gozi | d626dbd4711a19522a5695a113975dbed2ddaab79e402b548e004fd4706fb8c7

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2023 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a(1).msi
Size

1.9MB
MD5

40063b0d2cc2ad8d2a4f417437f00bd6
SHA1

cd9422f560eb663c44aae11ee04caf44d33f48ea
SHA256

9540647deb1906e0cd500b77f0632ffdac6d76f079ab32835cf5efa225e4e0ea
SHA512

138278449a7f0473131abc9b7d6880abe58bcc8ceef90282fa38397092e07914e282a31a47a00b6695548bf8ce4786dd60500225185129f281c1dbc9f9a09d6d
SSDEEP

49152:+pyP2OmJH6g7sJzM+C5JCNS5WPvwaq8G5tBKXUWcUAaypBG:BjJzMUp3GXgEWcpHG

Score

10^/10

gozi 1000 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Botnet

1000

https://bastarka.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 2 IoCs

Processes:

MSIFC6C.tmpMSIFD67.tmp

pid process

3116 MSIFC6C.tmp
2620 MSIFD67.tmp
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exerundll32.exe

pid process

4496 MsiExec.exe
4496 MsiExec.exe
4496 MsiExec.exe
4496 MsiExec.exe
4496 MsiExec.exe
2308 rundll32.exe

pid	process
3116	MSIFC6C.tmp
2620	MSIFD67.tmp

pid	process
4496	MsiExec.exe
4496	MsiExec.exe
4496	MsiExec.exe
4496	MsiExec.exe
4496	MsiExec.exe
2308	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230517160615.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\09dfef74-47af-4880-b142-24a912486196.tmp	setup.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIF6EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF797.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA87.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8B1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD67.tmp	msiexec.exe
File created	C:\Windows\Installer\e56f235.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56f235.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5EF.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC6C.tmp	msiexec.exe
File created	C:\Windows\Installer\e56f238.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a8dca56a4fb650f70000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a8dca56a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a8dca56a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msiexec.exeMSIFD67.tmpmsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3604	msiexec.exe
3604	msiexec.exe
2620	MSIFD67.tmp
2620	MSIFD67.tmp
2148	msedge.exe
2148	msedge.exe
1440	msedge.exe
1440	msedge.exe
5500	identity_helper.exe
5500	identity_helper.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe
5872	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe

pid	process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4228	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4228	msiexec.exe
Token: SeSecurityPrivilege	3604	msiexec.exe
Token: SeCreateTokenPrivilege	4228	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4228	msiexec.exe
Token: SeLockMemoryPrivilege	4228	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4228	msiexec.exe
Token: SeMachineAccountPrivilege	4228	msiexec.exe
Token: SeTcbPrivilege	4228	msiexec.exe
Token: SeSecurityPrivilege	4228	msiexec.exe
Token: SeTakeOwnershipPrivilege	4228	msiexec.exe
Token: SeLoadDriverPrivilege	4228	msiexec.exe
Token: SeSystemProfilePrivilege	4228	msiexec.exe
Token: SeSystemtimePrivilege	4228	msiexec.exe
Token: SeProfSingleProcessPrivilege	4228	msiexec.exe
Token: SeIncBasePriorityPrivilege	4228	msiexec.exe
Token: SeCreatePagefilePrivilege	4228	msiexec.exe
Token: SeCreatePermanentPrivilege	4228	msiexec.exe
Token: SeBackupPrivilege	4228	msiexec.exe
Token: SeRestorePrivilege	4228	msiexec.exe
Token: SeShutdownPrivilege	4228	msiexec.exe
Token: SeDebugPrivilege	4228	msiexec.exe
Token: SeAuditPrivilege	4228	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4228	msiexec.exe
Token: SeChangeNotifyPrivilege	4228	msiexec.exe
Token: SeRemoteShutdownPrivilege	4228	msiexec.exe
Token: SeUndockPrivilege	4228	msiexec.exe
Token: SeSyncAgentPrivilege	4228	msiexec.exe
Token: SeEnableDelegationPrivilege	4228	msiexec.exe
Token: SeManageVolumePrivilege	4228	msiexec.exe
Token: SeImpersonatePrivilege	4228	msiexec.exe
Token: SeCreateGlobalPrivilege	4228	msiexec.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeBackupPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe
Token: SeTakeOwnershipPrivilege	3604	msiexec.exe
Token: SeRestorePrivilege	3604	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exemsedge.exe

pid process

4228 msiexec.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe

pid	process
4228	msiexec.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exemsedge.exe

