Overview

overview

10

Static

static

1

setup.msi

windows7-x64

7

setup.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2024 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.msi

  • Size

    1.9MB

  • MD5

    d76a468a9012e63f24b706c3517c877e

  • SHA1

    1aa6752889be7d67dd3f152980ea04c063e04ad0

  • SHA256

    bdd01ab5e2001be0ccda94e6f70c2ac850a8652b1eba734f285f24dd0f810255

  • SHA512

    940c067eaab6df5d2e238fe9ef9a2e7f5566254912011468e81a21a27e2958785a0787de2f114a4e6333bdd1ed96704fa6ef5397048e3085f32ee454ee4768bf

  • SSDEEP

    24576:Mt9cpVDhquBEEaNhnJztj98fF+SJaplcQA5LpzRtV:rpRhqREaNv0foSJYA5LpzLV

Score
10/10
metastealerdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz
Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • MetaStealer payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3340
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4296
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding EC9CF0D559420A9D60A96CEA35EB2EFA
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-000632a4-9cda-4398-9213-491476d37054\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2728
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3576
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffd65eb46f8,0x7ffd65eb4708,0x7ffd65eb4718
            5⤵
              PID:2468
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
              5⤵
                PID:4844
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:464
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
                5⤵
                  PID:2044
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                  5⤵
                    PID:1224
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
                    5⤵
                      PID:1712
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
                      5⤵
                        PID:5040
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5052 /prefetch:6
                        5⤵
                          PID:5164
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
                          5⤵
                            PID:5232
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
                            5⤵
                              PID:5240
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
                              5⤵
                                PID:5348
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
                                5⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5624
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
                                5⤵
                                  PID:5768
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
                                  5⤵
                                    PID:5776
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,2178478810886236213,11471282682231949145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4188 /prefetch:2
                                    5⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3988
                              • C:\Users\Admin\AppData\Local\Temp\MW-000632a4-9cda-4398-9213-491476d37054\files\setup.exe
                                "C:\Users\Admin\AppData\Local\Temp\MW-000632a4-9cda-4398-9213-491476d37054\files\setup.exe" /VERYSILENT /VERYSILENT
                                3⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:232
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
                                  4⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:6052
                                • C:\Windows\SysWOW64\systeminfo.exe
                                  systeminfo
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  • Gathers system information
                                  PID:1972
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"
                                  4⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1784
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Checks SCSI registry key(s)
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3984
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1932
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3748

                              Network

                              MITRE ATT&CK Enterprise v15

                              Reconnaissance

                              Resource Development

                              Initial Access

                              Execution

                              Command and Scripting Interpreter

                              1
                              T1059

                              PowerShell

                              1
                              T1059.001

                              Persistence

                              Event Triggered Execution

                              1
                              T1546

                              Installer Packages

                              1
                              T1546.016

                              Privilege Escalation

                              Event Triggered Execution

                              1
                              T1546

                              Installer Packages

                              1
                              T1546.016

                              Defense Evasion

                              File and Directory Permissions Modification

                              1
                              T1222

                              System Binary Proxy Execution

                              1
                              T1218

                              Msiexec

                              1
                              T1218.007

                              Credential Access

                              Credentials from Password Stores

                              1
                              T1555

                              Credentials from Web Browsers

                              1
                              T1555.003

                              Unsecured Credentials

                              1
                              T1552

                              Credentials In Files

                              1
                              T1552.001

                              Discovery

                              Browser Information Discovery

                              1
                              T1217

                              Peripheral Device Discovery

                              2
                              T1120

                              Query Registry

                              4
                              T1012

                              System Information Discovery

                              6
                              T1082

                              System Location Discovery

                              1
                              T1614

                              System Language Discovery

                              1
                              T1614.001

                              Lateral Movement

                              Collection

                              Data from Local System

                              1
                              T1005

                              Command and Control

                              Exfiltration

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                968cb9309758126772781b83adb8a28f

                                SHA1

                                8da30e71accf186b2ba11da1797cf67f8f78b47c

                                SHA256

                                92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                SHA512

                                4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\720e8265-0906-4d89-be92-9c7ece03b96e.tmp
                                Filesize

                                11KB

                                MD5

                                f2324348ddbea9939a0372917bed2fe3

                                SHA1

                                95a541faa8c89022c0fe5747a746f9ee174017ff

                                SHA256

                                5da61e1be651c795527d0301450c3425bc10e789234fc71f564b8bdc201ef7a5

                                SHA512

                                295ce8fcdd0c8a8c8f1861337a0281374d8449200bd34327e95752c39be5e45ad4b2fcb7599b2d86d3d789c9f37af3c524cfda468411af6ecdf68c796424a64b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                d22073dea53e79d9b824f27ac5e9813e

