b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi
Size

20.7MB
MD5

8cad37c93cf7d11f1024b814f3da0727
SHA1

fb39f4d2a74e9b600cc812ce05a77361d3282369
SHA256

b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b
SHA512

bd80292dbd8a4da9cc6b414add992c8f791e74bb7edb74fae4a4ae46fe6f6f6e7593f6fd45b21b3b6eedddb1a26214323ebb498579854c7f7c75d7d72dec42d9
SSDEEP

393216:h1z9wvtrdCjOdUprFfa69uxhGkYlwo6qFUklbOebxUf3LCDsHDM5gxp:hx9wvtrMjOdgtaMuxhGXhDb1bafbzDMu

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	4788	msiexec.exe
16	4788	msiexec.exe
20	4788	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Caribou Store Agent\agent.exe	msiexec.exe
File created	C:\Program Files\Caribou Store Agent\nssm.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e576a43.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576a43.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C18.tmp	msiexec.exe
File created	C:\Windows\Installer\e576a45.msi	msiexec.exe
File created	C:\Windows\Installer\{198F6BAC-DB05-420F-B6B6-1F0CDAED636B}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{198F6BAC-DB05-420F-B6B6-1F0CDAED636B}	msiexec.exe
File opened for modification	C:\Windows\Installer\{198F6BAC-DB05-420F-B6B6-1F0CDAED636B}\icon.ico	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4320	nssm.exe
2232	agent.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000486acc2d320b21400000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000486acc2d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900486acc2d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d486acc2d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000486acc2d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAB6F89150BDF0246B6BF1C0ADDE36B6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\PackageName = "b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\ProductName = "Caribou Coffee Agent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Version = "17367049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\ProductIcon = "C:\\Windows\\Installer\\{198F6BAC-DB05-420F-B6B6-1F0CDAED636B}\\icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14B3E41DD6913854DA0EAEC7579618D1\CAB6F89150BDF0246B6BF1C0ADDE36B6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAB6F89150BDF0246B6BF1C0ADDE36B6\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\PackageCode = "205A1A943CDC3A34F89AAA987C3B91FA"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14B3E41DD6913854DA0EAEC7579618D1	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2468	msedge.exe
2468	msedge.exe
4900	msedge.exe
4900	msedge.exe
5792	identity_helper.exe
5792	identity_helper.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4788	msiexec.exe
Token: SeSecurityPrivilege	2376	msiexec.exe
Token: SeCreateTokenPrivilege	4788	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4788	msiexec.exe
Token: SeLockMemoryPrivilege	4788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4788	msiexec.exe
Token: SeMachineAccountPrivilege	4788	msiexec.exe
Token: SeTcbPrivilege	4788	msiexec.exe
Token: SeSecurityPrivilege	4788	msiexec.exe
Token: SeTakeOwnershipPrivilege	4788	msiexec.exe
Token: SeLoadDriverPrivilege	4788	msiexec.exe
Token: SeSystemProfilePrivilege	4788	msiexec.exe
Token: SeSystemtimePrivilege	4788	msiexec.exe
Token: SeProfSingleProcessPrivilege	4788	msiexec.exe
Token: SeIncBasePriorityPrivilege	4788	msiexec.exe
Token: SeCreatePagefilePrivilege	4788	msiexec.exe
Token: SeCreatePermanentPrivilege	4788	msiexec.exe
Token: SeBackupPrivilege	4788	msiexec.exe
Token: SeRestorePrivilege	4788	msiexec.exe
Token: SeShutdownPrivilege	4788	msiexec.exe
Token: SeDebugPrivilege	4788	msiexec.exe
Token: SeAuditPrivilege	4788	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4788	msiexec.exe
Token: SeChangeNotifyPrivilege	4788	msiexec.exe
Token: SeRemoteShutdownPrivilege	4788	msiexec.exe
Token: SeUndockPrivilege	4788	msiexec.exe
Token: SeSyncAgentPrivilege	4788	msiexec.exe
Token: SeEnableDelegationPrivilege	4788	msiexec.exe
Token: SeManageVolumePrivilege	4788	msiexec.exe
Token: SeImpersonatePrivilege	4788	msiexec.exe
Token: SeCreateGlobalPrivilege	4788	msiexec.exe
Token: SeBackupPrivilege	392	vssvc.exe
Token: SeRestorePrivilege	392	vssvc.exe
Token: SeAuditPrivilege	392	vssvc.exe
Token: SeBackupPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe
Token: SeTakeOwnershipPrivilege	2376	msiexec.exe
Token: SeRestorePrivilege	2376	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4788	msiexec.exe
4788	msiexec.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3272	2376	msiexec.exe	104
PID 2376 wrote to memory of 3272	2376	msiexec.exe	104
PID 2376 wrote to memory of 3344	2376	msiexec.exe	107
PID 2376 wrote to memory of 3344	2376	msiexec.exe	107
PID 3780 wrote to memory of 4900	3780	explorer.exe	111
PID 3780 wrote to memory of 4900	3780	explorer.exe	111
PID 4900 wrote to memory of 1620	4900	msedge.exe	112
PID 4900 wrote to memory of 1620	4900	msedge.exe	112
PID 4320 wrote to memory of 2232	4320	nssm.exe	110
PID 4320 wrote to memory of 2232	4320	nssm.exe	110
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 1476	4900	msedge.exe	113
PID 4900 wrote to memory of 2468	4900	msedge.exe	114
PID 4900 wrote to memory of 2468	4900	msedge.exe	114
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115
PID 4900 wrote to memory of 3804	4900	msedge.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4788