description	pid	process	target process
PID 3604 wrote to memory of 4988	3604	msiexec.exe	srtasks.exe
PID 3604 wrote to memory of 4988	3604	msiexec.exe	srtasks.exe
PID 3604 wrote to memory of 4496	3604	msiexec.exe	MsiExec.exe
PID 3604 wrote to memory of 4496	3604	msiexec.exe	MsiExec.exe
PID 3604 wrote to memory of 4496	3604	msiexec.exe	MsiExec.exe
PID 3604 wrote to memory of 3116	3604	msiexec.exe	MSIFC6C.tmp
PID 3604 wrote to memory of 3116	3604	msiexec.exe	MSIFC6C.tmp
PID 3604 wrote to memory of 3116	3604	msiexec.exe	MSIFC6C.tmp
PID 3604 wrote to memory of 2620	3604	msiexec.exe	MSIFD67.tmp
PID 3604 wrote to memory of 2620	3604	msiexec.exe	MSIFD67.tmp
PID 3604 wrote to memory of 2620	3604	msiexec.exe	MSIFD67.tmp
PID 1440 wrote to memory of 1568	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1568	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2212	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2148	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 2148	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 1452	1440	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a(1).msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4228

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4988

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 80D161FB8EFEECC1A49D3F2F4301A3FB
2⤵
- Loads dropped DLL
PID:4496

C:\Windows\Installer\MSIFC6C.tmp
"C:\Windows\Installer\MSIFC6C.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,ping
2⤵
- Executes dropped EXE
PID:3116

C:\Windows\Installer\MSIFD67.tmp
"C:\Windows\Installer\MSIFD67.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,ping
1⤵
- Loads dropped DLL
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb465646f8,0x7ffb46564708,0x7ffb46564718
2⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
2⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
2⤵
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5456 /prefetch:6
2⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
2⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
2⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff68fc25460,0x7ff68fc25470,0x7ff68fc25480
3⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
2⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3851515206725763150,7379609922713868119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3196 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
71e2dd98ef63bb7972bc33d1a65d217a

SHA1
530e34b047ed93deb7ca5f330077e1e8f0bde481

SHA256
01d718c897baab5a7be937988a35e577cf5aa99c84b6858e9caa67ee4d94d7b6

SHA512
fcd2a15f210c90d0bcc5c5edd10fe520c006b58e4e9e762959808365029a52cf73b2f6b5676ad2e3f1b401598a1529dab612d00cce50436fbf8f290792a569f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
be5fabff2fc1c49ba9d178f79c33e5f2

SHA1
2f7912a892c1813bcbc6117eac1d0d149324b50a

SHA256
aab07efc09bae4532c48722cb2d6445131d008b909db7a99d795e2af1a4a0abb

SHA512
7304093f7da1375bf06492a57e660872bdf29b1d274b43c44ae2b2053aa013512f9a7ca81d8673db4df8a93393fe6ffd1c2376962db7e4790d9f921369fd6340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5809ba91a7c6607c62b68048f1839005

SHA1
0f29b3e8e82310571bbe75783ba9c3519177e5d3

SHA256
8e0722cba404ce38ef4e08aaf8aef6a3cae0824016bb0936ea4f6d6674e2f629

SHA512
d0b738b157b9b2c5949cfb3ab01e66f5da27ee2d3c271668dd3da65b53648704032816a2014a7fd8e36715fae697ea9fb29c9ab4b0af7fb0b3491b77c91da410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cb0c907a9f02763e2df10f7dedbce050

SHA1
137f894841dc521c87efc70c71c3bf269a9f19a9

SHA256
f5c90a4eef6462d4dfc22e933d6cd9f0b73a7b60d72bb0c01cf4ba3e785103e8

SHA512
f5fdf1413dfebea7858ee03a9541861f8815cb065139deef4d80e4ef4d75770e9eece87c9d013d490cbde6ae4a13b70825f4c4ce218429a8d7ba0c0a7324da1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e61e596d-d9b0-4ce7-8ff4-96a8d07952fa.tmp
Filesize
24KB

MD5
69b72d0a4a2f9cbec95b3201ca02ae2f

SHA1
fcc44ae63c9b0280a10408551a41843f8de72b21

SHA256
996c85ab362c1d17a2a6992e03fdc8a0c0372f81f8fad93970823519973c7b9c

SHA512
08d70d28f1e8d9e539a2c0fbac667a8447ea85ea7b08679139abbbbb1b6250d944468b128ed6b386782f41ca03020e3a82491acb1fe101b09635d606b1a298be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
cc76de692f51310fd4fccf77641fe408

SHA1
1e6c749903c0c72c307210c219b53e47bdfdf98f

SHA256
bad5b21f1d2b2559966bc2e16c4431a2db8bcf0029e80c44c7ecead108dcb1a7

SHA512
7897a753ec8c8cc803e563bdd90ddf6c05ba52adc98723375cea1a73570efa2cb2506e6cefea46748adc280ea5662b7d4ea691db5b40c287dabf8cc544f3e915

