1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf

Analysis

max time kernel
69s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ManualsViewer-v4.3.1215.0.msi
Size

5.0MB
MD5

0deea78b6ac2236f701fa82cb5c10918
SHA1

93d39ca0a3047db121460ad61057fadc059b6c3d
SHA256

1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf
SHA512

d5393c01ee510397cbce9264b4f87ed6d79f2b3ee4cea3f9b4fca4e5ce70c08ddb3f210327375f9cdca267408125274362ebe6cf79270881bb73dc5154e24587
SSDEEP

98304:sVHYDgFMyclbrPcGJ1Ea2x3PoFpSSgGN6o:QNMyI/t0foFpngGN6o

Score

6^/10

execution persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManualsViewerUpdater = "cmd /c \"start /min /d \"C:\\Users\\Admin\\AppData\\Local\\ManualsViewer\\\" node.exe update.js --reboot\""	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c3fc.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9E5CF1E9-AB5B-402B-A63F-F95DFFD84B31}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI176.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI486.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c3fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B77.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF414.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI205.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B6.tmp	msiexec.exe

Loads dropped DLL 18 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
4960	MsiExec.exe
4960	MsiExec.exe
4960	MsiExec.exe
4960	MsiExec.exe
4960	MsiExec.exe
4960	MsiExec.exe
4960	MsiExec.exe
4960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe
2960	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2712 powershell.exe

pid	process
2712	powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exemsiexec.exe

pid process

2712 powershell.exe
2712 powershell.exe
2712 powershell.exe
5060 msiexec.exe
5060 msiexec.exe

pid	process
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
5060	msiexec.exe
5060	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1748	msiexec.exe
Token: SeSecurityPrivilege	5060	msiexec.exe
Token: SeCreateTokenPrivilege	1748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1748	msiexec.exe
Token: SeLockMemoryPrivilege	1748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1748	msiexec.exe
Token: SeMachineAccountPrivilege	1748	msiexec.exe
Token: SeTcbPrivilege	1748	msiexec.exe
Token: SeSecurityPrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeLoadDriverPrivilege	1748	msiexec.exe
Token: SeSystemProfilePrivilege	1748	msiexec.exe
Token: SeSystemtimePrivilege	1748	msiexec.exe
Token: SeProfSingleProcessPrivilege	1748	msiexec.exe
Token: SeIncBasePriorityPrivilege	1748	msiexec.exe
Token: SeCreatePagefilePrivilege	1748	msiexec.exe
Token: SeCreatePermanentPrivilege	1748	msiexec.exe
Token: SeBackupPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeShutdownPrivilege	1748	msiexec.exe
Token: SeDebugPrivilege	1748	msiexec.exe
Token: SeAuditPrivilege	1748	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1748	msiexec.exe
Token: SeChangeNotifyPrivilege	1748	msiexec.exe
Token: SeRemoteShutdownPrivilege	1748	msiexec.exe
Token: SeUndockPrivilege	1748	msiexec.exe
Token: SeSyncAgentPrivilege	1748	msiexec.exe
Token: SeEnableDelegationPrivilege	1748	msiexec.exe
Token: SeManageVolumePrivilege	1748	msiexec.exe
Token: SeImpersonatePrivilege	1748	msiexec.exe
Token: SeCreateGlobalPrivilege	1748	msiexec.exe
Token: SeCreateTokenPrivilege	1748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1748	msiexec.exe
Token: SeLockMemoryPrivilege	1748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1748	msiexec.exe
Token: SeMachineAccountPrivilege	1748	msiexec.exe
Token: SeTcbPrivilege	1748	msiexec.exe
Token: SeSecurityPrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeLoadDriverPrivilege	1748	msiexec.exe
Token: SeSystemProfilePrivilege	1748	msiexec.exe
Token: SeSystemtimePrivilege	1748	msiexec.exe
Token: SeProfSingleProcessPrivilege	1748	msiexec.exe
Token: SeIncBasePriorityPrivilege	1748	msiexec.exe
Token: SeCreatePagefilePrivilege	1748	msiexec.exe
Token: SeCreatePermanentPrivilege	1748	msiexec.exe
Token: SeBackupPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeShutdownPrivilege	1748	msiexec.exe
Token: SeDebugPrivilege	1748	msiexec.exe
Token: SeAuditPrivilege	1748	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1748	msiexec.exe
Token: SeChangeNotifyPrivilege	1748	msiexec.exe
Token: SeRemoteShutdownPrivilege	1748	msiexec.exe
Token: SeUndockPrivilege	1748	msiexec.exe
Token: SeSyncAgentPrivilege	1748	msiexec.exe
Token: SeEnableDelegationPrivilege	1748	msiexec.exe
Token: SeManageVolumePrivilege	1748	msiexec.exe
Token: SeImpersonatePrivilege	1748	msiexec.exe
Token: SeCreateGlobalPrivilege	1748	msiexec.exe
Token: SeCreateTokenPrivilege	1748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1748	msiexec.exe
Token: SeLockMemoryPrivilege	1748	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1748 msiexec.exe
1748 msiexec.exe

