Analysis
max time kernel: 55s
max time network: 59s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/04/2024, 15:42

Static task: static1
Behavioral task: behavioral1
  Sample: wsl.2.2.1.0.x64.msi
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: wsl.2.2.1.0.x64.msi
  Resource: win10v2004-20240412-en

General
Target: wsl.2.2.1.0.x64.msi
Size: 127.9MB
MD5: 9fc9981ad0ed1c2f491b9e60640da2da
SHA1: a5cb4037dc41dd38e040b9fecfd6681d4d76bcdf
SHA256: b154410976d75f26c96f5d49180de15c3a5291f94fadf451fd66e8a747a3d6a2
SHA512: cb5a34eef3afc2ca5b60ba426da5d1b68622b953901b4bb289d6a164d1b8f7333e6149bf9114aa4fd25c3612c7214d402a4a75732821596b208e24941c2e716e
SSDEEP: 3145728:j7UGtbu/G5X2DAuV3KY/NGNWOMboQn0WEhyCp7hjh:8eu/yXluIosNSbtyF
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
flow  pid   Process
19    2908  msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 18 IoCs
Loads dropped DLL 8 IoCs
pid   Process
4072  MsiExec.exe
4072  MsiExec.exe
3380  MsiExec.exe
4072  MsiExec.exe
4072  MsiExec.exe
4072  MsiExec.exe
3380  MsiExec.exe
4072  MsiExec.exe
Registers COM server for autorun 1 TTPs 20 IoCs
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies Internet Explorer settings 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\GPU  wwahost.exe
Key created  \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU  wwahost.exe
Modifies data under HKEY_USERS 3 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26  msiexec.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid   Process
2880  msiexec.exe
2880  msiexec.exe
2576  wwahost.exe
2576  wwahost.exe
1000  LocalBridge.exe
1000  LocalBridge.exe
1000  LocalBridge.exe
1000  LocalBridge.exe
1000  LocalBridge.exe
1000  LocalBridge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2908  msiexec.exe
2908  msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2576  wwahost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process      procid_target
PID 2880 wrote to memory of 5080  2880  msiexec.exe  107
PID 2880 wrote to memory of 5080  2880  msiexec.exe  107
PID 2880 wrote to memory of 4072  2880  msiexec.exe  109
PID 2880 wrote to memory of 4072  2880  msiexec.exe  109
PID 2880 wrote to memory of 3380  2880  msiexec.exe  110
PID 2880 wrote to memory of 3380  2880  msiexec.exe  110
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wsl.2.2.1.0.x64.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2908

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Registers COM server for autorun
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2880

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID: 5080

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 73BCD52004BED9082FCDF6EFA51CBD40 E Global\MSI0000
    - Loads dropped DLL
    PID: 4072

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding AD1033389435F9A47FB162C63DF27DFA
    - Loads dropped DLL
    PID: 3380

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 1616

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
  PID: 2500

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
  Command line: "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
  - Suspicious behavior: EnumeratesProcesses
  PID: 1000

C:\Windows\system32\wwahost.exe
  Command line: "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2576
Network
MITRE ATT&CK Enterprise v15
Downloads