Analysis
-
max time kernel
146s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
-
submitted
17-05-2023 16:05
-
Static task
static1
-
Behavioral task
behavioral1
-
Sample
a(1).msi
-
Resource
win7-20230220-en
General
-
Target
a(1).msi
-
Size
1.9MB
-
MD5
40063b0d2cc2ad8d2a4f417437f00bd6
-
SHA1
cd9422f560eb663c44aae11ee04caf44d33f48ea
-
SHA256
9540647deb1906e0cd500b77f0632ffdac6d76f079ab32835cf5efa225e4e0ea
-
SHA512
138278449a7f0473131abc9b7d6880abe58bcc8ceef90282fa38397092e07914e282a31a47a00b6695548bf8ce4786dd60500225185129f281c1dbc9f9a09d6d
-
SSDEEP
49152:+pyP2OmJH6g7sJzM+C5JCNS5WPvwaq8G5tBKXUWcUAaypBG:BjJzMUp3GXgEWcpHG
Malware Config
Extracted
gozi
1000
https://bastarka.top
-
host_keep_time
2
-
host_shift_time
1
-
idle_time
1
-
request_time
10
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
3116 MSIFC6C.tmp
2620 MSIFD67.tmp
-
Loads dropped DLL 6 IoCs
Processes:
pid process
4496 MsiExec.exe
4496 MsiExec.exe
4496 MsiExec.exe
4496 MsiExec.exe
4496 MsiExec.exe
2308 rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc process
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230517160615.pma setup.exe
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\09dfef74-47af-4880-b142-24a912486196.tmp setup.exe
-
Drops file in Windows directory 15 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\Installer\MSIF6EA.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIF797.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\SourceHash{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A} msiexec.exe
File opened for modification C:\Windows\Installer\MSIF2F0.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIFA87.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIF8B1.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIFD67.tmp msiexec.exe
File created C:\Windows\Installer\e56f235.msi msiexec.exe
File opened for modification C:\Windows\Installer\e56f235.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSIF5EF.tmp msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSIFC6C.tmp msiexec.exe
File created C:\Windows\Installer\e56f238.msi msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Modifies registry class 1 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
3604 msiexec.exe
3604 msiexec.exe
2620 MSIFD67.tmp
2620 MSIFD67.tmp
2148 msedge.exe
2148 msedge.exe
1440 msedge.exe
1440 msedge.exe
5500 identity_helper.exe
5500 identity_helper.exe
5872 msedge.exe
5872 msedge.exe
5872 msedge.exe
5872 msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid process
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 4228 msiexec.exe
Token: SeIncreaseQuotaPrivilege 4228 msiexec.exe
Token: SeSecurityPrivilege 3604 msiexec.exe
Token: SeCreateTokenPrivilege 4228 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 4228 msiexec.exe
Token: SeLockMemoryPrivilege 4228 msiexec.exe
Token: SeIncreaseQuotaPrivilege 4228 msiexec.exe
Token: SeMachineAccountPrivilege 4228 msiexec.exe
Token: SeTcbPrivilege 4228 msiexec.exe
Token: SeSecurityPrivilege 4228 msiexec.exe
Token: SeTakeOwnershipPrivilege 4228 msiexec.exe
Token: SeLoadDriverPrivilege 4228 msiexec.exe
Token: SeSystemProfilePrivilege 4228 msiexec.exe
Token: SeSystemtimePrivilege 4228 msiexec.exe
Token: SeProfSingleProcessPrivilege 4228 msiexec.exe
Token: SeIncBasePriorityPrivilege 4228 msiexec.exe
Token: SeCreatePagefilePrivilege 4228 msiexec.exe
Token: SeCreatePermanentPrivilege 4228 msiexec.exe
Token: SeBackupPrivilege 4228 msiexec.exe
Token: SeRestorePrivilege 4228 msiexec.exe
Token: SeShutdownPrivilege 4228 msiexec.exe
Token: SeDebugPrivilege 4228 msiexec.exe
Token: SeAuditPrivilege 4228 msiexec.exe
Token: SeSystemEnvironmentPrivilege 4228 msiexec.exe
Token: SeChangeNotifyPrivilege 4228 msiexec.exe
Token: SeRemoteShutdownPrivilege 4228 msiexec.exe
Token: SeUndockPrivilege 4228 msiexec.exe
Token: SeSyncAgentPrivilege 4228 msiexec.exe
Token: SeEnableDelegationPrivilege 4228 msiexec.exe
Token: SeManageVolumePrivilege 4228 msiexec.exe
Token: SeImpersonatePrivilege 4228 msiexec.exe
Token: SeCreateGlobalPrivilege 4228 msiexec.exe
Token: SeBackupPrivilege 1056 vssvc.exe
Token: SeRestorePrivilege 1056 vssvc.exe
Token: SeAuditPrivilege 1056 vssvc.exe
Token: SeBackupPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
Token: SeTakeOwnershipPrivilege 3604 msiexec.exe