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3272
- C:\Windows\explorer.exe
  explorer.exe http://localhost:8090/config
  2⤵
  PID:3344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Program Files\Caribou Store Agent\nssm.exe
"C:\Program Files\Caribou Store Agent\nssm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files\Caribou Store Agent\agent.exe
  "C:\Program Files\Caribou Store Agent\agent.exe"
  2⤵
  - Executes dropped EXE
  PID:2232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:8090/config
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb15df46f8,0x7ffb15df4708,0x7ffb15df4718
    3⤵
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2388 /prefetch:8
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    3⤵
    PID:5152
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
    3⤵
    PID:5776
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    3⤵
    PID:5864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
    3⤵
    PID:5872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
    3⤵
    PID:6136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
    3⤵
    PID:5132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3504 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576a44.rbs

Filesize
13KB

MD5
2270a75e6e9fbe116a90913ce729968b

SHA1
c0bb35a00f01c9e01626a01beaef6b14a3437454

SHA256
7d4727c8a71ec74de545a6f8a8f39730cceaabf6da9f8756759acdbb8053a493

SHA512
5f6c0473da7f133698fbed907a6c940a15027702b6dab50a0411dd4b8411e5a98d931d76763fca82b107fc4ac33c78f95922fcc2e6e7d4703488ea2f1035f5f1

Download Submit
C:\Program Files\Caribou Store Agent\agent.exe

Filesize
2.6MB

MD5
fa3af0f79f2e833be66e967d1628c137

SHA1
d668e7113a3f6dfb103099327a05fe1ca6f95aea

SHA256
aab48007434ae5bdbd0e33948cbc24f666553a6b5a4f404c30cbe4b65663883a

SHA512
6d2fd4f24cbb5e4f421136c32efa9f8ae2138f9af5c3850b7cea8ac43d97604ff39ce66f4f1e6eaa9163d7c25e9b1b895b2291cf31d6156f81e9f29016ebc8e4

Download Submit
C:\Program Files\Caribou Store Agent\agent.exe

Filesize
1.4MB

MD5
9622a520c033e4e6d1856a0b45a4223a

SHA1
f311c8d46a6cfd21f04994586e6a4caaba6f114f

SHA256
2beb73b16c58db0bb9735bd98bc581873ba3a2455d2a0605de93732297bf77c2

SHA512
30566bc665aa5d59462e116fa2d0583a8e73307a7a06011c9d403a4413b93c59e8cb5bed24f110d609f241048e772c632f843200ce119c88e325f0cec0445549

Download Submit
C:\Program Files\Caribou Store Agent\nssm.exe

Filesize
323KB

MD5
beceae2fdc4f7729a93e94ac2ccd78cc

SHA1
47c112c23c7bdf2af24a20bd512f91ff6af76bc6

SHA256
f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97

SHA512
073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f

Download Submit
C:\ProgramData\Caribou Store Agent\settings.ini

Filesize
283B

MD5
ca238047e3625815c9aeb7712919a087

SHA1
21677149f9dbaac6eeced7a4d8932a82e1570506

SHA256
a7b249bd5b16b4864f07b1f1abb9cd0f70577337e1110be72bded30df2526607

SHA512
a96bfc425ed8d8ce84c52d9ced0ebde000c9515c67d6c43470bbeaf604951da429c2fa8fb90aaeeaa8cc71203f1fd50c53aead4f673d925a8c6084345f05ae24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
719B

MD5
28bc19a7cc607d718102b84fc9f09871

SHA1
39d1445b8267f6c64398dbdc3b36cb8bf61779ee

SHA256
2182af4e3be8732f98cb14244373d1eb042f40b516f2a4fae039b0c4f536159d

SHA512
dcc21b668fdb55133ca0fe88530be15a312f59b968842a2f9ab1a5530cdf0a74e5c01efdd5ba5832452a4b0e24a0b4088521b2bf8ccd33efdfbeec60c9eede50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D682FDDA10064185EC8111DC39DBA8EC

Filesize
59KB

MD5
d44c096c595184e731fba1319240d9d3

SHA1
43ea77ca4e0e026b0862dfb41518aa2cc2acc793

SHA256
c302a39751c76e60361bd89230b38efe2f1af8c6da42fd9b1263a9c5b72ed722

SHA512
7ec65bfe06babd24b8fa7e593544f3e1874c913e1ec60e596dce3fcd1d3f111ed803d7bf0629546e4cca869a609e9b4be4b9d505e5bffd846484f825a16e171d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
446B