                                SHA1

                                6d8a7281241248431a1571e6ddc55798b01fa961

                                SHA256

                                86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

                                SHA512

                                97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                bffcefacce25cd03f3d5c9446ddb903d

                                SHA1

                                8923f84aa86db316d2f5c122fe3874bbe26f3bab

                                SHA256

                                23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

                                SHA512

                                761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
                                Filesize

                                20KB

                                MD5

                                13bd1bd734b38c6607213cd2957d60f7

                                SHA1

                                e6552b1309acdda7a5c98348d8167c9e68f3991a

                                SHA256

                                7f16a4a93a3bac2f370acdfe36a2b88a2d42fd0838d23a79b87c9af65caadd93

                                SHA512

                                ab94718436c2e27fff6c24cc2bbcc24ba7f700cfb7b7fcf30c8ac911af425b5918504906b0b50d8417321da996932d61acd93331e5c060922f140395f2f20eac

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                111B

                                MD5

                                807419ca9a4734feaf8d8563a003b048

                                SHA1

                                a723c7d60a65886ffa068711f1e900ccc85922a6

                                SHA256

                                aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

                                SHA512

                                f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                184B

                                MD5

                                8beec069b3f56aadd5063695daad0b35

                                SHA1

                                47d62e84b7f3b29c94c8e4965e902d6c593229fe

                                SHA256

                                38923f4c5f21e9696d42bd4871ebce8eb78f6836d8fb187cf460bf83e169b879

                                SHA512

                                98f1edcb40be92ab7cf9eb14897b20aac2c894395a4a9a19d09c9403621be02f8f11ac302a41834602227d657dc6abdc013f952105bc5f2af6d340a7093f71cf

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                43dece9f914b9735451a111e7fdc36c7

                                SHA1

                                afee7728b37d14db88315404a06b476c8955ab90

                                SHA256

                                0b786568109ec405eb59047a04eba0cd57c3a35ad53f435af0b9b5a4ed96705a

                                SHA512

                                f8c858a338e9f5f11fdb5ca36429813a07d81d4ab0f28f27aeb7bb00c966dc939bec7622140efc50ebeb348f25615b0c753f759acbf0374126c58279ed5a698f

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                cd1ee45d87b48e21668ce33f2a52ba33

                                SHA1

                                07c69815595661a01bdebb49cbda105e9eea86f1

                                SHA256

                                e7265889e675cd0ab592d77c8e9d630faed4501adba2501cb65060822e547797

                                SHA512

                                5d8600cc05c4831538f07ea61f695e3212902e43b0067b50999009ca75c46ee514389ab4262ebb822aa72f4634978aad3d79f32eb5a4cbebfd164f24593f94e8

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                65df2572341a02836192b53504bba241

                                SHA1

                                6ae300fd449383a1cf23bda149ce25274d2b6503

                                SHA256

                                6f06fdd42914368091324b7224e54809bef58bf497641d3a68c3d229550b73f4

                                SHA512

                                0b8c79eae9bbb2bbc06bde182aae50d3688a0215c7cef117eb92d8e0c4d1f9a4dd4b67031387ac7dd0e07f66c4a7769947bb233b0278d33d9577209512d2c49e

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                12KB

                                MD5

                                4f2b9b85546ca8c2631c81f4384561a0

                                SHA1

                                8dc524903340190baae432f3d7faf75230b1e4d0

                                SHA256

                                cc11e4abf46863924ca31f96f4d7bbb2d84f4b27925d0cfce489b355c60c0ff2

                                SHA512

                                fbcca114a29564bbadc8bad8203d2dde1212d001db0698ae87bee7eeabd6900d1ee48cd255e646c1aac167709a67985e6b6bc75eee02d92ac883592b642263cb

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                18KB

                                MD5

                                f7b644ee9c8abfeed693759529a843d7

                                SHA1

                                fcc1d375b2e06cca5d26badd0c7fe1787ba21722

                                SHA256

                                89109aca0ee73d1686a749ac16cfba32e51b3f8f19b9d7bac40a43aab7fda201

                                SHA512

                                3a152a007de5902127fa331d7721f9253684962ee3b9d8de6d75173a3b4f4c53deb57db0cdd39ad4ebfddfc03e60726dd57665ef807a20759814a2da8720773c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\MW-000632a4-9cda-4398-9213-491476d37054\files.cab
                                Filesize