pid	process
1748	msiexec.exe
1748	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 5060 wrote to memory of 4960	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 4960	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 4960	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 4072	5060	msiexec.exe	srtasks.exe
PID 5060 wrote to memory of 4072	5060	msiexec.exe	srtasks.exe
PID 5060 wrote to memory of 2960	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 2960	5060	msiexec.exe	MsiExec.exe
PID 5060 wrote to memory of 2960	5060	msiexec.exe	MsiExec.exe
PID 2960 wrote to memory of 2712	2960	MsiExec.exe	powershell.exe
PID 2960 wrote to memory of 2712	2960	MsiExec.exe	powershell.exe
PID 2960 wrote to memory of 2712	2960	MsiExec.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ManualsViewer-v4.3.1215.0.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3560F7ABCDC04C1188BA78E1E664BDA7 C
2⤵
- Loads dropped DLL
PID:4960

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4072

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CA05154735C726875592AD8B57202D08
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF5AD.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiF5AA.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrF5AB.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrF5AC.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2288

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe
Filesize
275KB

MD5
3e34fe938047483111053beb4bada320

SHA1
6bc5b1d97ec9f6efe792c7c4600191a75c437e8c

SHA256
d79db4add67490ec6070fb0750ab667becec4751d5316c81f8e2c6813d0fcbcd

SHA512
8ec758c9ea9a4aa066f3641d3ee3ed41d5c3417273081f65f355d28e47b11556b2457ad3770af3fef1491977f9d6c1d91be849a1eb73e1ecbc10c5ab80e66cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI74E2.tmp
Filesize
738KB

MD5
d0c9613582605f3793fdad7279de428b

SHA1
8b3e9fb67c7beb20706544d360ee13c3aad9c1d1

SHA256
8bd84f1156ebdfa44afaac8a4579ba56a8c7513e3d51e00822167ea144923726

SHA512
3640a0f53730cad7323473f99a2049833db58eaed00f94b75b4a03b07cc8af99c104a40b2e888307055a5c9740b5fea4b394aa15bc78a3102088cc0770713eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgroonin.xlp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssF5AD.ps1
Filesize
36KB

MD5
7dc43ea8bb420287894f3fc68efd4d15

SHA1
f6b0f90586986f968cfa7958f917db8dda54de34

SHA256
579c430cd0bb6c24e614076155e245ff7acd74e8b429854acdc61e200c205395

SHA512
21a29042ac2b8796390b13ecbe5526485c420dc07da918de732b1c8088dc54198c349f2612cc4d800025e6fb4aa00db12997e46454cc2ccf9ad5efc51271ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrF5AB.ps1
Filesize
31KB

MD5
df9bb699dfb6aa697c3263769529b815

SHA1
100ef96b36711304020d60535c4d1a2bf2b235b3

SHA256
ba6d2b558c6021fc77cb888a174137d9c9874777ab3e8caa804cf9c3e2e60733

SHA512
2498780c7bcce850f44e6a211e9b83781d8df546ef1147d383aba51dc71e72249089484f9d4c4f841c0afdd98f13348940b9209eab8093ef5e748e272f73a54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrF5AC.txt
Filesize
248B

MD5
ec0695d4cdb5e693b3914d11e719bb5b

SHA1
0fc11588fed0d301afd244e7b783414e850c28ce

SHA256
1ba462462fb0eac0fdabf9fd675f513a3738eac61e364e604ed3aaa108bd7b0c

SHA512
3599d2dab6d0a6636254f02396c2608e6d5997f9e2a539c503c80b53812af4a2033d57077e00dc26688bd20ba65fbe2bb7a6d517384380238cd09916af4820d1

