Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2024, 13:31

General

  • Target

    liquidlauncher_0.2.0_x64_en-US.msi

  • Size

    5.4MB

  • MD5

    ea701a642a913b23534a46065d6f47f3

  • SHA1

    7f620da5078bed3f8d942eb51b7c8a1567628fb1

  • SHA256

    da946a12320542b32133599e6f4f815a4064993c4f7c9b4311dade8693262897

  • SHA512

    6bd68458812efba730ba50e6c2645147b2a22e5f3d507f07103ee7af21a8b6e97915d4ba91db59b14b9f2db7d9960dd6899ee3a3afa082461409bc9b5ea7da35

  • SSDEEP

    98304:5W9Y3GEdGHzryhz++8uGxH5esA7EltV+eIiOSdWluFU0HeJpayUHQOrm:om2EUyhK+8uGxH5esD7geKiTb+JpayUK

Score
8/10

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Downloads MZ/PE file
  • Sets file execution options in registry (2 TTPs, 2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (11 IoCs)
  • Loads dropped DLL (16 IoCs)
  • Registers COM server for autorun (1 TTP, 33 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks system information in the registry (2 TTPs, 8 IoCs)

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (1 IoC)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (34 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

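The first two signatures (blocklisted process makes network request; downloads MZ/PE file) come from the installer's custom action in the process tree below: msiexec.exe spawns a hidden, profile-less PowerShell that fetches https://go.microsoft.com/fwlink/p/?LinkId=2124703 into %TEMP% and runs the result silently. Nothing on this page shows the Authenticode state of what was downloaded, so the score is a triage lead rather than a verdict either way; what a detection should key on is the shape (installer parent, hidden PowerShell, web download, Start-Process on a file in %TEMP%), leaving the URL for the analyst. The following is an added example, not code from the sandbox or from the liquidlauncher project: a small hunting rule run over process-creation events that are constructed here to mirror this report's tree (PIDs, images and the PowerShell command line are copied from it; the explorer.exe-spawned PowerShell is made up as a negative case). The event field names (pid, parent_pid, image, cmdline) are an assumption; map them to whatever your EDR emits.

```python
"""Hunt for the installer -> hidden PowerShell -> download -> execute chain.

Added example, not part of the sandbox report. The event schema (pid,
parent_pid, image, cmdline) is assumed; the sample events below are
constructed to mirror the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str
    cmdline: str


# Each indicator is a case-insensitive regex over the full command line.
# "web_download" is mandatory for a finding; the others raise confidence.
CRADLE_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "web_download": re.compile(
        r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString", re.I),
    "launch_dropped": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I),
    "temp_target": re.compile(r"\$env:TEMP|\\AppData\\Local\\Temp\\", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Parents from which a scripted PowerShell download is unexpected.
INSTALLER_PARENTS = {"msiexec.exe", "winword.exe", "excel.exe", "wscript.exe", "mshta.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_cradles(events, suspicious_parents=INSTALLER_PARENTS):
    """Return one finding per PowerShell process whose command line downloads from the web."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        hits = sorted(k for k, rx in CRADLE_PATTERNS.items() if rx.search(ev.cmdline))
        if "web_download" not in hits:
            continue
        parent = by_pid.get(ev.parent_pid)
        findings.append({
            "pid": ev.pid,
            "parent_image": parent.image if parent else None,
            "parent_is_installer": parent is not None and basename(parent.image) in suspicious_parents,
            "indicators": hits,
            "urls": URL_RE.findall(ev.cmdline),
            # Children of the PowerShell process: the dropped file that was executed.
            "spawned": [c.image for c in events if c.parent_pid == ev.pid],
        })
    return findings


# Constructed events mirroring this report's process tree (PIDs and command lines
# copied from it); the explorer.exe-spawned PowerShell is a made-up negative case.
SAMPLE_EVENTS = [
    ProcEvent(4804, 3680, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(4856, 4804, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait'''),
    ProcEvent(4520, 4856, r"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install'),
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1234, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU"),
]

if __name__ == "__main__":
    for finding in find_cradles(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the rule flags only PID 4856, with all five indicators, the go.microsoft.com URL and the dropped MicrosoftEdgeWebview2Setup.exe child; the interactive PowerShell under explorer.exe is ignored because it downloads nothing. The URL and the child's signature are what the analyst then checks by hand.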
Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\liquidlauncher_0.2.0_x64_en-US.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3680
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B33C55996E0ABED0DB25D8F36DAD023A C
      2⤵
      • Loads dropped DLL
      PID:2788
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:4520
          • C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
            4⤵
            • Sets file execution options in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks system information in the registry
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:220
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2672
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      PID:5168
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:5220
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:5248
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezE0QTM4MDZBLTNDNDktNDZGNi05MDNFLUQ0OUNEMkMwRDAzRX0iIHVzZXJpZD0ie0EwRkI5M0RGLUNCMkEtNDYwNS04RERBLTdDMjQyOTcxQ0UxN30iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7OUUwNDc0RDYtMDA3NC00NDNFLTlEMzctQzE0NjY4MjY3MUNEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4MS41IiBuZXh0dmVyc2lvbj0iMS4zLjE4MS41IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzQ4Njk5NjE5IiBpbnN0YWxsX3RpbWVfbXM9IjMyOCIvPjwvYXBwPjwvcmVxdWVzdD4
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      PID:5316
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:5276
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:5436
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3NTE5ODEyOTAiLz48L2FwcD48L3JlcXVlc3Q-
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks system information in the registry
        PID:5480
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{14A3806A-3C49-46F6-903E-D49CD2C0D03E}" /silent
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:5400
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5196
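
Each MicrosoftEdgeUpdate.exe /ping invocation above carries its whole telemetry request on the command line: the argument is the Omaha update-protocol XML, base64-encoded with the URL-safe alphabet (`-` and `_`) and without padding, which is why the second blob ends in `-` (the final `</request>` encodes as `...c3Q-`). The first blob decodes to a `<request protocol="3.0" updater="Omaha" ...>` whose `<oem>` element names the machine "Standard PC (Q35 + ICH9, 2009)", the QEMU q35 board name, so the analysis VM's identity is readable by anyone with process command lines, and the same field is what updaters and malware alike use to recognise a sandbox. The following is an added example, not code from the sandbox or from Microsoft: a decoder that accepts either alphabet and missing padding, a summariser over the parsed XML, and a board-name lookup. The full request used for the self-check is constructed here in the report's structure with placeholder GUIDs; only a 103-character prefix of the report's own first /ping argument is embedded. The hypervisor board-name table is my own shortlist, not an Omaha field.

```python
"""Decode an Omaha /ping command-line argument into its telemetry fields.

Added example, not the sandbox's or Microsoft's code. The argument is the
Omaha request XML in URL-safe base64 without padding; this decoder also
accepts the standard alphabet and padded input.
"""
import base64
import xml.etree.ElementTree as ET


def decode_ping(arg: str) -> bytes:
    """Reverse Omaha's encoding: URL-safe alphabet, padding stripped."""
    s = arg.strip().replace("+", "-").replace("/", "_")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_ping(xml_text: str) -> str:
    """Produce an argument in the same form (used here only to build the sample)."""
    return base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii").rstrip("=")


def summarize_ping(arg: str) -> dict:
    """Pull the analyst-relevant fields out of a decoded request."""
    root = ET.fromstring(decode_ping(arg))
    if root.tag != "request":
        raise ValueError(f"not an Omaha request: <{root.tag}>")
    os_el, oem_el = root.find("os"), root.find("oem")
    apps = []
    for app in root.findall("app"):
        apps.append({
            "appid": app.get("appid"),
            "version": app.get("version"),
            # (eventtype, eventresult, errorcode) for each event the client reports
            "events": [(e.get("eventtype"), e.get("eventresult"), e.get("errorcode"))
                       for e in app.findall("event")],
        })
    return {
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "ismachine": root.get("ismachine"),
        "sessionid": root.get("sessionid"),
        "userid": root.get("userid"),
        "os": (os_el.get("platform"), os_el.get("version"), os_el.get("arch")) if os_el is not None else None,
        "oem": (oem_el.get("product_manufacturer"), oem_el.get("product_name")) if oem_el is not None else None,
        "apps": apps,
    }


# SMBIOS product names of common hypervisors (my shortlist, not an Omaha field).
VM_BOARD_NAMES = {
    "Standard PC (Q35 + ICH9, 2009)": "QEMU",
    "Standard PC (i440FX + PIIX, 1996)": "QEMU",
    "VirtualBox": "VirtualBox",
    "VMware Virtual Platform": "VMware",
    "Virtual Machine": "Hyper-V",
}


def looks_like_vm(summary: dict):
    """Return the hypervisor name if <oem product_name> matches a known VM board, else None."""
    if not summary.get("oem"):
        return None
    name = (summary["oem"][1] or "").lower()
    for board, vendor in VM_BOARD_NAMES.items():
        if board.lower() in name:
            return vendor
    return None


# First 103 characters of the report's own first /ping argument (see the process tree).
REPORT_PING_PREFIX = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSI"
)

# Constructed request in the report's structure, with placeholder GUIDs and OEM string.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<request protocol="3.0" updater="Omaha" updaterversion="1.3.181.5" shell_version="1.3.181.5" '
    'ismachine="1" sessionid="{00000000-0000-0000-0000-000000000001}" '
    'userid="{00000000-0000-0000-0000-000000000002}" installsource="otherinstallcmd" '
    'requestid="{00000000-0000-0000-0000-000000000003}" dedup="cr" domainjoined="0">'
    '<hw logical_cpus="8" physmemory="8" disk_type="2" sse2="1" avx="1"/>'
    '<os platform="win" version="10.0.19041.1288" sp="" arch="x64" product_type="48" os_region_name="US"/>'
    '<oem product_manufacturer="Example OEM" product_name="Standard PC (Q35 + ICH9, 2009)"/>'
    '<app appid="{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}" version="1.3.181.5" nextversion="1.3.181.5">'
    '<event eventtype="2" eventresult="1" errorcode="0" extracode1="0" install_time_ms="328"/>'
    '</app></request>'
)

if __name__ == "__main__":
    print(decode_ping(REPORT_PING_PREFIX).decode("utf-8"))
    summary = summarize_ping(encode_ping(SAMPLE_XML))
    print(summary, looks_like_vm(summary))
```

Paste any of the /ping blobs from the tree into decode_ping to read them in full; the truncated second blob will fail to parse as XML but still decodes as far as the sandbox captured it.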

          Downloads

          • C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\MicrosoftEdgeComRegisterShellARM64.exe

            Filesize

            179KB

            MD5

            9540ad83a08605ba1f52196424ce3067

            SHA1

            a533eb61319bce1720b55d8921691323a4178c3d

            SHA256

            b0b5d9eb6f4b176bdfbe4da0a060ad1b76c813186fae3d9a6e1b1dd9ee0d01d1

            SHA512

            bb00ee12c353c9deeb8105399b2a956343e4a1c13dd1198d0f481c4f699099a34ede80f15bb4efa9a1f68c2c12ff75da163b48bfdf30353d5ef5d4bb7c174493

          • C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\MicrosoftEdgeUpdate.exe

            Filesize

            201KB

            MD5

            11fe091ace9d03b9ada6d5a22d12c0d0

            SHA1

            5379ebe84500d425586904e7f9ac0393ab2a9d24

            SHA256

            50f4ed60a507ce9dd1f3f4e7d53053d923cb71594374a25251746a9b2271e4ee

            SHA512

            0f39af99697332c697ca62e2708e0a9200552a55f2d3057b64e9b18df2fe2828be750b14b5336ac9518b4c1282e82cd170b64587cf56b45b840ca231108b7fdf

          • C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

            Filesize

            212KB

            MD5

            7750d94e4719ba69f5f83213444c0015

            SHA1

            f2d49b2d5c3bb372a5c74513de0744f2a5f3fe5e

            SHA256

            1ab31694ff0b6283fbb6ec062d6eab9ffb26df9d6d1ba140cf60a8e7a4cb9fe5

            SHA512

            4aba2ff17870e6e20fbcfe8d31036d52d9b2ae9df1013e1140cdf321bb4da0a8f5cdbbabfbee758cd2f2bbe2a3b10f25351f9e29cc5f5d91baea6dce2c83e714

          • C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\MicrosoftEdgeUpdateCore.exe

            Filesize

            258KB

            MD5

            3fa9ae698a600ff3422995504cd088c4

            SHA1

            bb0b798291c7e37c514d8fce11b8c777d13a6b2e

            SHA256

            a8e1533f87ac5273f908fbb67edb786f231fcae44b49dd5e6ceb3c777c1f01a9

            SHA512

            3dea12c2f30fdd5cc4125de40ad26c9f1a69abe8505c863b1469f47349d79f2b51ab037009e500291085366abf0ee2b24d16a3eb419b715894b924af656d2b04

          • C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\NOTICE.TXT

            Filesize

            4KB

            MD5

            6dd5bf0743f2366a0bdd37e302783bcd

            SHA1

            e5ff6e044c40c02b1fc78304804fe1f993fed2e6

            SHA256

            91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

            SHA512

            f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

          • C:\Program Files (x86)\Microsoft\Temp\EU12E2.tmp\msedgeupdate.dll

            Filesize

            1.9MB

            MD5

            236ea771da416acc36df081e28b619db

            SHA1

            ae20a2793865de4d5c9cbdb9a59c4da4e1235edc

            SHA256

            ab230a2785c802686c979819ca1fa7d7b9038edafbb4869ec4c00cdc5e8ba611

            SHA512

            f166a7bdd60750fa2d8b3ca7c26f75dfd02d9e579ab8229a599c812058a68daacae64d673072d8ad31bdcee20751308d0a98fa17fa122813fbbf59d9698be659

          • C:\Program Files\liquidlauncher\liquidlauncher.exe

            Filesize

            7.4MB

            MD5

            fdb327e3628ccb342f7268807418f502

            SHA1

            106a8ae4b4f86000e936b8da5aeab2daa738d204

            SHA256

            1a4282bc50de0ba26f3e7cd82445ffbe1786e6b782f2f8dfd26edd85948beb27

            SHA512

            49416011207424d28f0fef341516c38b48d55854dc86070ce079f10b35ccfd77e61327ed0e0e50871cc6ede1f876bd099d2d32e6b9a2fe400dda03a986cf66c5

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\liquidlauncher\liquidlauncher.lnk

            Filesize

            2KB

            MD5

            8df9732e0d155281efca22078e3ad302

            SHA1

            ff18b9ec15d0412dfe666387fdd11d68d9461b8d

            SHA256

            7f7469dd52bab04c586562e255845ecfb42b9bfb9ebbd1d62597cbca7287dc79

            SHA512

            8a636b581d95237a6935b7edbd863ee5be89f2f46e702028042b5792358c7857b89531368def37769aeab41370696145fecf7d4dad063413b0d8d751c9bf729e

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\liquidlauncher\liquidlauncher.lnk~RFe58ec5f.TMP

            Filesize

            1KB

            MD5

            26c38d8c261302ce73df00fd66ed31ae

            SHA1

            f8125f1b3a904b1fa116d254ef6ad5585e3f16bc

            SHA256

            1df28b26aed0bc60406e951767df59c3f4eb08ce078451a7ed489fe935e09c1b

            SHA512

            7e2de837004aa59d5cc30729fb1450611e40fa1e386d5c343edb3bcbdd0391ab3fb287d6873b89baa7957b2d63e06b06e49b2d2ea02476d8144854f956d33a59

          • C:\Users\Admin\AppData\Local\Temp\MSIBA43.tmp

            Filesize

            113KB

            MD5

            4fdd16752561cf585fed1506914d73e0

            SHA1

            f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

            SHA256

            aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

            SHA512

            3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

          • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

            Filesize

            1.5MB

            MD5

            2fbe10e4233824fbea08ddf085d7df96

            SHA1

            17068c55b3c15e1213436ba232bbd79d90985b31

            SHA256

            5b01d964ced28c1ff850b4de05a71f386addd815a30c4a9ee210ef90619df58e

            SHA512

            4c4d256d67b6aadea45b1677ab2f0b66bef385fa09127c4681389bdde214b35351b38121d651bf47734147afd4af063e2eb2e6ebf15436ad42f1533c42278fa4

          • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

            Filesize

            1.3MB

            MD5

            e75690babd0e3f40b3a506dc4b3c6b9a

            SHA1

            0e72e7cabd39f9809eb5b912701989c7f0375535

            SHA256

            05a75a5c10d34afdafac6956de508dfb75ca3567350ab811b5c6fa51ae1b17fe

            SHA512

            7184debfa8ebe1bc30b62d2174910dcb1559a91950977f8d857303eec21fa65efd84f512c437b167239828a77d62b5afe6687b997ba85b316494e4ec8718275c

          • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

            Filesize

            1.1MB

            MD5

            a81eb69ed673b0aed16d608c74420198

            SHA1

            758a313325e85a88bc2e95ebbf93fc2d65626810

            SHA256

            4e70af2d9a20f844e3ea9fd4a83e1b93b25604977c041a72e00f2e7e555a468f

            SHA512

            157b3a946dfd1b178719577eeb1093f5d6ec31a00c2aca5c7641c0ceb499ee69b96d29f18fe3c8fda3c4c542ac1430251a00041f073fc00c8f908f1c3f80cbbf

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xj2hcujf.20s.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

            Filesize

            381KB

            MD5

            3e1be53bb48c4439baaf6f55a27be516

            SHA1

            c2d940e3bfc17a5b37e167ba90da8f87dc01db2a

            SHA256

            059d8ab9c61f98b74f92f70005f9f5cb4717b0a685a709bce982ed79ef7756a9

            SHA512

            6a5a2dc1b209eed8f1b38d27b344e33cf3d8b3aa02f076d8d2a136aaff4c7a84246bc98c8f8d9c6817df1b9b8ebf1e1ba1c4c1c96054a8c9600586d22b2ea4ec

          • \??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{45fdb7ab-5594-4563-94b2-c8e55abd2bab}_OnDiskSnapshotProp

            Filesize

            6KB

            MD5

            7190a8636a75bd25a9432e339d518893

            SHA1

            96222b1d5fcda2e9af5703794160aa82408c7f7c

            SHA256

            f25761746d4a0d15cd3c0a1195682e28686c00769b1fc0cd2b2b29220e81d4dd

            SHA512

            b5b3c8bb1a4a2dd89d4bf3d8252d812f365855b0dfd0e16c220a118f7555cf1a531efd51ffe5f457b86b03c08c3890b85f123073488035519eae0965b34f0720

          • memory/4856-49-0x000001969EE50000-0x000001969EE60000-memory.dmp

            Filesize

            64KB

          • memory/4856-48-0x000001969EE50000-0x000001969EE60000-memory.dmp

            Filesize

            64KB

          • memory/4856-46-0x00000196B7F00000-0x00000196B7F22000-memory.dmp

            Filesize

            136KB

          • memory/4856-47-0x00007FFBCC2B0000-0x00007FFBCCD71000-memory.dmp

            Filesize

            10.8MB

          • memory/4856-248-0x00007FFBCC2B0000-0x00007FFBCCD71000-memory.dmp

            Filesize

            10.8MB

          • memory/4856-249-0x000001969EE50000-0x000001969EE60000-memory.dmp

            Filesize

            64KB

          • memory/4856-250-0x000001969EE50000-0x000001969EE60000-memory.dmp

            Filesize

            64KB