1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf

Analysis

max time kernel
112s
max time network
114s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
15-06-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ManualsViewer-v4.3.1215.0.msi
Size

5.0MB
MD5

0deea78b6ac2236f701fa82cb5c10918
SHA1

93d39ca0a3047db121460ad61057fadc059b6c3d
SHA256

1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf
SHA512

d5393c01ee510397cbce9264b4f87ed6d79f2b3ee4cea3f9b4fca4e5ce70c08ddb3f210327375f9cdca267408125274362ebe6cf79270881bb73dc5154e24587
SSDEEP

98304:sVHYDgFMyclbrPcGJ1Ea2x3PoFpSSgGN6o:QNMyI/t0foFpngGN6o

Score

8^/10

execution persistence

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

Processes:

msiexec.exepowershell.exeMsiExec.exepowershell.exe

flow	pid	process
2	2300	msiexec.exe
3	2300	msiexec.exe
4	2300	msiexec.exe
7	2408	powershell.exe
9	2080	MsiExec.exe
10	2080	MsiExec.exe
11	2080	MsiExec.exe
12	2080	MsiExec.exe
13	224	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManualsViewerUpdater = "cmd /c \"start /min /d \"C:\\Users\\Admin\\AppData\\Local\\ManualsViewer\\\" node.exe update.js --reboot\""	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\SystemTemp\~DFE032336D6A9AB572.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F2E.tmp	msiexec.exe
File created	C:\Windows\Installer\e582f2b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D78.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C59.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D49.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e582f29.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF45F9009464177223.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3CBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F5E.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD8D158E62BEBB5C4.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1073A65D61AC2D83.TMP	msiexec.exe
File created	C:\Windows\Installer\e582f29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C6B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9E5CF1E9-AB5B-402B-A63F-F95DFFD84B31}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D19.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

ManualsViewer.exe

pid process

4788 ManualsViewer.exe

pid	process
4788	ManualsViewer.exe

Loads dropped DLL 27 IoCs

Processes:

MsiExec.exeMsiExec.exeManualsViewer.exe

pid	process
5008	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
4788	ManualsViewer.exe
4788	ManualsViewer.exe
4788	ManualsViewer.exe
4788	ManualsViewer.exe
4788	ManualsViewer.exe
4788	ManualsViewer.exe
4788	ManualsViewer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2408 powershell.exe
224 powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ee7f732e8cf5793f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ee7f732e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ee7f732e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dee7f732e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ee7f732e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exemsiexec.exepowershell.exemsedgewebview2.exemsedgewebview2.exe

pid	process
2408	powershell.exe
2408	powershell.exe
1196	msiexec.exe
1196	msiexec.exe
224	powershell.exe
224	powershell.exe
1180	msedgewebview2.exe
1180	msedgewebview2.exe
3564	msedgewebview2.exe
3564	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedgewebview2.exe