Download Submit
C:\Windows\Installer\MSI1C5.tmp
Filesize
512KB

MD5
d1395cc27fabb23ff098c0954b7725a7

SHA1
b782d01c84471849d92e130e5af448de8040bd58

SHA256
a2f7155c0ce5e3c69fdcff6d89df011a6d4715eae2853104f2480800d63eb69e

SHA512
a5c531d4cb099e91a498dd738804eaf8f47573bb802d15bc550c438ca117ea61258cc886ede7b91f83b9570f73f3bd3c08718819868a1e92249fcb3d5bcdb914

Download Submit
C:\Windows\Installer\MSI205.tmp
Filesize
757KB

MD5
5a72f5f620d7363c21dac3c062225203

SHA1
e083f31c15020d54e42103099dc240be4cbb7430

SHA256
b312faf20d72a4e44be87530beb446298c85fef73c79130c6d13aae6720f585c

SHA512
c742314859a75672f8e049ef52db54e48d34b48b9ee6c6e8677ae376d6f0aef6589ffdce90b37c9f8b987ea35d2ec42a07937ce0ba05f3158bf0c79a4f0db987

Download Submit
C:\Windows\Installer\MSIF414.tmp
Filesize
759KB

MD5
a2317ebf66616e3b13218b2b9739cf74

SHA1
9fbdf90fb9d2bc93f025c16c94347eb817908d9d

SHA256
d6a3c9c614fa4491a1bd988d86687515e15edf7e0cfde2159d0850bf2c5c7c89

SHA512
8d11a2174e3ac7eefc776ff3d95ac65517c4af78f2880b84c6ce1ed65990e769cdbd5cc3d5755cc0dd9fc69a7c2408b32dde6205503f9a67ec96008c87b1f2e3

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
616cb08610f6ea0b3a9eb3f6e3d77457

SHA1
b9787e3ebd93c41161c1775580f839987109c6d2

SHA256
3724583777fae3bd145a1b1c2851c84c016df111bfd17ac58957e5ab019b4b27

SHA512
90d48e93c8cf8e2b782cd5e2ac1a68c798ea5be43f6ffb0b1325f69d03ee43211bd72b33ae0b5224dd8539d8026b664795489f79cfcd337724ed9c2514c16c41

Download Submit
\??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bcd867be-6d97-4482-88c9-78c217e15af6}_OnDiskSnapshotProp
Filesize
6KB

MD5
7a9e42da0964637f8f94114e9aee08e0

SHA1
e37af8d288837018c43c4df1ae3cb7a609a86403

SHA256
13e1f8dc5c4f77cb70e1040eca54cd24ac87a9bb7f96b90bf0b3ddea3eaa73f7

SHA512
6a3f182567a246221a53ea5930b24cca65859377e2a0971bb499cfaa3e5d56c4744c1f9359428638b565c5c4acb081adb57a29f492dc885f7a53a33a20f08d3b

Download Submit
memory/2712-64-0x0000000005C00000-0x0000000005C4C000-memory.dmp

Filesize
304KB

Download
memory/2712-70-0x0000000007BB0000-0x0000000008154000-memory.dmp

Filesize
5.6MB

Download
memory/2712-62-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/2712-66-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/2712-67-0x0000000006110000-0x000000000612A000-memory.dmp

Filesize
104KB

Download
memory/2712-68-0x0000000006EB0000-0x0000000006F46000-memory.dmp

Filesize
600KB

Download
memory/2712-69-0x0000000006D90000-0x0000000006DB2000-memory.dmp

Filesize
136KB

Download
memory/2712-63-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/2712-52-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/2712-51-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/2712-73-0x0000000007260000-0x0000000007422000-memory.dmp

Filesize
1.8MB

Download
memory/2712-74-0x0000000008690000-0x0000000008BBC000-memory.dmp

Filesize
5.2MB

Download
memory/2712-75-0x0000000007170000-0x0000000007202000-memory.dmp

Filesize
584KB

Download
memory/2712-50-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/2712-49-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/2712-48-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads