hxxps://download[.]teamviewer[.]com/download/TeamViewer_Setup_x64[.]exe?utm_source=google&utm_medium=cpc&utm_campaign=gb%7Cb%7Cpr%7C22%7Cjul%7Ctv-core-download-sn%7Cnew%7Ct0%7C0&utm_content=Download&utm_term=teamviewer+download

Analysis

max time kernel
1779s
max time network
1589s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2023 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.teamviewer.com/download/TeamViewer_Setup_x64.exe?utm_source=google&utm_medium=cpc&utm_campaign=gb%7Cb%7Cpr%7C22%7Cjul%7Ctv-core-download-sn%7Cnew%7Ct0%7C0&utm_content=Download&utm_term=teamviewer+download

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
4932	MsiExec.exe
4932	MsiExec.exe
4384	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	MsiExec.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.clusters	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-awt.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_common.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\fxplugins.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\net.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd	msiexec.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE328.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE414.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAEB.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2F8.tmp	msiexec.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0002000000022e71-261.dat	nsis_installer_1
behavioral1/files/0x0002000000022e71-261.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Console	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\System	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133311503701302146"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MsiExec.exe

Modifies registry class 61 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Rev = "0"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A46297B6D117AA8000B0D816006\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Mode = "4"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile\shell\open\command	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A46297B6D117AA8000B0D816006	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A46297B6D117AA8000B0D810000	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\FFlags = "18874449"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jfr	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 1e007180000000000000000000006abe817b2bce7646a29eeb907a5126c50000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\java.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 0c0001008421de39080000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupView = "0"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A46297B6D117AA8000B0D816006	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File"	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\javaw.exe	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"%1\" %*"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:PID = "0"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile\shell	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.jar	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\FFlags = "18874433"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A46297B6D117AA8000B0D816006\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\java.exe\IsHostApp	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a00000040010000904f1e8459ff164d8947e81bbffab36d02000000c0000000904f1e8459ff164d8947e81bbffab36d0b0000005000000030f125b7ef471a10a5f102608c9eebac0c00000050000000537def0c64fad111a2030000f81fedee0800000080000000	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A46297B6D117AA8000B0D816006\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JFRFILE\SHELL\OPEN\COMMAND	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile\shell\open	MsiExec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4004	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1552	chrome.exe
1552	chrome.exe
2124	msiexec.exe
2124	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1552	chrome.exe
1552	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	4004	explorer.exe
Token: SeIncreaseQuotaPrivilege	4004	explorer.exe
Token: SeSecurityPrivilege	2124	msiexec.exe
Token: SeCreateTokenPrivilege	4004	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4004	explorer.exe
Token: SeLockMemoryPrivilege	4004	explorer.exe
Token: SeIncreaseQuotaPrivilege	4004	explorer.exe
Token: SeMachineAccountPrivilege	4004	explorer.exe
Token: SeTcbPrivilege	4004	explorer.exe
Token: SeSecurityPrivilege	4004	explorer.exe
Token: SeTakeOwnershipPrivilege	4004	explorer.exe
Token: SeLoadDriverPrivilege	4004	explorer.exe
Token: SeSystemProfilePrivilege	4004	explorer.exe
Token: SeSystemtimePrivilege	4004	explorer.exe
Token: SeProfSingleProcessPrivilege	4004	explorer.exe
Token: SeIncBasePriorityPrivilege	4004	explorer.exe
Token: SeCreatePagefilePrivilege	4004	explorer.exe
Token: SeCreatePermanentPrivilege	4004	explorer.exe
Token: SeBackupPrivilege	4004	explorer.exe
Token: SeRestorePrivilege	4004	explorer.exe
Token: SeShutdownPrivilege	4004	explorer.exe
Token: SeDebugPrivilege	4004	explorer.exe
Token: SeAuditPrivilege	4004	explorer.exe
Token: SeSystemEnvironmentPrivilege	4004	explorer.exe
Token: SeChangeNotifyPrivilege	4004	explorer.exe
Token: SeRemoteShutdownPrivilege	4004	explorer.exe
Token: SeUndockPrivilege	4004	explorer.exe
Token: SeSyncAgentPrivilege	4004	explorer.exe
Token: SeEnableDelegationPrivilege	4004	explorer.exe
Token: SeManageVolumePrivilege	4004	explorer.exe
Token: SeImpersonatePrivilege	4004	explorer.exe
Token: SeCreateGlobalPrivilege	4004	explorer.exe
Token: SeBackupPrivilege	3664	vssvc.exe
Token: SeRestorePrivilege	3664	vssvc.exe
Token: SeAuditPrivilege	3664	vssvc.exe
Token: SeBackupPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
4004	explorer.exe
4004	explorer.exe
4004	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2912	1552	chrome.exe	85
PID 1552 wrote to memory of 2912	1552	chrome.exe	85
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 1432	1552	chrome.exe	86
PID 1552 wrote to memory of 4944	1552	chrome.exe	87
PID 1552 wrote to memory of 4944	1552	chrome.exe	87
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88
PID 1552 wrote to memory of 4376	1552	chrome.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://download.teamviewer.com/download/TeamViewer_Setup_x64.exe?utm_source=google&utm_medium=cpc&utm_campaign=gb%7Cb%7Cpr%7C22%7Cjul%7Ctv-core-download-sn%7Cnew%7Ct0%7C0&utm_content=Download&utm_term=teamviewer+download
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae6279758,0x7ffae6279768,0x7ffae6279778
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:2
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3160 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2508 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3760 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5440 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4640 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5612 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 --field-trial-handle=1824,i,12861398704355901237,9168147968989598928,131072 /prefetch:8
  2⤵
  PID:4360
- C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe
  "C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe"
  2⤵
  PID:512

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1128
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DE376A106EB912C5388522CBFD6332F5
  2⤵
  - Loads dropped DLL
  PID:4932
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 61BE98F362582D1087ED47428CC6B6A1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:4384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58dd6c.rbs

Filesize
454KB

MD5
c6021a205d3427902a855274ee49c1a5

SHA1
22aee0fc61c39aa41ecb2bfb47df3a9d27732fe5

SHA256
415ae9dd2597a09bcec6562ec878bf0116ab92f31b77fa3ea454acb3a32d16b0

SHA512
cf2edddf0bb9633f1c24c71f9c63a91aa2a12be6c6b481eda01c3b459a4e7809c42e679c80bd330267ebed9c1bd7be37b4843af146b59ebffd3164d53c1151fd

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
179B

MD5
a5faf4e66923a5e88b36a6870997226e

SHA1
beca76f0c0eb17c2172ae87591e8dc32b9dfe4f6

SHA256
23cd88c245b607594fe1d8503652e8eed009309050c80e78db530cbbc441aaea

SHA512
89db8058b6cd6248ec4da3ff9087391f184ea5b41cc795402ca7d22750436835686858bfdbb269b4e78b48bc935a5c0315c83e038ee081c61a364e47fee1af2f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
175B

MD5
8c665911afe1655b517579f464ddfab3

SHA1
86b10fd780a2342239adf2cefab298bd0cb5ef9c

SHA256
d028440df1416e0f09f8404ca504d7613c105aed36c4f1c54f601132c8dede52

SHA512
8c3f624411c335131da39f0c7ca0810862521d7470b043d77b6ac144757f2e64a4ec9da17361feab48128c3f2293c1b023d90352ab72b832b82fbe0241b147d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e43d03ec13cbc6e7b1dde52c9fbbbad4

SHA1
a06cee9a383dd646d3a3c71751826af9baa01458

SHA256
13892c902ed247b6b450ea399d2e133c00a03ce4e3e5e9c11c31c836f4c5090a

SHA512
00f7b13d29765b88fd662a4c6c7aa5bb8d5b07c39d9f517f569bb6f52954a830f26aff85141e1f25692faf36ff688edbe0dc3114eaedfcc84cb38e16e254a0a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
238ed798501bae51a053c50102b92673

SHA1
286d29019104f9f1b71f0432dc344a1e84efe396

SHA256
b81f48ffc407efabb00ca90a42ecc6ec219fcebb3798756c24ae871d49afbf5a

SHA512
3c71b64de81a07689f1c5973e1001f58ddcb4f9f05159549587dfdc3b2c733f3f77b0af7958b6329d0a432e74f01bdd93a8ff1348f7477af16b7ef526925cdd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0cd8659ad65f630f746ba148f908c2af