Token: SeRestorePrivilege 3604 msiexec.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid process
4228 msiexec.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 3604 wrote to memory of 4988 3604 msiexec.exe srtasks.exe
PID 3604 wrote to memory of 4988 3604 msiexec.exe srtasks.exe
PID 3604 wrote to memory of 4496 3604 msiexec.exe MsiExec.exe
PID 3604 wrote to memory of 4496 3604 msiexec.exe MsiExec.exe
PID 3604 wrote to memory of 4496 3604 msiexec.exe MsiExec.exe
PID 3604 wrote to memory of 3116 3604 msiexec.exe MSIFC6C.tmp
PID 3604 wrote to memory of 3116 3604 msiexec.exe MSIFC6C.tmp
PID 3604 wrote to memory of 3116 3604 msiexec.exe MSIFC6C.tmp
PID 3604 wrote to memory of 2620 3604 msiexec.exe MSIFD67.tmp
PID 3604 wrote to memory of 2620 3604 msiexec.exe MSIFD67.tmp
PID 3604 wrote to memory of 2620 3604 msiexec.exe MSIFD67.tmp
PID 1440 wrote to memory of 1568 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1568 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2212 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2148 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 2148 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
PID 1440 wrote to memory of 1452 1440 msedge.exe msedge.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a(1).msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 80D161FB8EFEECC1A49D3F2F4301A3FB
  - Loads dropped DLL
-
  C:\Windows\Installer\MSIFC6C.tmp
  "C:\Windows\Installer\MSIFC6C.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,ping
  - Executes dropped EXE
-
  C:\Windows\Installer\MSIFD67.tmp
  "C:\Windows\Installer\MSIFD67.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,ping
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb465646f8,0x7ffb46564708,0x7ffb46564718
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5456 /prefetch:6
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  - Drops file in Program Files directory
-
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff68fc25460,0x7ff68fc25470,0x7ff68fc25480
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3196 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
462f3c1360a4b5e319363930bc4806f6
SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0
SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85
SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
d2642245b1e4572ba7d7cd13a0675bb8
SHA1
96456510884685146d3fa2e19202fd2035d64833
SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1
SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB
MD5
e5e3377341056643b0494b6842c0b544
SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB
MD5
71e2dd98ef63bb7972bc33d1a65d217a
SHA1
530e34b047ed93deb7ca5f330077e1e8f0bde481
SHA256
01d718c897baab5a7be937988a35e577cf5aa99c84b6858e9caa67ee4d94d7b6
SHA512
fcd2a15f210c90d0bcc5c5edd10fe520c006b58e4e9e762959808365029a52cf73b2f6b5676ad2e3f1b401598a1529dab612d00cce50436fbf8f290792a569f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B
MD5
285252a2f6327d41eab203dc2f402c67
SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB
MD5
be5fabff2fc1c49ba9d178f79c33e5f2
SHA1
2f7912a892c1813bcbc6117eac1d0d149324b50a
SHA256
aab07efc09bae4532c48722cb2d6445131d008b909db7a99d795e2af1a4a0abb
SHA512
7304093f7da1375bf06492a57e660872bdf29b1d274b43c44ae2b2053aa013512f9a7ca81d8673db4df8a93393fe6ffd1c2376962db7e4790d9f921369fd6340
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB
MD5
5809ba91a7c6607c62b68048f1839005
SHA1
0f29b3e8e82310571bbe75783ba9c3519177e5d3
SHA256
8e0722cba404ce38ef4e08aaf8aef6a3cae0824016bb0936ea4f6d6674e2f629
SHA512
d0b738b157b9b2c5949cfb3ab01e66f5da27ee2d3c271668dd3da65b53648704032816a2014a7fd8e36715fae697ea9fb29c9ab4b0af7fb0b3491b77c91da410
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB
MD5
cb0c907a9f02763e2df10f7dedbce050
SHA1
137f894841dc521c87efc70c71c3bf269a9f19a9
SHA256
f5c90a4eef6462d4dfc22e933d6cd9f0b73a7b60d72bb0c01cf4ba3e785103e8
SHA512
f5fdf1413dfebea7858ee03a9541861f8815cb065139deef4d80e4ef4d75770e9eece87c9d013d490cbde6ae4a13b70825f4c4ce218429a8d7ba0c0a7324da1c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB
MD5
130644a5f79b27202a13879460f2c31a
SHA1
29e213847a017531e849139c7449bce6b39cb2fa
SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1
SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e61e596d-d9b0-4ce7-8ff4-96a8d07952fa.tmp
