hxxps://www[.]7-zip[.]org/a/7z2201-x64[.]msi

Analysis

max time kernel
127s
max time network
132s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.7-zip.org/a/7z2201-x64.msi

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ext.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\de.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\el.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\af.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	msiexec.exe
File created	C:\Program Files\7-Zip\History.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\va.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\br.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\co.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\es.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File created	C:\Windows\Installer\e5851e4.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DF54C4D7B3E57B5F6B.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0C97C9A24C06F83D.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\e585196.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File created	C:\Windows\Installer\e585196.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3DD4F680422EBAF1.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2702-2201-000001000000}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5678.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF14C5563655B3106F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004b52018b2f23ece20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004b52018b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004b52018b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4b52018b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004b52018b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Program = "Complete"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Version = "369164288"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\PackageName = "7z2201-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\ProductName = "7-Zip 22.01 (x64 edition)"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000\96F071321C0420722210000010000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\LanguageFiles = "Complete"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\PackageCode = "96F071321C0420722210000020000000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2201-x64.msi:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 953939.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4540	msedge.exe
4540	msedge.exe
4052	msedge.exe
4052	msedge.exe
4232	identity_helper.exe
4232	identity_helper.exe
4824	msedge.exe
4824	msedge.exe
4240	msedge.exe
4240	msedge.exe
1732	msiexec.exe
1732	msiexec.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3868	msiexec.exe
Token: SeSecurityPrivilege	1732	msiexec.exe
Token: SeCreateTokenPrivilege	3868	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3868	msiexec.exe
Token: SeLockMemoryPrivilege	3868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3868	msiexec.exe
Token: SeMachineAccountPrivilege	3868	msiexec.exe
Token: SeTcbPrivilege	3868	msiexec.exe
Token: SeSecurityPrivilege	3868	msiexec.exe
Token: SeTakeOwnershipPrivilege	3868	msiexec.exe
Token: SeLoadDriverPrivilege	3868	msiexec.exe
Token: SeSystemProfilePrivilege	3868	msiexec.exe
Token: SeSystemtimePrivilege	3868	msiexec.exe
Token: SeProfSingleProcessPrivilege	3868	msiexec.exe
Token: SeIncBasePriorityPrivilege	3868	msiexec.exe
Token: SeCreatePagefilePrivilege	3868	msiexec.exe
Token: SeCreatePermanentPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	3868	msiexec.exe
Token: SeRestorePrivilege	3868	msiexec.exe
Token: SeShutdownPrivilege	3868	msiexec.exe
Token: SeDebugPrivilege	3868	msiexec.exe
Token: SeAuditPrivilege	3868	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3868	msiexec.exe
Token: SeChangeNotifyPrivilege	3868	msiexec.exe
Token: SeRemoteShutdownPrivilege	3868	msiexec.exe
Token: SeUndockPrivilege	3868	msiexec.exe
Token: SeSyncAgentPrivilege	3868	msiexec.exe
Token: SeEnableDelegationPrivilege	3868	msiexec.exe
Token: SeManageVolumePrivilege	3868	msiexec.exe
Token: SeImpersonatePrivilege	3868	msiexec.exe
Token: SeCreateGlobalPrivilege	3868	msiexec.exe
Token: SeBackupPrivilege	4760	vssvc.exe
Token: SeRestorePrivilege	4760	vssvc.exe
Token: SeAuditPrivilege	4760	vssvc.exe
Token: SeBackupPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
3868	msiexec.exe
3868	msiexec.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
1260	helppane.exe
4052	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1260	helppane.exe
1260	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1040	4052	msedge.exe	77
PID 4052 wrote to memory of 1040	4052	msedge.exe	77
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4168	4052	msedge.exe	78
PID 4052 wrote to memory of 4540	4052	msedge.exe	79
PID 4052 wrote to memory of 4540	4052	msedge.exe	79
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80
PID 4052 wrote to memory of 2408	4052	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.7-zip.org/a/7z2201-x64.msi
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3b8f3cb8,0x7ffc3b8f3cc8,0x7ffc3b8f3cd8
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,9039338958776916439,1250582585364775975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
  2⤵
  PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4680