pid process

396 msedgewebview2.exe
396 msedgewebview2.exe
396 msedgewebview2.exe

pid	process
396	msedgewebview2.exe
396	msedgewebview2.exe
396	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2300	msiexec.exe
Token: SeSecurityPrivilege	1196	msiexec.exe
Token: SeCreateTokenPrivilege	2300	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2300	msiexec.exe
Token: SeLockMemoryPrivilege	2300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2300	msiexec.exe
Token: SeMachineAccountPrivilege	2300	msiexec.exe
Token: SeTcbPrivilege	2300	msiexec.exe
Token: SeSecurityPrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeLoadDriverPrivilege	2300	msiexec.exe
Token: SeSystemProfilePrivilege	2300	msiexec.exe
Token: SeSystemtimePrivilege	2300	msiexec.exe
Token: SeProfSingleProcessPrivilege	2300	msiexec.exe
Token: SeIncBasePriorityPrivilege	2300	msiexec.exe
Token: SeCreatePagefilePrivilege	2300	msiexec.exe
Token: SeCreatePermanentPrivilege	2300	msiexec.exe
Token: SeBackupPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeShutdownPrivilege	2300	msiexec.exe
Token: SeDebugPrivilege	2300	msiexec.exe
Token: SeAuditPrivilege	2300	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2300	msiexec.exe
Token: SeChangeNotifyPrivilege	2300	msiexec.exe
Token: SeRemoteShutdownPrivilege	2300	msiexec.exe
Token: SeUndockPrivilege	2300	msiexec.exe
Token: SeSyncAgentPrivilege	2300	msiexec.exe
Token: SeEnableDelegationPrivilege	2300	msiexec.exe
Token: SeManageVolumePrivilege	2300	msiexec.exe
Token: SeImpersonatePrivilege	2300	msiexec.exe
Token: SeCreateGlobalPrivilege	2300	msiexec.exe
Token: SeCreateTokenPrivilege	2300	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2300	msiexec.exe
Token: SeLockMemoryPrivilege	2300	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2300	msiexec.exe
Token: SeMachineAccountPrivilege	2300	msiexec.exe
Token: SeTcbPrivilege	2300	msiexec.exe
Token: SeSecurityPrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeLoadDriverPrivilege	2300	msiexec.exe
Token: SeSystemProfilePrivilege	2300	msiexec.exe
Token: SeSystemtimePrivilege	2300	msiexec.exe
Token: SeProfSingleProcessPrivilege	2300	msiexec.exe
Token: SeIncBasePriorityPrivilege	2300	msiexec.exe
Token: SeCreatePagefilePrivilege	2300	msiexec.exe
Token: SeCreatePermanentPrivilege	2300	msiexec.exe
Token: SeBackupPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeShutdownPrivilege	2300	msiexec.exe
Token: SeDebugPrivilege	2300	msiexec.exe
Token: SeAuditPrivilege	2300	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2300	msiexec.exe
Token: SeChangeNotifyPrivilege	2300	msiexec.exe
Token: SeRemoteShutdownPrivilege	2300	msiexec.exe
Token: SeUndockPrivilege	2300	msiexec.exe
Token: SeSyncAgentPrivilege	2300	msiexec.exe
Token: SeEnableDelegationPrivilege	2300	msiexec.exe
Token: SeManageVolumePrivilege	2300	msiexec.exe
Token: SeImpersonatePrivilege	2300	msiexec.exe
Token: SeCreateGlobalPrivilege	2300	msiexec.exe
Token: SeCreateTokenPrivilege	2300	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2300	msiexec.exe
Token: SeLockMemoryPrivilege	2300	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exemsedgewebview2.exe

pid process

2300 msiexec.exe
2300 msiexec.exe
396 msedgewebview2.exe
396 msedgewebview2.exe
396 msedgewebview2.exe
396 msedgewebview2.exe

pid	process
2300	msiexec.exe
2300	msiexec.exe
396	msedgewebview2.exe
396	msedgewebview2.exe
396	msedgewebview2.exe
396	msedgewebview2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeManualsViewer.exemsedgewebview2.exe

description	pid	process	target process
PID 1196 wrote to memory of 5008	1196	msiexec.exe	MsiExec.exe
PID 1196 wrote to memory of 5008	1196	msiexec.exe	MsiExec.exe
PID 1196 wrote to memory of 5008	1196	msiexec.exe	MsiExec.exe
PID 1196 wrote to memory of 5040	1196	msiexec.exe	srtasks.exe
PID 1196 wrote to memory of 5040	1196	msiexec.exe	srtasks.exe
PID 1196 wrote to memory of 2080	1196	msiexec.exe	MsiExec.exe
PID 1196 wrote to memory of 2080	1196	msiexec.exe	MsiExec.exe
PID 1196 wrote to memory of 2080	1196	msiexec.exe	MsiExec.exe
PID 2080 wrote to memory of 2408	2080	MsiExec.exe	powershell.exe
PID 2080 wrote to memory of 2408	2080	MsiExec.exe	powershell.exe
PID 2080 wrote to memory of 2408	2080	MsiExec.exe	powershell.exe
PID 2080 wrote to memory of 224	2080	MsiExec.exe	powershell.exe
PID 2080 wrote to memory of 224	2080	MsiExec.exe	powershell.exe
PID 2080 wrote to memory of 224	2080	MsiExec.exe	powershell.exe
PID 4788 wrote to memory of 396	4788	ManualsViewer.exe	msedgewebview2.exe
PID 4788 wrote to memory of 396	4788	ManualsViewer.exe	msedgewebview2.exe
PID 396 wrote to memory of 3472	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 3472	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 4728	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 1180	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 1180	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 2528	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 2528	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 2528	396	msedgewebview2.exe	msedgewebview2.exe
PID 396 wrote to memory of 2528	396	msedgewebview2.exe	msedgewebview2.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ManualsViewer-v4.3.1215.0.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2300