SHA1
25a39fa09c7282be0f7cecce6cc7b16b4aaa5e59

SHA256
f6f54f4d74444d395e8ed7111521fc5e9531390f7eae4e74197cd30aea19d4a7

SHA512
d2b46563195aef386c63a53a7b21dc99ed653a90c2a794e33b791d1392af2464e7db200a43982d4318ea44e08dd71e89b7ddf81eaa11a71bcd57bb5e13671be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
127cd4ba5a562865099f35323c19e8e1

SHA1
3ac4b7f8a5b0fa90172ecd1e5b3a1f2a8fa9ec93

SHA256
30faed704da5f2cdffaf3c6d6b8661c182e9e94d1dd8b7803258420cb52485e6

SHA512
1e8d04a34d0255e1cc0549f8969f5e47cdf0eedfaab18eebed1296abfd20745369c000820a528e86df383b00ad2532f5c1817cca6b7afaf0edb5401e6157b5c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
6d8054d8eec6b3b8e4a3b48a405d5377

SHA1
1d35681cd79114c9c9b8fa2b28ce8b55aac54398

SHA256
35480a29176a7cfe497ef0ff960ae16c0a37540014cf852f9ce8abf6137f3ea6

SHA512
f319944ba9615d9d8b055ea8622a7b549177da5acb3dee329b9d0aeea07c7c1a1421443e55745237ec438746559b14f0887fe92399b4b27923b5d27d5d26bda4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
7033d1935c2ca85bf76efd4ba36e515e

SHA1
9d33302c22a1a8dc88f23d5a076c91be6de81270

SHA256
6648d9eb333917bbd560da38ed516cee362a6e9614d12b5a16b41e50ae1027d1

SHA512
d33a3e753dfa5280e6cf5b03383eae00ac2f8e34288bc35690256c3651a19307cc436771e4f36ace791fea273639bc01e4438b7df621f49c52fd8e7c262be28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
275KB

MD5
8f4f17045d8cb87d8e218bffb22f6a81

SHA1
ec96e82afefbfdba322308aa1416f28e15ea3813

SHA256
91ac5e20c36198f06e0f59b681cea2b679eb0a1869d8f546dd136e2b7ea77b1b

SHA512
9a0fc5ca288e34ee6e3fa7abc4b46cd49a4ae68d0a304e3df603dda10bcdf3e93a3232ad0c4ed6f0592963144901412eb82581f009d2c4062b0ff34dad2dcc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
275KB

MD5
7f47183a016e27c8f2e5fb4f7f5d2f07

SHA1
f892a07deab9e3aa58e70636c24c88bbbc20e481

SHA256
699a13e8d293c79fa9f372c0a581570b194ecdd04b4c2caf26897a8e35788a90

SHA512
61e5eba2ab293a03d57ac2d78252d9928e23d4b9bc2cec566ec45e1f5de2300f69e111cfef4640f9da809fc95ed143bd4a235f6bb54dc238fa90f53fb3ab11c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1552_1133417338\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1552_1133417338\cf4d40cc-272e-4b76-905e-72f95ba6b353.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\Downloads\TeamViewer_Setup_x64.exe

Filesize
52.6MB

MD5
ca44f94a17910ed3c46a7e2c71bb2d1f

SHA1
b0f77d5931308a7f4ca47c70bb691af07f4b8a5c

SHA256
499e6c428baa73b97f0693a21394ef84fa039c53c49e3cf39cef2f933eb4add0

SHA512
cdb46bd713f1a30721a325b51b3abf55cf6c5c887bcb7de36c982f3422d7f39284f0652760a34ac743ecb79b1220c9b2d4c3ffef4d4dc8a7db687a04ec6bacd1

Download Submit
C:\Windows\Installer\MSIE328.tmp

Filesize
796KB

MD5
95c185e808b6962dc0f88a6ee8445900

SHA1
e75505add092e5472b6bb95b080c8ae5c82e7f03

SHA256
f420ba35fcef55361d5c5796f26832570d9ae6f04b13c2d0bc6afd157e40fd3a

SHA512
252bdc5c49840448dc810653a5614b13cddecd8a27390d2bb33fb26d52439897153b5f7cea63377aed4f8660f548a9409e19d4abfa109f600b7de646f47b63bc

Download Submit
C:\Windows\Installer\MSIE328.tmp

Filesize
796KB

MD5
95c185e808b6962dc0f88a6ee8445900

SHA1
e75505add092e5472b6bb95b080c8ae5c82e7f03

SHA256
f420ba35fcef55361d5c5796f26832570d9ae6f04b13c2d0bc6afd157e40fd3a

SHA512
252bdc5c49840448dc810653a5614b13cddecd8a27390d2bb33fb26d52439897153b5f7cea63377aed4f8660f548a9409e19d4abfa109f600b7de646f47b63bc

Download Submit
C:\Windows\Installer\MSIE414.tmp

Filesize
796KB

MD5
95c185e808b6962dc0f88a6ee8445900

SHA1
e75505add092e5472b6bb95b080c8ae5c82e7f03

SHA256
f420ba35fcef55361d5c5796f26832570d9ae6f04b13c2d0bc6afd157e40fd3a

SHA512
252bdc5c49840448dc810653a5614b13cddecd8a27390d2bb33fb26d52439897153b5f7cea63377aed4f8660f548a9409e19d4abfa109f600b7de646f47b63bc

Download Submit
C:\Windows\Installer\MSIE414.tmp

Filesize
796KB

MD5
95c185e808b6962dc0f88a6ee8445900

SHA1
e75505add092e5472b6bb95b080c8ae5c82e7f03

SHA256
f420ba35fcef55361d5c5796f26832570d9ae6f04b13c2d0bc6afd157e40fd3a

SHA512
252bdc5c49840448dc810653a5614b13cddecd8a27390d2bb33fb26d52439897153b5f7cea63377aed4f8660f548a9409e19d4abfa109f600b7de646f47b63bc

Download Submit
C:\Windows\Installer\MSIEAEB.tmp

Filesize
796KB

MD5
95c185e808b6962dc0f88a6ee8445900

SHA1
e75505add092e5472b6bb95b080c8ae5c82e7f03

SHA256
f420ba35fcef55361d5c5796f26832570d9ae6f04b13c2d0bc6afd157e40fd3a

SHA512
252bdc5c49840448dc810653a5614b13cddecd8a27390d2bb33fb26d52439897153b5f7cea63377aed4f8660f548a9409e19d4abfa109f600b7de646f47b63bc

Download Submit
C:\Windows\Installer\MSIEAEB.tmp

Filesize
796KB

MD5
95c185e808b6962dc0f88a6ee8445900

SHA1
e75505add092e5472b6bb95b080c8ae5c82e7f03

SHA256
f420ba35fcef55361d5c5796f26832570d9ae6f04b13c2d0bc6afd157e40fd3a

SHA512
252bdc5c49840448dc810653a5614b13cddecd8a27390d2bb33fb26d52439897153b5f7cea63377aed4f8660f548a9409e19d4abfa109f600b7de646f47b63bc

Download Submit
C:\Windows\Installer\MSIEAEB.tmp

Filesize
796KB

MD5
95c185e808b6962dc0f88a6ee8445900

SHA1
e75505add092e5472b6bb95b080c8ae5c82e7f03

SHA256
f420ba35fcef55361d5c5796f26832570d9ae6f04b13c2d0bc6afd157e40fd3a

SHA512
252bdc5c49840448dc810653a5614b13cddecd8a27390d2bb33fb26d52439897153b5f7cea63377aed4f8660f548a9409e19d4abfa109f600b7de646f47b63bc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
ee0f6ae5a689aa55b4bb7142f65fd853

SHA1
0d1a71c70f527046cf3b1e7315abc1959a6c5d77

SHA256
02ca5b6ae8b919a3ad49a2050b60e955701ff81f00277d8664df6dd163102939

SHA512
89c0afabe024f2e8fafc2a21f1a5dfc4f43643455dd4b98891b67b38e0f58846a8931af2a0a3224e2b8e33c9b70a4420fd7ba7b117ddc9a8eaafd4bb33dcb98c

Download Submit
\??\Volume{7e74cb8c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{18366417-9590-49a8-b58a-6ffa4906c210}_OnDiskSnapshotProp

Filesize
5KB

MD5
0ce0bcfe849b4531c42634be2dcf5dbf

SHA1
8c755b87790e4b3569f4b554f878cc8f205686be

SHA256
99a4e4a61dd3c980cb24d6565cfbe497e2dd593b9d97973a234424cdb3ee5f6c

SHA512
e6ced9744d891541e988881c71f2717a283baf68f5a5074a19d8d1c31cc6eca3451be0f43b4173d96ad1bad4a1df954108f5f03d7ded1647e7f4d7b92210ebbb

Download Submit