Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-10-2024 02:14

General

  • Target

    bdd01ab5e2001be0ccda94e6f70c2ac850a8652b1eba734f285f24dd0f810255.msi

  • Size

    1.9MB

  • MD5

    d76a468a9012e63f24b706c3517c877e

  • SHA1

    1aa6752889be7d67dd3f152980ea04c063e04ad0

  • SHA256

    bdd01ab5e2001be0ccda94e6f70c2ac850a8652b1eba734f285f24dd0f810255

  • SHA512

    940c067eaab6df5d2e238fe9ef9a2e7f5566254912011468e81a21a27e2958785a0787de2f114a4e6333bdd1ed96704fa6ef5397048e3085f32ee454ee4768bf

  • SSDEEP

    24576:Mt9cpVDhquBEEaNhnJztj98fF+SJaplcQA5LpzRtV:rpRhqREaNv0foSJYA5LpzLV

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443
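The extracted configuration gives the DGA's parameters (seed 21845, 16-character labels, 10,000 domains, port 443) but not the generator itself, so the page does not support regenerating the full domain set. What a defender can do with it is match resolver logs against the 20 listed domains and, as a hunting heuristic, flag lookups with the same shape. The following Python script is an added example, not part of the report or of the sandbox's own tooling: it scans constructed DNS log lines (the line format and client addresses are made up for the example) for the listed C2 domains and for 16-letter .xyz labels drawn only from the letters a c e g i k m o q s u w y. That alphabet is an observation about the 20 listed domains, not a property taken from the malware, so treat a shape match as a lead to investigate: a legitimate 16-letter .xyz domain would also trigger it, and unseen DGA output might not.

```python
import re

# The 20 C2 domains listed in the report's extracted configuration.
KNOWN_C2 = {
    "kiyaqoimsiieeyqa.xyz", "ssqsmisuowqcwsqo.xyz", "ykqmwgsuummieaug.xyz",
    "ewukeskgqswqesiw.xyz", "cscqcsgewmwwaaui.xyz", "cyoksykiamiscyia.xyz",
    "okgomokemoucqeso.xyz", "ikwacuakiqeimwua.xyz", "aawcsqqaywckiwmi.xyz",
    "aiqasksgmyeqocei.xyz", "qgumcuisgaeyuqqe.xyz", "eiesoycamyqqgcea.xyz",
    "ywceswakicsqomqw.xyz", "auaieuewouawygku.xyz", "cmiascusccywowcs.xyz",
    "uiqkkomkaceqacec.xyz", "quqeciymqmkqccqw.xyz", "ssqsauuuyyigouou.xyz",
    "aogaakukuugqswcy.xyz", "ucgwcwsuqsuwewgc.xyz",
}
DOMAIN_LENGTH = 16      # domain_length from the extracted config
DGA_TLD = "xyz"         # every listed domain uses this TLD
# Observation about the 20 listed labels only, not the generator's alphabet.
DGA_ALPHABET = frozenset("acegikmoqsuwy")

# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>".
# The fourth query is a made-up label with the observed shape; the last is a
# 16-letter .xyz label outside the observed alphabet.
SAMPLE_LOG = """\
2024-10-25T02:15:01Z 10.0.0.5 A www.docusign.com
2024-10-25T02:15:03Z 10.0.0.5 A kiyaqoimsiieeyqa.xyz.
2024-10-25T02:15:04Z 10.0.0.5 A ucgwcwsuqsuwewgc.xyz
2024-10-25T02:15:05Z 10.0.0.5 A ymqaokcgiwuseaqc.xyz
2024-10-25T02:15:06Z 10.0.0.7 A update.microsoft.com
2024-10-25T02:15:07Z 10.0.0.7 A abcdefghijklmnop.xyz
"""


def classify(qname: str) -> str:
    """known_c2 for a listed domain, dga_shape for the observed label shape, else benign."""
    q = qname.rstrip(".").lower()          # tolerate a trailing root dot
    if q in KNOWN_C2:
        return "known_c2"
    label, _, tld = q.rpartition(".")
    if (tld == DGA_TLD and len(label) == DOMAIN_LENGTH
            and "." not in label and set(label) <= DGA_ALPHABET):
        return "dga_shape"
    return "benign"


LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def scan_dns_log(lines):
    """Return one hit per non-benign query, preserving log order."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # skip malformed lines rather than fail
        ts, client, _qtype, qname = m.groups()
        verdict = classify(qname)
        if verdict != "benign":
            hits.append({"ts": ts, "client": client,
                         "qname": qname.rstrip("."), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Because the C2 port is 443, the DNS query (or the TLS SNI) is usually the only clear-text indicator of a beacon, so run the scan over resolver logs for the window around the MSI execution and pivot on the client address of any known_c2 hit.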

Signatures

  • Meta Stealer

    Meta Stealer is an information stealer written in C++ that steals passwords stored in browsers.

  • MetaStealer payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bdd01ab5e2001be0ccda94e6f70c2ac850a8652b1eba734f285f24dd0f810255.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:644
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3348
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3304
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 942949F346DAA803FD328C389DBD1DAD
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a65eccea-de40-4704-9fe7-050000dce36b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1184
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1384
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:520
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xe4,0x128,0x7ffd8c3b46f8,0x7ffd8c3b4708,0x7ffd8c3b4718
            5⤵
            PID:2840
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
            5⤵
            PID:4488
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1544
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
            5⤵
            PID:1376
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
            5⤵
            PID:4644
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
            5⤵
            PID:2480
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
            5⤵
            PID:1812
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4620 /prefetch:6
            5⤵
            PID:1212
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
            5⤵
            PID:5260
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
            5⤵
            PID:5268
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
            5⤵
            PID:5448
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5640
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
            5⤵
            PID:5764
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
            5⤵
            PID:5772
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2911352824562794654,1198528664162102732,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5220 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1288
      • C:\Users\Admin\AppData\Local\Temp\MW-a65eccea-de40-4704-9fe7-050000dce36b\files\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-a65eccea-de40-4704-9fe7-050000dce36b\files\setup.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5004
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5152
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:4644
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5628
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1016
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2424
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1384
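The process tree shows the chain a detection should key on: MsiExec.exe (-Embedding) expands files.cab into %LOCALAPPDATA%\Temp\MW-<GUID>\files\ and runs setup.exe from there, which spawns powershell.exe to add a Defender exclusion and systeminfo.exe for host reconnaissance, while cmd.exe opens a DocuSign PDF in Edge as a decoy. The msiwrapper.ini file and the MW-<GUID> staging directory indicate an executable that was wrapped into an MSI. The Python script below is an added example, not part of the report or the sandbox's tooling: it applies three rules to constructed Sysmon-style process-creation records modelled on the tree (PIDs, the GUID and the -Embedding token are placeholders, and the last record is a benign control case). One detail worth the extra regex: the second PowerShell invocation writes the exclusion path as $env:LOCALAPPDATA rather than C:\Users\Admin\..., so a rule that matches only a literal profile path would miss it.

```python
import re

# Constructed Sysmon EID 1 style process-creation events modelled on the report's
# process tree. PIDs, the staging GUID and the -Embedding token are placeholders.
EVENTS = [
    {"pid": 100, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "parent_image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 00000000000000000000000000000000"},
    {"pid": 101,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MW-00000000-0000-0000-0000-000000000000\files\setup.exe",
     "parent_image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\MW-00000000-0000-0000-0000-000000000000\files\setup.exe" /VERYSILENT'},
    {"pid": 102, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\MW-00000000-0000-0000-0000-000000000000\files\setup.exe",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"'},
    {"pid": 103, "image": r"C:\Windows\SysWOW64\systeminfo.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\MW-00000000-0000-0000-0000-000000000000\files\setup.exe",
     "cmdline": "systeminfo"},
    # Benign control: an administrator adds an exclusion from an interactive shell.
    {"pid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "D:\Builds"'},
]

# Executable staged under %LOCALAPPDATA%\Temp\MW-<GUID>\files\ (MSI-wrapped EXE).
MW_STAGED_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\MW-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\files\\[^\\]+\.exe$",
    re.I)
# Any Add-MpPreference call that adds a path, extension or process exclusion.
ADD_EXCLUSION = re.compile(r"add-mppreference\b.*?-exclusion(?:path|extension|process)\b", re.I)
# Literal or environment-variable references to a user profile location.
USER_PROFILE_REF = re.compile(
    r"(\\Users\\|\$env:(?:LOCALAPPDATA|APPDATA|TEMP|USERPROFILE)\b"
    r"|%(?:LOCALAPPDATA|APPDATA|TEMP|USERPROFILE)%)", re.I)
# Directories an unprivileged user can write to and launch from.
USER_WRITABLE_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)


def detect(events):
    """Return one alert dict per matching rule; an event may raise several."""
    alerts = []
    for ev in events:
        image, parent, cmd = ev["image"], ev["parent_image"], ev["cmdline"]
        image_name = image.rsplit("\\", 1)[-1].lower()
        parent_name = parent.rsplit("\\", 1)[-1].lower()

        # Rule 1: Windows Installer launching an EXE from the MW-<GUID> staging dir.
        if parent_name == "msiexec.exe" and MW_STAGED_EXE.search(image):
            alerts.append({"pid": ev["pid"], "rule": "msi_wrapped_exe_from_temp",
                           "severity": "high"})

        # Rule 2: Defender exclusion added; high when the parent lives in a
        # user-writable directory or the excluded path points into a user profile.
        if image_name == "powershell.exe" and ADD_EXCLUSION.search(cmd):
            suspicious = USER_WRITABLE_DIR.search(parent) or USER_PROFILE_REF.search(cmd)
            alerts.append({"pid": ev["pid"], "rule": "defender_exclusion_added",
                           "severity": "high" if suspicious else "medium"})

        # Rule 3: host reconnaissance spawned by something running out of Temp.
        if image_name == "systeminfo.exe" and USER_WRITABLE_DIR.search(parent):
            alerts.append({"pid": ev["pid"], "rule": "host_recon_from_temp",
                           "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On a suspected host, confirm the exclusion with Get-MpPreference (ExclusionPath) and look for Microsoft-Windows-Windows Defender/Operational event 5007, which records configuration changes; remove the exclusion with Remove-MpPreference before re-scanning, otherwise the excluded systemtask.exe path stays invisible to Defender.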

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 968cb9309758126772781b83adb8a28f
    SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
    SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
    SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: c2d9eeb3fdd75834f0ac3f9767de8d6f
    SHA1: 4d16a7e82190f8490a00008bd53d85fb92e379b0
    SHA256: 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
    SHA512: d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: e55832d7cd7e868a2c087c4c73678018
    SHA1: ed7a2f6d6437e907218ffba9128802eaf414a0eb
    SHA256: a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
    SHA512: 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
    Filesize: 20KB
    MD5: 7639e0c3cdb419b21122c2d25c6c06e6
    SHA1: 5d92e564f9211d553701e1a826eb02bf43deb232
    SHA256: e52df34ed2a7d158c26d6dd4879b2c7f4c9a92be41f1d070876baaa25f5aaac2
    SHA512: 2a5aef917674ba3e22c607a6d475bb2dc820df533e32ca502cf778de7cadf2d5f9d0503e6809ab1150d5e44da792a9793a85d606f2b5e043e3d48d1e3ab77534
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 184B
    MD5: 0144f813407aa0fe300436850b359a93
    SHA1: 335b4016acb582f6110429d8742e639a007f61dc
    SHA256: 50d8020d11f3876e18a3fd05209f5962ed94f352efe00e30aa2e7ebc20424d9b
    SHA512: de88771cc91785f7ae776a4e4bbdc2573d9ba209304577eff120521dcc806fdbf86bc33d66cef4c8ed8252e47a3abb65bb9813efe18085be74dce6fa4e7268bc
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 19043cbdd467cae023377fb6a32ba4ba
    SHA1: c85436b564711797afc6a1d8e68668d969a80830
    SHA256: 720e561100ec092aef97f6927f1e63078b792df476c94a59dcb9198e4d314d89
    SHA512: 8d34f6dea175f8759b0a5c8b97c7baaaee737c400d7f9618fe3787ffc541d3a29b2b4e33e189fd1af408096847e56fff8e6e618b0c64f46e6f1dd506beb8fa52
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: df5dd4ee7c939ce2877625b5abcd5069
    SHA1: 05523636b79bd4f24ca1d773ddac9486698f6362
    SHA256: 230d9ef7a1d8de306cddc676afbef9531e0a678e04e9abe5435c2021343e59c0
    SHA512: acac5af616776cf15c05ddc0d006fe01bb94bf048180357d3da7b2d238e3915428b3d71d07792a32c1a058e7cac45549e5f275d3eb4ef3cd7656e63494f39e08
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 12KB
    MD5: 3adb926315e80de283f5837e18ec92ea
    SHA1: 99f038a272b1e28264cf159c985885443d6e2520
    SHA256: f788f1333abfc5d056e726133640ef0b724b30a7c933cd97722dc7c2b48a3c38
    SHA512: 5a0a9954edac2b454909fd08482226b5e9c6ed0d7d75bdf18bdcb76eae20513064a06bd11f321bfe4ef211adf8f8823202995ce5d3dc6f028c65af043c32b5bf
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 49e2a8ebbab27f9dbc6360224c87a6ed
    SHA1: e2a43a9763cf7f52af37121263a0479a54c25bfd
    SHA256: 3ec33352e9f04813021dffd0fbaf58dd77449a5bc697b15a09811c5e44b14ef6
    SHA512: f1762da29b993f9e7568659257aeb5ff60f5d1b8d049759d825ad5ce45f70a3ccbe9613fc19f91fff86e3fc09cd9499114bc1b9d68d06c95be2b2b109fcfe9ed
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 18KB
    MD5: f8d2459d6ede6671037c6b3502e639ec
    SHA1: 53ccaf88db0beec1ca0a00219b64f177003b7d76
    SHA256: 1fa33ceda5b9b6ae94a65bb3c259d232da9195760879b1e5f48e2f303ad2a29b
    SHA512: 96040e8d83e6ca94d408d93ed93ea872dab8f9c12c5db6b08d2ed3f31d539a63be6fe3ce1dd96aeba5e00e8a478749a6ff45287294a7e089db931deac7d16a0e
  • C:\Users\Admin\AppData\Local\Temp\MW-a65eccea-de40-4704-9fe7-050000dce36b\files.cab
    Filesize: 1.6MB
    MD5: cf6b311fd9c673b2d5bb6bc1c218db91
    SHA1: be082798ac5755fecc898dea57e4a88784b51e9c
    SHA256: 9959d65f822a4c092e085f31490e5ea2a6909ed92595fc19ee280ba8c0646092
    SHA512: e2298acf6046be3c9bd79667d3bd672b7134731b6ae5d2ed16b0278bef20720d67a99731f0b69d1f4dccc9d61b4aea726c7b6ab4d2429a0cedb1abd41535cd88
  • C:\Users\Admin\AppData\Local\Temp\MW-a65eccea-de40-4704-9fe7-050000dce36b\msiwrapper.ini
    Filesize: 380B
    MD5: e3c3333e6e673a3a6d61834093400787
    SHA1: 712e1740c94c36b6fe88bec66b4fc94899188309
    SHA256: 04860bbf479fb8fd6e7dbeb936cc985562ec16d2207c2601cd2270ca397b4614
    SHA512: c429dbb8ba738c5c883d282cbd5326aea4575b72b22d93ee6eafe2c8a6a90018a626ce836a78c3bd797caa0e499f39c93569f99d9878c5ecccbd4a08d0cec517
  • C:\Users\Admin\AppData\Local\Temp\MW-a65eccea-de40-4704-9fe7-050000dce36b\msiwrapper.ini
    Filesize: 1KB
    MD5: 96a6b229623647fcdc24222189202283
    SHA1: b4e3660c33c6ce5325836c5405df26fa7eae8773
    SHA256: b98631bb1a2af2d327da8cf5a8b8c0bc9875dce8811684bc67dee44cdb495a69
    SHA512: 2857c21694d6f606d743f2d3d4e9622fd026fe1e4d5372564eef9f397a7c09074a9bc005ec7e4286636ab04fd1a3a40a9d45083c5b59a9e0e95cc6b7e4ca6c0f
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfxllba5.edt.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Windows\Installer\MSIC6.tmp
    Filesize: 208KB
    MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
    SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
    SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
    SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 24.1MB
    MD5: 445a0d5832a012cbce5d998032d8e7c5
    SHA1: 712c404444225cd5c1a6c018579662af3c42ced2
    SHA256: 82a3fc712eadfc3e553c0d5344bce257d5bdc14cb421dcb95fac4cd5549c00f3
    SHA512: 074ae0994a5333f1e2f4d8be76f6ef1ab30caa0d7e732dc6419146087ef3da71b42bdb400e3753535855c1c6a72dc5a59848ca89f12b0d775f65bfb8724434c5
  • \??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{93126598-84d5-4c73-bbf9-24fa2b57d42c}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 5a281d3f543140868c579507b63eefb9
    SHA1: 11b303c26bf02ef2f4044b1e03775b00bb2d71e3
    SHA256: 56861b0e186a7188badebb656f4b28dad1d62e08d76217dccb7159c80ccf4165
    SHA512: 8c6e5e1f48407dc139677324a85ce47955a73afff527367cf7cfb67f45e9f4803630b0c9dae912bcf1eb63013ba2a5dc57661b48e60feb165dd2038bd02fb080
  • memory/5004-186-0x0000000010000000-0x000000001072E000-memory.dmp
    Filesize: 7.2MB
  • memory/5152-207-0x0000000006150000-0x000000000616E000-memory.dmp
    Filesize: 120KB
  • memory/5152-227-0x00000000076B0000-0x00000000076BE000-memory.dmp
    Filesize: 56KB
  • memory/5152-195-0x0000000005AF0000-0x0000000005B56000-memory.dmp
    Filesize: 408KB
  • memory/5152-208-0x0000000006190000-0x00000000061DC000-memory.dmp
    Filesize: 304KB
  • memory/5152-209-0x0000000006720000-0x0000000006752000-memory.dmp
    Filesize: 200KB
  • memory/5152-220-0x0000000006760000-0x000000000677E000-memory.dmp
    Filesize: 120KB
  • memory/5152-210-0x000000006E880000-0x000000006E8CC000-memory.dmp
    Filesize: 304KB
  • memory/5152-221-0x0000000007380000-0x0000000007423000-memory.dmp
    Filesize: 652KB
  • memory/5152-222-0x0000000007AE0000-0x000000000815A000-memory.dmp
    Filesize: 6.5MB
  • memory/5152-223-0x0000000007480000-0x000000000749A000-memory.dmp
    Filesize: 104KB
  • memory/5152-224-0x00000000074E0000-0x00000000074EA000-memory.dmp
    Filesize: 40KB
  • memory/5152-225-0x0000000007710000-0x00000000077A6000-memory.dmp
    Filesize:

                                600KB

                              • memory/5152-226-0x0000000007680000-0x0000000007691000-memory.dmp

                                Filesize

                                68KB

                              • memory/5152-205-0x0000000005B60000-0x0000000005EB4000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/5152-228-0x00000000076C0000-0x00000000076D4000-memory.dmp

                                Filesize

                                80KB

                              • memory/5152-229-0x00000000077D0000-0x00000000077EA000-memory.dmp

                                Filesize

                                104KB

                              • memory/5152-230-0x0000000007700000-0x0000000007708000-memory.dmp

                                Filesize

                                32KB

                              • memory/5152-194-0x0000000005A80000-0x0000000005AE6000-memory.dmp

                                Filesize

                                408KB

                              • memory/5152-193-0x00000000058E0000-0x0000000005902000-memory.dmp

                                Filesize

                                136KB

                              • memory/5152-192-0x0000000005270000-0x0000000005898000-memory.dmp

                                Filesize

                                6.2MB

                              • memory/5152-191-0x0000000002830000-0x0000000002866000-memory.dmp

                                Filesize

                                216KB

                              • memory/5628-251-0x0000000005B90000-0x0000000005EE4000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/5628-253-0x0000000006030000-0x000000000607C000-memory.dmp

                                Filesize

                                304KB

                              • memory/5628-254-0x000000006EF10000-0x000000006EF5C000-memory.dmp

                                Filesize

                                304KB

                              • memory/5628-264-0x0000000007190000-0x0000000007233000-memory.dmp

                                Filesize

                                652KB

                              • memory/5628-265-0x00000000074D0000-0x00000000074E1000-memory.dmp

                                Filesize

                                68KB

                              • memory/5628-266-0x0000000007520000-0x0000000007534000-memory.dmp

                                Filesize

                                80KB