                                1.6MB

                                MD5

                                cf6b311fd9c673b2d5bb6bc1c218db91

                                SHA1

                                be082798ac5755fecc898dea57e4a88784b51e9c

                                SHA256

                                9959d65f822a4c092e085f31490e5ea2a6909ed92595fc19ee280ba8c0646092

                                SHA512

                                e2298acf6046be3c9bd79667d3bd672b7134731b6ae5d2ed16b0278bef20720d67a99731f0b69d1f4dccc9d61b4aea726c7b6ab4d2429a0cedb1abd41535cd88

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\MW-000632a4-9cda-4398-9213-491476d37054\msiwrapper.ini
                                Filesize

                                1KB

                                MD5

                                0e15aa54772cea3a81402396f5d2ff14

                                SHA1

                                87a23fe040a46e37551bf676a4d375c2d9883ac1

                                SHA256

                                e17d5dad5ec50338bb1261cfec8f5efe991c15e2b69072dd6eb888822ec8ef13

                                SHA512

                                9e710111575332d1e8e3570a3dda29e6eccc79eff04422c079544580626f1385aa5a9fae1fea38c2555b0547965303094f630111495da4695a5bb9239e0476e7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcaezydf.0bk.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Windows\Installer\MSIC208.tmp
                                Filesize

                                208KB

                                MD5

                                0c8921bbcc37c6efd34faf44cf3b0cb5

                                SHA1

                                dcfa71246157edcd09eecaf9d4c5e360b24b3e49

                                SHA256

                                fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

                                SHA512

                                ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

                                Download Submit

                              • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                Filesize

                                24.1MB

                                MD5

                                9f949c66984958e7b639942cb0772dde

                                SHA1

                                ce1f5ece977829bd0f5f0cd54873e1843c660131

                                SHA256

                                118a5d7c33c11271b99dc873fd1a01d1f39bff0d71e4661c1e74006bb36ef4e5

                                SHA512

                                bead46379fbb1947579940486281e709b60fb0fb20745d01ca924331c359d474dd95f1b6659c720ad04fef6e03a58228027b68dd582ff0919acd67080b671828

                                Download Submit

                              • \??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8daeec41-06a0-4b67-936c-d043b1fb3890}_OnDiskSnapshotProp
                                Filesize

                                6KB

                                MD5

                                73c29d0ff1c04e5a3095f9f3cbdf8274

                                SHA1

                                fa683e3a5a7eca8691e408b862c18053fc7b8686

                                SHA256

                                9c0813753214824e7110319d6438dfa5854b065527163633f44ae013a87bd4b1

                                SHA512

                                484fc8b73d8575569e12a4779d88fb876ec502b8b1dfe04d6013db9dfaa59f365b8ba21503b6bd2075e84d32a222f94f2e33eaab9c99899e2d14102251cc0405

                                Download Submit

                              • memory/232-192-0x0000000010000000-0x000000001072E000-memory.dmp

                                Filesize

                                7.2MB

                                Download

                              • memory/1784-272-0x0000000007B80000-0x0000000007B94000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/1784-259-0x00000000066A0000-0x00000000066EC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/1784-254-0x0000000006040000-0x0000000006394000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/1784-260-0x000000006E360000-0x000000006E3AC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/1784-270-0x0000000007800000-0x00000000078A3000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/1784-271-0x0000000007B30000-0x0000000007B41000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/6052-213-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/6052-227-0x0000000006C60000-0x0000000006D03000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/6052-228-0x0000000007400000-0x0000000007A7A000-memory.dmp

                                Filesize

                                6.5MB

                                Download

                              • memory/6052-229-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/6052-230-0x0000000006E20000-0x0000000006E2A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/6052-231-0x0000000007050000-0x00000000070E6000-memory.dmp

                                Filesize

                                600KB

                                Download

                              • memory/6052-232-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/6052-233-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/6052-234-0x0000000007000000-0x0000000007014000-memory.dmp

                                Filesize

                                80KB

                                Download

                              • memory/6052-235-0x0000000007110000-0x000000000712A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/6052-236-0x0000000007040000-0x0000000007048000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/6052-226-0x0000000006040000-0x000000000605E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/6052-216-0x000000006E5A0000-0x000000006E5EC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/6052-215-0x0000000006060000-0x0000000006092000-memory.dmp

                                Filesize

                                200KB

                                Download

                              • memory/6052-212-0x0000000005A80000-0x0000000005A9E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/6052-211-0x00000000055B0000-0x0000000005904000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/6052-206-0x0000000005420000-0x0000000005486000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/6052-200-0x00000000053B0000-0x0000000005416000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/6052-199-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/6052-198-0x0000000004D80000-0x00000000053A8000-memory.dmp

                                Filesize

                                6.2MB

                                Download

                              • memory/6052-197-0x00000000008E0000-0x0000000000916000-memory.dmp

                                Filesize

                                216KB

                                Download