Download Submit
C:\Users\Admin\AppData\Roaming\MSTX340\Information_psw.pdf
Filesize
397KB

MD5
9366b206f42efbcd96c6f3640f13413f

SHA1
cc6664614d1485c02f81d85e20dd1d014ca8aae4

SHA256
827c2ca7da49fe502e2ad68d9e302799fd7f61dd74e1564fef7957a37b909dbf

SHA512
299a3eb8ee7d9d992bf1c2b28c7372de60ff74cdb14675ab122399634adb9ff008dd7b2adc9988363234e228e192dad78d9ec83afaed4b23a9a6446035f1a416

Download Submit
C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll
Filesize
791KB

MD5
3943a85ba5405de2be7de7371fe5f555

SHA1
27f1352aa9d9162316b21449ffe8bcb461633196

SHA256
9d784a60e974f1f753016bf6dbd24abd655fba9568e99fbb797d49418de34dad

SHA512
7241d058e0c3e8dbc3fe2bdb8bd48b553acb0f008d2d2275a6ce761b396d87a0da473731c754dd566cba50759e95bbd4fa87018a9fabc59af858da0918b9a792

Download Submit
C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll
Filesize
791KB

MD5
3943a85ba5405de2be7de7371fe5f555

SHA1
27f1352aa9d9162316b21449ffe8bcb461633196

SHA256
9d784a60e974f1f753016bf6dbd24abd655fba9568e99fbb797d49418de34dad

SHA512
7241d058e0c3e8dbc3fe2bdb8bd48b553acb0f008d2d2275a6ce761b396d87a0da473731c754dd566cba50759e95bbd4fa87018a9fabc59af858da0918b9a792

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
605d4858312c699a155a541a13a375c7

SHA1
f55b371235cc87f1d1db1665de0f1a2f7e8eabd0

SHA256
29c1ba952b1348c5cf67cc3f2820a81a9dca3a03bc05fcd9ceed57459c54ca7a

SHA512
61d12b52dbfba01e69b567a5bb5b89c63dcdd2b65473aa6f9ffc9c87d89f0dba38c53cb2ea77c7bf650092879d26db8b6c7218e339de7ed406b503208ded7712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
7bde0bc2c2daf15836d2b526394c6930

SHA1
59fc9ef2f2f68bfce05fc90b414a2b160043f90c

SHA256
faad6af62de228102e4febba58e6c2e313b5e8f3cf763e14fee7a09c796329ee

SHA512
a00463896ae0a07072843fbf2bb893403723c5758ee9d8f6230b12799ede512975d280f543ce82665779274f696f5ad37a9abdc36df4e0157ff4e726dd02a9f1

Download Submit
C:\Windows\Installer\MSIF2F0.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF2F0.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF5EF.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF5EF.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF6EA.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF6EA.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF6EA.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF797.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF797.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF8B1.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIF8B1.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIFC6C.tmp
Filesize
414KB

MD5
0007940f5479831428131f029d3bd8f7

SHA1
8ded66acbd836388c1414512025bd9004c90903b

SHA256
340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320

SHA512
c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf

Download Submit
C:\Windows\Installer\MSIFD67.tmp
Filesize
414KB

MD5
0007940f5479831428131f029d3bd8f7

SHA1
8ded66acbd836388c1414512025bd9004c90903b

SHA256
340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320

SHA512
c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
11.8MB

MD5
ac0f37fb9ebc0a1650674e1ad3acd630

SHA1
ccea7981690acf31dade3d69c5c0939b66939ac5

SHA256
b5c4dc0ec65df3a5cc495ae323b96166a3b4aee3f5e3206d556294e8135ef706

SHA512
d4df11433179438d43de20d77fe53213c1aec54cc36e515461922a001728eef1dfa0c840f0ada6220d8403dee001600ea352adce9ccd18dd84d196e87fceec9e

Download Submit
\??\Volume{6aa5dca8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{95c72a2b-fe71-4337-abd6-f34dbed57735}_OnDiskSnapshotProp
Filesize
5KB

MD5
4c40e1b22f9da55aa79602e04e0d370a

SHA1
4f804ba6a24d05e2523a212b4cbf87b6c7411adf

SHA256
14a3713a479149da02760557031dee19d339351d99832976b361db5bfda3b73c

SHA512
86e86a089baddc73a64c677102c71b49cc4018adc123af3d186c8907eb653993bc591a47673f1a17ff7001ad0899afa59bc0a3ebe832f2add0600f8c74ef5551

Download Submit
\??\pipe\LOCAL\crashpad_1440_YCHPFPZIGWITOHBY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2308-177-0x0000028BAE740000-0x0000028BAE744000-memory.dmp

Filesize
16KB

Download
memory/2308-178-0x0000000180000000-0x0000000180013000-memory.dmp

Filesize
76KB

Download