Filesize
24KB
MD5
69b72d0a4a2f9cbec95b3201ca02ae2f
SHA1
fcc44ae63c9b0280a10408551a41843f8de72b21
SHA256
996c85ab362c1d17a2a6992e03fdc8a0c0372f81f8fad93970823519973c7b9c
SHA512
08d70d28f1e8d9e539a2c0fbac667a8447ea85ea7b08679139abbbbb1b6250d944468b128ed6b386782f41ca03020e3a82491acb1fe101b09635d606b1a298be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize
41B
MD5
5af87dfd673ba2115e2fcf5cfdb727ab
SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB
MD5
cc76de692f51310fd4fccf77641fe408
SHA1
1e6c749903c0c72c307210c219b53e47bdfdf98f
SHA256
bad5b21f1d2b2559966bc2e16c4431a2db8bcf0029e80c44c7ecead108dcb1a7
SHA512
7897a753ec8c8cc803e563bdd90ddf6c05ba52adc98723375cea1a73570efa2cb2506e6cefea46748adc280ea5662b7d4ea691db5b40c287dabf8cc544f3e915
-
C:\Users\Admin\AppData\Roaming\MSTX340\Information_psw.pdf
Filesize
397KB
MD5
9366b206f42efbcd96c6f3640f13413f
SHA1
cc6664614d1485c02f81d85e20dd1d014ca8aae4
SHA256
827c2ca7da49fe502e2ad68d9e302799fd7f61dd74e1564fef7957a37b909dbf
SHA512
299a3eb8ee7d9d992bf1c2b28c7372de60ff74cdb14675ab122399634adb9ff008dd7b2adc9988363234e228e192dad78d9ec83afaed4b23a9a6446035f1a416
-
C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll
Filesize
791KB
MD5
3943a85ba5405de2be7de7371fe5f555
SHA1
27f1352aa9d9162316b21449ffe8bcb461633196
SHA256
9d784a60e974f1f753016bf6dbd24abd655fba9568e99fbb797d49418de34dad
SHA512
7241d058e0c3e8dbc3fe2bdb8bd48b553acb0f008d2d2275a6ce761b396d87a0da473731c754dd566cba50759e95bbd4fa87018a9fabc59af858da0918b9a792
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB
MD5
605d4858312c699a155a541a13a375c7
SHA1
f55b371235cc87f1d1db1665de0f1a2f7e8eabd0
SHA256
29c1ba952b1348c5cf67cc3f2820a81a9dca3a03bc05fcd9ceed57459c54ca7a
SHA512
61d12b52dbfba01e69b567a5bb5b89c63dcdd2b65473aa6f9ffc9c87d89f0dba38c53cb2ea77c7bf650092879d26db8b6c7218e339de7ed406b503208ded7712
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD57bde0bc2c2daf15836d2b526394c6930
SHA159fc9ef2f2f68bfce05fc90b414a2b160043f90c
SHA256faad6af62de228102e4febba58e6c2e313b5e8f3cf763e14fee7a09c796329ee
SHA512a00463896ae0a07072843fbf2bb893403723c5758ee9d8f6230b12799ede512975d280f543ce82665779274f696f5ad37a9abdc36df4e0157ff4e726dd02a9f1
-
C:\Windows\Installer\MSIF2F0.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF2F0.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF5EF.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF5EF.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF6EA.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF6EA.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF6EA.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF797.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF797.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF8B1.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF8B1.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIFC6C.tmpFilesize
414KB
MD50007940f5479831428131f029d3bd8f7
SHA18ded66acbd836388c1414512025bd9004c90903b
SHA256340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320
SHA512c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf
-
C:\Windows\Installer\MSIFD67.tmpFilesize
414KB
MD50007940f5479831428131f029d3bd8f7
SHA18ded66acbd836388c1414512025bd9004c90903b
SHA256340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320
SHA512c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
11.8MB
MD5ac0f37fb9ebc0a1650674e1ad3acd630
SHA1ccea7981690acf31dade3d69c5c0939b66939ac5
SHA256b5c4dc0ec65df3a5cc495ae323b96166a3b4aee3f5e3206d556294e8135ef706
SHA512d4df11433179438d43de20d77fe53213c1aec54cc36e515461922a001728eef1dfa0c840f0ada6220d8403dee001600ea352adce9ccd18dd84d196e87fceec9e
-
\??\Volume{6aa5dca8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{95c72a2b-fe71-4337-abd6-f34dbed57735}_OnDiskSnapshotPropFilesize
5KB
MD54c40e1b22f9da55aa79602e04e0d370a
SHA14f804ba6a24d05e2523a212b4cbf87b6c7411adf
SHA25614a3713a479149da02760557031dee19d339351d99832976b361db5bfda3b73c
SHA51286e86a089baddc73a64c677102c71b49cc4018adc123af3d186c8907eb653993bc591a47673f1a17ff7001ad0899afa59bc0a3ebe832f2add0600f8c74ef5551
-
\??\pipe\LOCAL\crashpad_1440_YCHPFPZIGWITOHBYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2308-177-0x0000028BAE740000-0x0000028BAE744000-memory.dmpFilesize
16KB
-
memory/2308-178-0x0000000180000000-0x0000000180013000-memory.dmpFilesize
76KB