MD5
750f3d2c3b70350de310a7aeb4ce01a8

SHA1
640452f563ab10be87315bfd51910bcd9e401a55

SHA256
e6808ef5834bfdee1766f9ba6fd4667cd8558e527bbd9d9d9aa506ab77146935

SHA512
39ba55fa4e012610fe68b52fb82e976fcea58cea2f0d892c363d29636ca5825ee8cc915699b3032c11930803ca9c1ffe43a1cdde3e7e0bf67ec42d23374f6245

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D682FDDA10064185EC8111DC39DBA8EC

Filesize
308B

MD5
59d290035b43d37b13f415e50113334a

SHA1
c38ef73c5a43fdc6ab73f5688a0885538409fe59

SHA256
86fad88904bdadc8ffb916fc883145e66dee6229d0eaadd600f7cb391c8010bb

SHA512
be046cf7dfe37759e7d1cd5a63af97e85f550f6452154022312dd89c83cfaf12be156392ebbaf235941e5448ef2eeab21f4e4006619e0fbb1f5ca0d1a1e5e7c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
153df151cf0ea22df17d2e50302d0488

SHA1
7896e79e64d610b1ee35f0d2f700246ff1e60a04

SHA256
63460f8ce78fbdd9f1a997d2ad0ed870becb861d95e989bbe4af4e7cc22ccd9d

SHA512
796122c6b29fbe87f95387bd682d4f96f4dd109f57fce85621139f13b825d86ed8f0206e7acfca8e0f2782a7ff38eb79e51af07deb0f5d5ec7529886e517799f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82b61bbed08baddad92f598fb9a472d5

SHA1
ffc95be685582dd414f7092d43c9c32420118a8f

SHA256
10cfb0e5ecd93eb5bf9c5a1bb0ab2a2f21cc951bf896e107c569aa9558a630fe

SHA512
45e1f168088f2fc903a6e66e3d12b273fb2c206c166f1f2e3b31699a2bdc5213c161546bf834c95dfbb3cb4a88b71eb5b53958997c41d5d8f824d83cde815cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d270f3671d886173defcbe759df82dcf

SHA1
1c54912a77322dbc448913b97159cd7b3fe65f98

SHA256
8936873de30b3c14e0942402582d453cbf2dd9e6351e1cb2c9bf37724db324fe

SHA512
5cbd8fce5b9d1221eb19fde27828bd8d6ca00ded99699b22f583dee67a572aba642fbeb4a020e48aba70aa780149e76acd54a2a14cfe0b85dc5fb080a4ccff1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b72fa32ed94d261b129a8a8f539ff0cd

SHA1
8585070c343fb54bf7e71add391d57e8d4f09d35

SHA256
e8f6b4d9fe629ff4bf9884f963024930d33615f76ee4197318944737ddaed162

SHA512
326b9508bc854637eba8aef43091d0246990a3ee5810f693db4418dc7583728d7dbb14ef949756f65f20997c0f178827b593640c0258081cbadafbecf2793ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a0e069467eb8c60de9e328a58b0be29b

SHA1
dc20812137a8a051baaa2524090e821895a61a9d

SHA256
778b0773a6a8a7503a8586042d2d80a29cc8101d1069959106db3a662e5f1ece

SHA512
1fb5df644f2814c0dc1da382c7d78889d7133cc03e862d65e7348a089135182c93a5648936d03fa48a53cd7c76e2472fbedee8ec514be3920c5ac9a2333ab677

Download Submit
C:\Windows\Installer\e576a43.msi

Filesize
12.6MB

MD5
fc03130287142f12ebcdccea7325adc9

SHA1
44606aa0c2c0087472f6f3796857ebb6ae851840

SHA256
d767c8990cc471c09d36d52eca53c0a6e1de093a163aca4fb622d33c56d6b2e1

SHA512
e7304c98cfd8848651d43cd2e7b8575f14a1533b7b07fce1de71822dc78b6590028dc44b88d26772389d954d451b2917d610a8eaab17a3475c26e44b8bc5cd23

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
42KB

MD5
13c44f6fd8d6764715626ac8c8c7e6c0

SHA1
482992759adfa66856b5eca419042d062f9e7941

SHA256
2c1f5e16a6983ad7d60d79ae41f01241ed7869551cde62bd2bca7c7ec79457f5

SHA512
96501bd74d9bb86416a71e6482c685d69a16325a55d928d20a56526ff909784d10599028eec7354e8b1646fe61f9b35da0740bdb52d82afc07e9bcac35dafc3a

Download Submit
\??\Volume{2dcc6a48-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{826799e3-aec8-46a5-af39-a9cbf391af50}_OnDiskSnapshotProp

Filesize
6KB

MD5
ad5b8a51fbdf6ce67773dd8e714c7710

SHA1
b7e94f3bdbf69662d70ff1439b62ab5d2851cd27

SHA256
98bf3da381a946b26f40718a82611ebc8822a864a9a477b9a9e6f08993139b27

SHA512
2fd36152ca93bf1eed7091e5b6987ac4314665fc0d4f84d15bfe02627177bff3ff7d6dc3f3b4730d60171d1babb93b68b46a7eb96a87a9ae6b234d1950dedb44

Download Submit