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=517009
  2⤵
  PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffc3b8f3cb8,0x7ffc3b8f3cc8,0x7ffc3b8f3cd8
    3⤵
    PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585197.rbs

Filesize
28KB

MD5
c008276f280b63a0ac95a384918ce4b7

SHA1
6f23f43f9b9692ac56d20f1de3e4862ca9b4a6f6

SHA256
c8562890f68d95b4427668b21b511e74aca3a3d9c8adef443042238a954c6cb9

SHA512
5d659b6557ac09e29f4dc487d8dea1dbc9c96a9737f429462077957dd206d7d4a7b6e50a667e9d3a10ca72b3eb975efcf4214d4c5963fee1e38bb92b5e5f15ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\520ebd8f-5204-4ef4-8037-01e1e3604c4b.tmp

Filesize
11KB

MD5
620811e298ab236ffaf63e03a617a90e

SHA1
dfe2ceb8090a9d73f50d1ee69f4860a2a68a3e8d

SHA256
f362ae1f66973fb78ee121c806793df6bdabce2238fe978761c1ce77722d394e

SHA512
b3725326b68edfd5a526669e353c64c4a45cde608e1a25e09a1b18fd9231ed64ad2b08a7f8abf410f6f9a7f3e1cd2e39b373c0c09ce855a5f93e19c1f0523fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06e9ba248254d58b34c89627dcf42889

SHA1
78901e534ae648eeba359be13ce2fc9b8c1f7533

SHA256
a66af1f600a21b9185c88270a1772673dc7fb42d23d448602ac8b1799bcb093c

SHA512
4b35f088992bf91a2d37dc28dda2e376bca792e78c9d804d512131cc3a92d59eebbbdb31e96b9d61ff7acd94c95ea833fe94e68a2ce56f16774cabecae7a0217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2cd0e42c8f7b6e791f0c6a427eb39f1

SHA1
db4d2e6d0a1f9da35448631a8a03487f60fc52ca

SHA256
7ac2004f86a877c7190122701ecd021e734f9d44b88de47145c310ed6d195308

SHA512
8d5b1e03d799427a53e5a6a8ecde26b4e84ec0477486862a88d1f9766c995dcee9fa4862435756cec7d3d5130f8d3c730e8e486e206fcd32c4f51ff56ef6ff5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19d0e4675bb87383ad0630a6a2a16388

SHA1
9af157f22f9930f0f1349d93455bc924252b230e

SHA256
c7c78082de61856a1316bf60e0637c21f56a49006d3048bfea1f68c40f2bbcca

SHA512
33e371a67a94b8b12402af8863c64729cf4fd54ebdbec9ab046000fe37b5b07da7cf55af4c4de0c573e10e8d34ff19e5fb27c6279fff532c8a6a696000a0a5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00dbd8db453ce4ee0d7f6771487b8a61

SHA1
390909c2b39d44f048a80254f72a11190e68fcd7

SHA256
fd49622e53d97aa25ecb7e19b4725cc6667e4e053f1d5c1a4ef0f04a63fde72a

SHA512
54c912464ae8cdc6a7002c3dc64bded8e786169eaada7eaa8dd5119569ed4f33fa0b80ef67e2ad529761d9df30850d26b966b88ba2e36cc1927dfa8e54c232e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
53fdf61b61774431201899dde6b9bb96

SHA1
ef87761b6262b2a79bdacc02b40b49b35db9e603

SHA256
c12c8f29122a3f4836771129094f6390c7a1bd9697d6983626ef211859918014

SHA512
daf0cdf5ccbdbac25813ea173726311e4d6952580a214bd259e074216a3b7f4d8b4a9c8c09870498420aa42ba17c6f327f0c45191a385e86e90a7c26a21b9b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596bef.TMP

Filesize
203B

MD5
6c23297168e339fd2fc15d9478c68a9f

SHA1
85f5b6c3c12065f85d8e28442c15bdd727d1f9a0

SHA256
484526a9a8f363dd300446390e4e22db04d68c8785a780df7f4de11e61c9e3b5

SHA512
16263beb3a3d7a88ed9e715accefca25e1cef0d0d6efd5aa41475031e4f6b4824f45821727c0595e4fb0e94b335c6dac51b5dc2d984c02e0a45ec473592abb40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e2009c370cc6289e6f460317742d14f2

