Analysis

  • max time kernel
    267s
  • max time network
    290s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250211-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250211-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    17-02-2025 11:18

General

  • Target

    Videos/crypt154.exe

  • Size

    728KB

  • MD5

    ee91aeacff16d4ef5fe74b7252291665

  • SHA1

    88adb2573e183e44babf88005298cab9a9901d2d

  • SHA256

    ea585b7e84b67e8170b76f87115c0fc8423fe6d7184db32ba32b5bfc155e2b34

  • SHA512

    d12cf47211a38fe595d855fe336f30946a0a76a4a559e0430e212f68601cd28cab63ffd4acd04c76f4f83950ad2261efb49dff6a2b03fd2aaa4617bc49b1b8a4

  • SSDEEP

    12288:R/7tmBxTq87Rro7jx0/O2EbiJtzhCg3sph0lhSMXliuqJTJRg9J:RztmTqwRrSjx0/OpiDhdSh0lhSMXltqe

Malware Config

Extracted

Path

\Device\HarddiskVolume1\READ_NOTE.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">mgQbvPbsvhip0v+ymQN4Q+iHOpiN+PQ6qV8h6uMviECr/KzPighnoURdLJlhtQ0vO13xtNCcDz4zyO+3baDLmcA9JA4cyWtBKA/YsugtYsu4kvLmcgJJAuPQNYuVAr0UHxjY/QXiHV6fYDYXcGjUJMoRJeRkZcRBhBSynQX35kMS7TwuBsU8j2jJsT2/TAs68AOrufFol7iZ2yNrRMjc363XN4nDdvRfI7sn3HfHkdVfQyduVVC4QxhUlPub3eJHr3v6oRSYEifo/jpkGmL98dSgViBVtaXDWC1EPKRQyXtGNJgBV8l44/zL3mCMzQUHUlj5ZwbzWQz7kGSurtMRfQ==�</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. 
We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Renames multiple (939) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes system backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3304
      • C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe
        "C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Enumerates connected drives
        • Sets desktop wallpaper using registry
        • Drops file in Program Files directory
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1840
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              5⤵
              • Interacts with shadow copies
              PID:2060
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4340
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete backup -keepVersion:0 -quiet
              5⤵
              • Deletes system backups
              • Drops file in Windows directory
              PID:4840
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5076
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic.exe SHADOWCOPY /nointeractive"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1872
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4272
            • C:\Windows\system32\bcdedit.exe
              bcdedit.exe /set {default} recoverynabled No
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:1672
      • C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe
        \\?\C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe -network -skip_misc
        2⤵
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pause
          3⤵
            PID:744
        • C:\Windows\System32\NOTEPAD.EXE
          "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TraceInvoke.bat
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:464
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3528
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping <base64 payload>
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:4272
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:1248
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping <base64 payload>
          1⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:3872
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Program Files\Microsoft Office\root\Office16\Winword.exe
            "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\3005895718\payload.dat"
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            PID:3064

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

          Filesize

          316KB

          MD5

          6599833ed5e8149843b1b531cebf41b6

          SHA1

          ee14359c58c3c46522ac56de500298a46410d2cf

          SHA256

          ac62bdf2abb021a56ea710fa432fb5f844f8e4ae377188a38b75c2cdf442af92

          SHA512

          96cef98c30fad511951512f1dbd08888aadeaf23493ece27b5606f5c25740e0f9d920c791b4c9b09c144f4865d0ad4129b15bc6e67a1025aaa3d6a62ea3b66d8

        • \Device\HarddiskVolume1\READ_NOTE.html

          Filesize

          3KB

          MD5

          e52360fede65dd4b4426d6e65adab3a5

          SHA1

          8de2a549bf2d4abc4c9ba19f8465f5fdacc485d0

          SHA256

          c8bb62927fe52c7c20f85247a9a7359356c5ac370491e0a93756a63419662496

          SHA512

          6d2fa70c949bd6e5810587233d55cf2995f2524add2751e4fb4ff6d0c02c7a23aaf6922465d863a07c90650bcfea02642578d924197b01a344f61ed233881462
