45

                                SHA256

                                00a8ce48ee55523053a26df25b96c4c12bca221684cc21242ff153ac88aee37e

                                SHA512

                                d366bbf9a6f23737639b91b2a5da6cb6d4fd4472e7973b1a1eb609439de152146ddb714024391ce8a96c641a6e41c93d5b0d12294f3dc71f210ae288c7c6e69f

                              • C:\Users\Admin\AppData\Local\Temp\MW-61914790-1c43-4be2-9cf5-0cb7f5e55ef8\files.cab

                                Filesize

                                1.7MB

                                MD5

                                645763c0faf86b715dee6d1e6d50fd82

                                SHA1

                                a6b466d5a71e3326d295ee7a2a2fc8c5bb79fd23

                                SHA256

                                12e6b630509b37f2948ffb0f5719dd00dd5934e19aa8d9301247025c1c6d7a43

                                SHA512

                                b98b9d1f43b8c011b54095756fb865b4781d1890b8842370ff26dcc992d8ac340ed97057011a165be9eea0620e68ca1d0960394ab51316f81721de5370ceb9d3

                              • C:\Users\Admin\AppData\Local\Temp\MW-61914790-1c43-4be2-9cf5-0cb7f5e55ef8\msiwrapper.ini

                                Filesize

                                1KB

                                MD5

                                a8b54b2b639c9ac8ed9cb6f2cff43ab0

                                SHA1

                                88816f660cedc955fbfab896faa69f2b64d23545

                                SHA256

                                607146d166ba43859baa368524b37048668e243fb418ccd0549bee118fb5f364

                                SHA512

                                9aae8544b8d2ec7c2c232edab7d389f63d18f0ca72378d85ec8cfbda99946cff992c586052577c4571ae4d5d367f4b16175ac9872539d6695fd6d4289e065156

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emznslnz.eyz.ps1

                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • C:\Users\Admin\AppData\Local\setup.msi

                                Filesize

                                2.0MB

                                MD5

                                9bc2607944098921c27665592491abb8

                                SHA1

                                0721d8d7d6e667e291d71be03106c8087fa38d8f

                                SHA256

                                39619645275a452099434559fc0663b26d10516c25e7a8c57e1311cdc26c8c80

                                SHA512

                                36b7e281f96e71f401d2ab2ce80f808947889c18bd5585a3bf00db98c384d6c9da882db96d36b75eb2238b1edf8ea04323858758d7d721618d5f01252f465038

                              • C:\Windows\Installer\MSID64B.tmp

                                Filesize

                                208KB

                                MD5

                                0c8921bbcc37c6efd34faf44cf3b0cb5

                                SHA1

                                dcfa71246157edcd09eecaf9d4c5e360b24b3e49

                                SHA256

                                fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

                                SHA512

                                ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

                              • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

                                Filesize

                                23.7MB

                                MD5

                                efba68e529f10c0012ad0cb1005f440f

                                SHA1

                                4e8393128d53c38151cb57da43920ad5018a9e21

                                SHA256

                                d6de52aa4aab24045a91be8400e9514dad01d19dd5c25534c04628a9ca26470e

                                SHA512

                                fd9ca19018ec2c88dcce98d16ea9d4c100cd42a0d978fe288d446e216a8188e0bc9417da02dbb3c2d26ab35ef019b668632e08983083cda86e8467ead36c0cdf

                              • \??\Volume{851c08bf-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{01b5b09c-444c-4d64-b996-38f85d1d6288}_OnDiskSnapshotProp

                                Filesize

                                6KB

                                MD5

                                686339d5136cf19a20b9e89baa821596

                                SHA1

                                3480e94961d870be5cc61eacdbc11efb94aec7c4

                                SHA256

                                d1911a59888580eeec74d48655b6c3eaf6c425903625896eb1009c17c5304b52

                                SHA512

                                485cd876795817e6434153e276e930f750abc05355d05a1e67862e8367d2a9a2c9dde764e8b9b4fb28855780189019dc048b929a5b4a4979048b0285423e0527

                              • memory/760-254-0x000000006E6A0000-0x000000006E6EC000-memory.dmp
                                Filesize: 304KB

                              • memory/760-242-0x0000000005AB0000-0x0000000005E04000-memory.dmp
                                Filesize: 3.3MB

                              • memory/760-253-0x00000000061E0000-0x000000000622C000-memory.dmp
                                Filesize: 304KB

                              • memory/760-264-0x0000000007370000-0x0000000007413000-memory.dmp
                                Filesize: 652KB

                              • memory/760-265-0x00000000076A0000-0x00000000076B1000-memory.dmp
                                Filesize: 68KB

                              • memory/1092-206-0x0000000006340000-0x000000000635E000-memory.dmp
                                Filesize: 120KB

                              • memory/1092-209-0x000000006E790000-0x000000006E7DC000-memory.dmp
                                Filesize: 304KB

                              • memory/1092-219-0x0000000006920000-0x000000000693E000-memory.dmp
                                Filesize: 120KB

                              • memory/1092-220-0x0000000007360000-0x0000000007403000-memory.dmp
                                Filesize: 652KB

                              • memory/1092-221-0x0000000007CB0000-0x000000000832A000-memory.dmp
                                Filesize: 6.5MB

                              • memory/1092-222-0x0000000007670000-0x000000000768A000-memory.dmp
                                Filesize: 104KB

                              • memory/1092-224-0x00000000076D0000-0x00000000076DA000-memory.dmp
                                Filesize: 40KB

                              • memory/1092-225-0x0000000007900000-0x0000000007996000-memory.dmp
                                Filesize: 600KB

                              • memory/1092-226-0x0000000007870000-0x0000000007881000-memory.dmp
                                Filesize: 68KB

                              • memory/1092-227-0x00000000078B0000-0x00000000078BE000-memory.dmp
                                Filesize: 56KB

                              • memory/1092-228-0x00000000078C0000-0x00000000078D4000-memory.dmp
                                Filesize: 80KB

                              • memory/1092-229-0x00000000079A0000-0x00000000079BA000-memory.dmp
                                Filesize: 104KB

                              • memory/1092-230-0x00000000078F0000-0x00000000078F8000-memory.dmp
                                Filesize: 32KB

                              • memory/1092-208-0x0000000007320000-0x0000000007352000-memory.dmp
                                Filesize: 200KB

                              • memory/1092-207-0x0000000006370000-0x00000000063BC000-memory.dmp
                                Filesize: 304KB

                              • memory/1092-205-0x0000000005E60000-0x00000000061B4000-memory.dmp
                                Filesize: 3.3MB

                              • memory/1092-194-0x0000000005BC0000-0x0000000005C26000-memory.dmp
                                Filesize: 408KB

                              • memory/1092-195-0x0000000005CE0000-0x0000000005D46000-memory.dmp
                                Filesize: 408KB

                              • memory/1092-193-0x00000000053A0000-0x00000000053C2000-memory.dmp
                                Filesize: 136KB

                              • memory/1092-192-0x0000000005590000-0x0000000005BB8000-memory.dmp
                                Filesize: 6.2MB

                              • memory/1092-191-0x0000000002A50000-0x0000000002A86000-memory.dmp
                                Filesize: 216KB

                              • memory/3796-187-0x0000000010000000-0x000000001072E000-memory.dmp
                                Filesize: 7.2MB