SHA1
f76b9e3a51a65e1003dc111979edda3b70d1b253

SHA256
cd027624efcdc6e065a75713401741a30a137d3f29d8a7015faf76ad760bc1a4

SHA512
904449c5e797464d67c7992bbd835a76ef5679dbb97a844814fd79b13861ef8471fcf9280b949875ed630c86f6d40783e66f1e2e5f9a4cf4191bdd5ad9271964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18270b5400b8a8f2ad230237bf4f3627

SHA1
66b7511053b028106e32fb292c9878d23f0fbe6e

SHA256
39b660e1ba2600ef6e0fc9cc159e8f25a9ee10206cae7875271891c67d0c5013

SHA512
119718ff27adec4007faada2f038d9643351265c4a7a7129e0a91ce201d8f14020efe34b9c14f1844074d6167d2311e414576c0d30abd728cb8ca9133a5c8dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b71115cd3fba95dafb164c75ff24bbd1

SHA1
c13c2cc60da8ca547ac0a07dce8089aa53d779f3

SHA256
6c45dbcd9a1a238b3ce95d29add1b25a205a7773233ee07b6e8b0c07a148e11d

SHA512
69b494fed25e6198aa2e19d7f2b646a15572645149c340ddc97de0ba6d6b0ad3586fab739d07cdde104a93416a6de1ee964f222b856845091083df840be99057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
04001fc1a7c999054e6511cd0cd8d00b

SHA1
a1c060b1ed26246691640012b7d30f8001032bf3

SHA256
7f5b5455baddf3de769429de2d3ef4481209d5637e0b846ba70d99f14364d202

SHA512
00eb5fda29f664c41c71661a11e822949a542f654d9aac968ca76fa4f3f8dd2836e74ed268a6a66570fad66112de2644afa4428274ff2ad687e7ae675a0cfca3

Download Submit
C:\Users\Admin\Downloads\7z2201-x64.msi

Filesize
192KB

MD5
84888e9bfcd113da9dde293243d2997f

SHA1
6c8bfc3ff5eb3e5c1cfee380ff19ad563203e421

SHA256
0d5ba2dd7f227fa2a77f12b4b52f830ac45c4ce7ea26e9b28b97443c63705076

SHA512
b41853796fe495deb1f5475d98c4e4d1839f53310b86f46ac8360c7964b13f5ce52b2036d9da015710bca0b2e451a86c55989d0a18864f8f13cbecfbcade5899

Download Submit
C:\Users\Admin\Downloads\7z2201-x64.msi:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 953939.crdownload

Filesize
1.8MB

MD5
50515f156ae516461e28dd453230d448

SHA1
3209574e09ec235b2613570e6d7d8d5058a64971

SHA256
f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca

SHA512
14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
2f1f866ee8e2451f4d1ee8894a9d28c4

SHA1
b774d19fdf4536a7dda3a6622ef24ca8601d9f03

SHA256
0f67399800ad7121c6664d188e3a4e10d8643050eb3476dae33d3d550d27dfaf

SHA512
49329b9b71640c4515eb188fcc40a3f4c49de66f4a376eb5481f5643391700d58eaecb1023a8e1ec3e79b70870a8c60fc2de93828f8099c63c27ea0b1275e561

Download Submit
\??\Volume{8b01524b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c26be582-c5ed-4762-91a8-4c6a112f1948}_OnDiskSnapshotProp

Filesize
6KB

MD5
c9415e89d2c40ab3a8deb6afe2a8a852

SHA1
4bc61c43bb8491a05854b6130eecf434b665fef4

SHA256
12661a0006df421cb0b41309f4f49bd77e98a65a8db25630db1e243ed5bbe8e4

SHA512
45a89449412f96cb31e35fa1c59d76e2970ec3647aba016413cd381a81d3c01093e715552f3697168988be734bc2fbe05a430c0252bc32e010e9600cc3c3a794

Download Submit