Analysis
-
max time kernel
146s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-05-2023 15:20
Static task
static1
Behavioral task
behavioral1
Sample
a(2).msi
Resource
win7-20230220-en
General
-
Target
a(2).msi
-
Size
1.8MB
-
MD5
7fc18c44f481a5941e2d068a2cdebe0e
-
SHA1
11b7d2d7451c80621f657662eb738966e2026098
-
SHA256
c9b591e9a5ccf5416b94aa3b4fac9bece16fb836d1ae4161dcdae295259e01aa
-
SHA512
798a262fc73b74ddf19a5d6510aa692c3c083d212e473c3b41148e2261064fafd2e74cb92001bf55e92c15141bda85ead5d79e9f93ddd16738dd073bc3eb37d7
-
SSDEEP
49152:vpyP2OmJH6g7sJzM+C5JCNS5WPvwaq7m6x:6jJzMUpc
Malware Config
Extracted
gozi
1000
https://bastarka.top
-
host_keep_time
2
-
host_shift_time
1
-
idle_time
1
-
request_time
10
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1944 MSIFB05.tmp
3560 MSIFBD1.tmp
-
Loads dropped DLL 6 IoCs
Processes:
pid process
3644 MsiExec.exe
3644 MsiExec.exe
3644 MsiExec.exe
3644 MsiExec.exe
3644 MsiExec.exe
3380 rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc process
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description ioc process
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5f05046e-daaa-42bb-9fb1-816b1c8329ce.tmp setup.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230518172132.pma setup.exe
-
Drops file in Windows directory 15 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\Installer\MSIF7F5.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIFA38.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIFBD1.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIF263.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIF62E.tmp msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\Installer\SourceHash{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A} msiexec.exe
File opened for modification C:\Windows\Installer\e56f1f6.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File created C:\Windows\Installer\e56f1f6.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIF6AC.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSIFB05.tmp msiexec.exe
File created C:\Windows\Installer\e56f1f9.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIF552.tmp msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided in the page) vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
-
Modifies registry class 1 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid process
1272 msiexec.exe
1272 msiexec.exe
3560 MSIFBD1.tmp
3560 MSIFBD1.tmp
2732 msedge.exe
2732 msedge.exe
4960 msedge.exe
4960 msedge.exe
5740 identity_helper.exe
5740 identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid process
4960 msedge.exe
4960 msedge.exe
4960 msedge.exe
4960 msedge.exe
4960 msedge.exe
4960 msedge.exe
4960 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 2232 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2232 msiexec.exe
Token: SeSecurityPrivilege 1272 msiexec.exe
Token: SeCreateTokenPrivilege 2232 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2232 msiexec.exe
Token: SeLockMemoryPrivilege 2232 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2232 msiexec.exe
Token: SeMachineAccountPrivilege 2232 msiexec.exe
Token: SeTcbPrivilege 2232 msiexec.exe
Token: SeSecurityPrivilege 2232 msiexec.exe
Token: SeTakeOwnershipPrivilege 2232 msiexec.exe
Token: SeLoadDriverPrivilege 2232 msiexec.exe
Token: SeSystemProfilePrivilege 2232 msiexec.exe
Token: SeSystemtimePrivilege 2232 msiexec.exe
Token: SeProfSingleProcessPrivilege 2232 msiexec.exe
Token: SeIncBasePriorityPrivilege 2232 msiexec.exe
Token: SeCreatePagefilePrivilege 2232 msiexec.exe
Token: SeCreatePermanentPrivilege 2232 msiexec.exe
Token: SeBackupPrivilege 2232 msiexec.exe
Token: SeRestorePrivilege 2232 msiexec.exe
Token: SeShutdownPrivilege 2232 msiexec.exe
Token: SeDebugPrivilege 2232 msiexec.exe
Token: SeAuditPrivilege 2232 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2232 msiexec.exe
Token: SeChangeNotifyPrivilege 2232 msiexec.exe
Token: SeRemoteShutdownPrivilege 2232 msiexec.exe
Token: SeUndockPrivilege 2232 msiexec.exe
Token: SeSyncAgentPrivilege 2232 msiexec.exe
Token: SeEnableDelegationPrivilege 2232 msiexec.exe
Token: SeManageVolumePrivilege 2232 msiexec.exe
Token: SeImpersonatePrivilege 2232 msiexec.exe
Token: SeCreateGlobalPrivilege 2232 msiexec.exe
Token: SeBackupPrivilege 4012 vssvc.exe
Token: SeRestorePrivilege 4012 vssvc.exe
Token: SeAuditPrivilege 4012 vssvc.exe
Token: SeBackupPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
Token: SeTakeOwnershipPrivilege 1272 msiexec.exe
Token: SeRestorePrivilege 1272 msiexec.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid process
2232 msiexec.exe
4960 msedge.exe
4960 msedge.exe
4960 msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 1272 wrote to memory of 2672 1272 msiexec.exe srtasks.exe
PID 1272 wrote to memory of 2672 1272 msiexec.exe srtasks.exe
PID 1272 wrote to memory of 3644 1272 msiexec.exe MsiExec.exe
PID 1272 wrote to memory of 3644 1272 msiexec.exe MsiExec.exe
PID 1272 wrote to memory of 3644 1272 msiexec.exe MsiExec.exe
PID 1272 wrote to memory of 1944 1272 msiexec.exe MSIFB05.tmp
PID 1272 wrote to memory of 1944 1272 msiexec.exe MSIFB05.tmp
PID 1272 wrote to memory of 1944 1272 msiexec.exe MSIFB05.tmp
PID 1272 wrote to memory of 3560 1272 msiexec.exe MSIFBD1.tmp
PID 1272 wrote to memory of 3560 1272 msiexec.exe MSIFBD1.tmp
PID 1272 wrote to memory of 3560 1272 msiexec.exe MSIFBD1.tmp
PID 4960 wrote to memory of 4456 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4456 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 4264 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 2732 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 2732 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
PID 4960 wrote to memory of 548 4960 msedge.exe msedge.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe (depth 1)
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a(2).msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (depth 1)
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exe (depth 2)
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
C:\Windows\syswow64\MsiExec.exe -Embedding 82064C8F1490BCBF30AB920C0924AF6C
- Loads dropped DLL
-
C:\Windows\Installer\MSIFB05.tmp (depth 2)
"C:\Windows\Installer\MSIFB05.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,ping
- Executes dropped EXE
-
C:\Windows\Installer\MSIFBD1.tmp (depth 2)
"C:\Windows\Installer\MSIFBD1.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exe (depth 1)
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,ping
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd441746f8,0x7ffd44174708,0x7ffd44174718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5412 /prefetch:6
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (depth 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6b1455460,0x7ff6b1455470,0x7ff6b1455480
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11724216514997699294,13643386021212881448,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762
SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759
SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81
SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B
MD5
1d40312629d09d2420e992fdb8a78c1c
SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540
SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac
SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB
MD5
e5e3377341056643b0494b6842c0b544
SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB
MD5
2485df7add5f1e027dd84cf567dac6f0
SHA1
1fe967a3a92118ad8d260dc876d054727b7a94f4
SHA256
fb0afaa391d0b99e307b02296d6943a343df665df7e2d5cb5c0e6df3d313666b
SHA512
b3628d63944636053931c134bc028bfc61249f41e848596efe0b27a654f46e130b12b81bd85e0768bca4f07d6f2d1550f2a29746aa8082b45364a1851b67d8b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B
MD5
285252a2f6327d41eab203dc2f402c67
SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB
MD5
d3c9b6ae2ee160f4b348f85bbe017832
SHA1
9ad74dcbc1d94d80497fa6731077f2840f7dfd92
SHA256
b21771567acc9467b940e2b0536ca73bb097e7e9cebef5dddf82a294fe2eaaba
SHA512
77fc639bbae80f5d7e3def34dbbd7b37d4de9aefaeb768fa41118072f75feed6ae20d750bb13bcbd6da57766e49a7663785f70598484de8f1f767b305159d8d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB
MD5
ca9752aef701bca476c066f568030262
SHA1
6813599f4f8fef7b2980c4672a7af7e2d35a02cb
SHA256
8e1ea7ba3c212df88c79d610e845df04f96c167dc1c80dc94341c8c4d8734118
SHA512
3333bc2f9abe33406d7c928720f0adc8d552b233c96161ecae9dd869944255ceee2ac219c205ba82cccc5065b4e2fba2a6a8e5864862a5aa4c8f2ae0f0344ee3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB
MD5
6f686339c0b8ec349097fc087bc36eaf
SHA1
a036b8fefe14a772577517e92ffea0c5ee57e0dd
SHA256
7edb4fad1e059f11611d9d69907d832e48a0ea7cc4cf9dedac9594505029ddc7
SHA512
a417bb4d55803b7542ac0d0a0ad791c566935a99ceda24e51d5fafe2946ee178fd33e7ac45862ea9e9581d10dc26817dba236be892e1921b35a037817802a832
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB
MD5
1463bf2a54e759c40d9ad64228bf7bec
SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f
SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df
SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB
MD5
1e79203d0f70092bf25058099947d5c6
SHA1
20d5e2bd3a2ef807207bc3981bd5494c34839c0e
SHA256
decca6fa6de1f0dcc2b46a7c45e62d1754fda43b509d92393c628d56930851a6
SHA512
b06c5cb26083e2ef7a407be262f37d83d9fee4788e30a94ce258639f7c1fb2ccb4e37ca9b77e4fb30c0fa0a9e80f94a5b9719efd2499c87deafc87d260eb0568
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B
MD5
5af87dfd673ba2115e2fcf5cfdb727ab
SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB
MD5
931e1e0c3f94795f5cc91bd44ea07c0e
SHA1
629434f6efed21dc611fa7d135b6ea418a17a40a
SHA256
72b49dbdf06ead08f57497382c086df0427de5e94bacdbd0439ff937e5747766
SHA512
cc98d2ca983e5f4ecb53a9372fc4ebc357d6748dd610be19bffb48e3f9cd38eaa7f8d86be892f10ea99f11348108105e30169add384e6196d846f3170a80138d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB
MD5
26e508e7f0b51bdba8cf2fb57b7a91c3
SHA1
f7c22017b02eb3384da4f45197c7df87f26c61c6
SHA256
242e856a62ae266797ddfc99818eb9f7e38e5f78e0aa56789b95017ce8578cad
SHA512
0c1ffde9e26a1962b89efbb6af5fd7ec91dddaa9413a3918e17208907cf6de4e6a7080dfdfbbb2f8cfdea5612d078186e755545e51e61b623073908db1736acc
-
C:\Users\Admin\AppData\Roaming\MSTX340\Information_psw.pdf
Filesize
397KB
MD5
9366b206f42efbcd96c6f3640f13413f
SHA1
cc6664614d1485c02f81d85e20dd1d014ca8aae4
SHA256
827c2ca7da49fe502e2ad68d9e302799fd7f61dd74e1564fef7957a37b909dbf
SHA512
299a3eb8ee7d9d992bf1c2b28c7372de60ff74cdb14675ab122399634adb9ff008dd7b2adc9988363234e228e192dad78d9ec83afaed4b23a9a6446035f1a416
-
C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll
Filesize
197KB
MD5
0a1878191571315e6f53ff8b82d34233
SHA1
35313b3ad8f1adf404cc89ef6c778a9dca2cd879
SHA256
3b57e3be3e97f299c430572ac5caa4dabdbdf04fe232da2da02300743381d19d
SHA512
c1fb158496085e08ea8d80902d783db249aa453acc935ca5904fea1477af462318b6e9b6f75650aee8beda2344746d03b11ff805be402dff9a271800d43dfc56
-
C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll
Filesize
197KB
MD5
0a1878191571315e6f53ff8b82d34233
SHA1
35313b3ad8f1adf404cc89ef6c778a9dca2cd879
SHA256
3b57e3be3e97f299c430572ac5caa4dabdbdf04fe232da2da02300743381d19d
SHA512
c1fb158496085e08ea8d80902d783db249aa453acc935ca5904fea1477af462318b6e9b6f75650aee8beda2344746d03b11ff805be402dff9a271800d43dfc56
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB
MD5
055e3e1d0d2cdb586aba99deb23487e6
SHA1
12582b5a5422ff2a215c5fd31a7204be5366b1d7
SHA256
0945ff484aaed0a5233c440698506f3380f7baee7cc5d075f13d00481dcd568a
SHA512
75929d27838d77e8ebb9db24572be26ba9cbd114000734ffabe65dfac338b56022da8b17785dbe137f1d30fe8c54b4ecaff8a26805c94d4fb1964b8a1ad7e37e
-
C:\Windows\Installer\MSIF263.tmp
Filesize
584KB
MD5
8e565fd81ca10a65cc02e7901a78c95b
SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF263.tmp
Filesize
584KB
MD5
8e565fd81ca10a65cc02e7901a78c95b
SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF552.tmp
Filesize 584KB
MD5 8e565fd81ca10a65cc02e7901a78c95b
SHA1 1bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA256 7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512 144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF62E.tmp
Filesize 584KB
MD5 8e565fd81ca10a65cc02e7901a78c95b
SHA1 1bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA256 7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512 144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF6AC.tmp
Filesize 584KB
MD5 8e565fd81ca10a65cc02e7901a78c95b
SHA1 1bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA256 7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512 144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF7F5.tmp
Filesize 584KB
MD5 8e565fd81ca10a65cc02e7901a78c95b
SHA1 1bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA256 7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512 144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIFB05.tmp
Filesize 414KB
MD5 0007940f5479831428131f029d3bd8f7
SHA1 8ded66acbd836388c1414512025bd9004c90903b
SHA256 340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320
SHA512 c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf
-
C:\Windows\Installer\MSIFBD1.tmp
Filesize 414KB
MD5 0007940f5479831428131f029d3bd8f7
SHA1 8ded66acbd836388c1414512025bd9004c90903b
SHA256 340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320
SHA512 c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize 23.0MB
MD5 a775085462b0d855b265639a33199340
SHA1 8cfb9627dcdccb5d87cd31ab1f582c197f242628
SHA256 34f67249c0808a641561cc24d411a859e4de15388647ef7f0bc0e19fe28be4c5
SHA512 61b9986843498558e1ccf7b1d5ee7f7dfcd363884372e63142601acffc1194337f6758562ba164a76b7f6b7e43f86adfc6ed014268a1273ccb7758d987392676
-
\??\Volume{93c6d6f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d314a045-3fab-4b6e-95f2-76688d4c9e85}_OnDiskSnapshotProp
Filesize 5KB
MD5 9e45012717f02537a038852259ae0795
SHA1 17300df7aedb5a688158c89e3042bf97790e197e
SHA256 7a3199867133a68109d760a47dfc4df3602c9d6a2b8792967c216ab20d4d0920
SHA512 66b4e8924070e41186a7b1a08c25e494e5c9b5e2f27ccfeee25bc552e8442b0711f2bb4acf3223ae15f415753a828306badc593f5c9474f96756256704ce5fbe
-
\??\pipe\LOCAL\crashpad_4960_VTLLQRSFUZELIHWF
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3380-178-0x0000000180000000-0x0000000180013000-memory.dmp
Filesize 76KB
-
memory/3380-177-0x000001FFBF6A0000-0x000001FFBF6A4000-memory.dmp
Filesize 16KB
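Two things in the listing above matter when turning it into indicators. First, several installer temp names carry the same content: MSIF263.tmp, MSIF552.tmp, MSIF62E.tmp, MSIF6AC.tmp and MSIF7F5.tmp all have the 584KB payload with MD5 8e565fd81ca10a65cc02e7901a78c95b, and MSIFB05.tmp and MSIFBD1.tmp (the two dropped executables the report marks as executed) share the 414KB payload with MD5 0007940f5479831428131f029d3bd8f7, so the list collapses to far fewer unique hashes than entries. Second, the crashpad named pipe carries the MD5, SHA-1, SHA-256 and SHA-512 digests of zero bytes (d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...), so that entry identifies nothing and must not be exported as an indicator. The script below is an added example, not part of the sandbox report or of any tool it names: it parses the fused "LabelValue" lines exactly as this page extracted them (a few entries copied verbatim are embedded as the sample), groups paths by digest, flags empty-input digests, and checks a byte string against the list. All function names are the example's own.

```python
import hashlib
import re
from collections import defaultdict

# Excerpt copied verbatim from the dropped-files list above, kept in the fused
# "LabelValue" form in which the page was extracted ("MD5<hex>", "<path>Filesize").
# That listing is the only input this example was written against.
SAMPLE = r"""
C:\Windows\Installer\MSIF263.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
C:\Windows\Installer\MSIF552.tmpFilesize
584KB
MD58e565fd81ca10a65cc02e7901a78c95b
SHA11bca3979c233321ae527d4508cfe9b3ba825dbd3
SHA2567b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016
SHA512144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e
-
\??\pipe\LOCAL\crashpad_4960_VTLLQRSFUZELIHWFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3380-178-0x0000000180000000-0x0000000180013000-memory.dmpFilesize
76KB
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
# Digests of zero bytes: an entry carrying these hashed nothing and is not an IOC.
EMPTY = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in HEX_LEN}


def parse_report(text):
    """One dict per dropped object: path, size (if listed) and its digests."""
    entries, cur, pending = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in ("", "-"):                    # separator between entries
            if cur is not None:
                entries.append(cur)
            cur, pending = None, None
        elif pending == "size":                  # value line after "<path>Filesize"
            cur["size"] = line
            pending = None
        elif pending in HEX_LEN:                 # bare digest after "<path>MD5"
            cur[pending] = line.lower()
            pending = None
        elif (m := LABEL_RE.match(line)) and cur is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"bad {algo} length: {line}")
            cur[algo] = digest
        elif line.endswith("Filesize"):
            cur, pending = {"path": line[:-len("Filesize")]}, "size"
        else:                                    # sizeless objects (pipes): path fused with label
            for algo in HEX_LEN:
                if line.endswith(algo):
                    cur, pending = {"path": line[:-len(algo)]}, algo
    if cur is not None:
        entries.append(cur)
    return entries


def group_by_digest(entries, algo="SHA256"):
    """Map each digest to the distinct paths it was written under."""
    groups = defaultdict(set)
    for e in entries:
        if algo in e:
            groups[e[algo]].add(e["path"])
    return {d: sorted(p) for d, p in groups.items()}


def empty_object_paths(entries):
    """Objects whose digests are those of zero bytes: no content to match on."""
    return [e["path"] for e in entries if e.get("SHA256") == EMPTY["SHA256"]]


def match_bytes(data, entries):
    """Report paths whose SHA-256 equals that of `data` (exact, no filtering)."""
    digest = hashlib.sha256(data).hexdigest()
    return sorted(e["path"] for e in entries if e.get("SHA256") == digest)


if __name__ == "__main__":
    ents = parse_report(SAMPLE)
    for digest, paths in group_by_digest(ents).items():
        if len(paths) > 1:
            print(f"{digest[:12]}... dropped under {len(paths)} names: {paths}")
    print("entries hashing zero bytes:", empty_object_paths(ents))
```

Run against the full listing, group_by_digest shows the 584KB payload under five names and the 414KB one under two, which is what a hash-based rule should key on rather than the transient MSI*.tmp names. match_bytes deliberately does no filtering: feeding it an empty buffer returns the crashpad pipe, which is exactly why empty_object_paths should be consulted before any digest from a sandbox listing is shipped as an indicator.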