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F2E09D08F954CC4C74FAA22EEABB32E0 C
2⤵
- Loads dropped DLL
PID:5008

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:5040

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7B50266AF4579338C456419C324C2055
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss30D2.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi30B0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr30B1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr30B2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\ManualsViewer\pss4E72.ps1" -propFile "C:\Users\Admin\AppData\Local\ManualsViewer\msi4E60.txt" -scriptFile "C:\Users\Admin\AppData\Local\ManualsViewer\scr4E61.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\ManualsViewer\scr4E62.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3480

C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe
"C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe" /register
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4788

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=4788.1252.6005455686885923100
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:396

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x1bc,0x7ffaf72e3cb8,0x7ffaf72e3cc8,0x7ffaf72e3cd8
3⤵
PID:3472

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
3⤵
PID:4728

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2344 /prefetch:8
3⤵
PID:2528

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
3⤵
PID:884

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
3⤵
PID:3872

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4224 /prefetch:8
3⤵
PID:4140

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5052 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1892,4146069953081522302,1434917401091246937,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
3⤵
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582f2a.rbs
Filesize
1.8MB

MD5
cfeea4bad3a13699800b493186e7a7b8

SHA1
2ec58d5d89322acddf4c122893860dd237fbe4f0

SHA256
71197b0a14bc589c411cee9a02338a315bb1a9a3b4c39ab79279761320704d28

SHA512
01020439ff4d26ae8f692244dffffdca502de520091be1bc877aa5c5be5e5871df3939c7d6fba72ff150806dc1fcb4010d43a193d8aa16e020712adb3846f3b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_4B24743B8F91CE797D24B8FCFCA3C262
Filesize
1KB

MD5
94b5e5c658bd14c419d4d0881a6a5ad6

SHA1
83bb1787a2a1bc730475cfc6d581f02426a66c1e

SHA256
fcf1937ecdf04f82526059afe293e2d693f9fb881dcc99cc7862b6021b826207

SHA512
19735f6ff418dcee79436b2c770f0ab365348d23990a167d856292dc53de608fce5e0aa5706a9ac6abedaab01ea4c8e4b467d9bed1aadbb68837f7076a7f3c4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize
1KB

MD5
767ae1d6e1c7bcd251b598199f361b39

SHA1
6c1eb27934eb0f94892c63df5ce95dafac0582ad

SHA256
39e17c9d21c8fa1671c35db217e3b0a6af18288dada7dfa1f9e0a47794d958af

SHA512
56099bd2d9c3278b14f3f20b935f5b7a9c3666400712b21d7c5d428302e647a087faad73330057d65e385708233b9fcd8b34d510bfc4c6e4b4853c94fe4af7cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_4B24743B8F91CE797D24B8FCFCA3C262
Filesize
536B

MD5
d6a66653b894fb87c95990318844ca05

SHA1
031ac26090c76c7fa0506fb53a2e0e344daa6d4d

SHA256
d9c29efce15f06ad9338204f3bfee63f64b989c1dbd01ea91db159cbb5826649

SHA512
d593e939a872301c0c42b306a02e981d9037e56585e1e5c797136d14b32e90ea1835edd76c358480625600ec49f870d41b15142febfae53e642e2d90b55d9db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize
536B

MD5
801e1653e73029c4194be3e95a87e5e3

SHA1
7306baed7447e4d2f55a685f7af84018ec1e32bd

SHA256
b7256cb8bb34cd6d4a354b8a1ae9c9094cc0dd7be922b005e3f777e69adc889f

SHA512
6f6e432a2777994a81c00e1633de37c31a97c191560582d917c669db190aa2302eea64d9ae9c80fa2d69036f25bafe4ba161d48615c15278bc5e574bb5a6cd60

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe
Filesize
275KB

MD5
3e34fe938047483111053beb4bada320

SHA1
6bc5b1d97ec9f6efe792c7c4600191a75c437e8c

SHA256
d79db4add67490ec6070fb0750ab667becec4751d5316c81f8e2c6813d0fcbcd

SHA512
8ec758c9ea9a4aa066f3641d3ee3ed41d5c3417273081f65f355d28e47b11556b2457ad3770af3fef1491977f9d6c1d91be849a1eb73e1ecbc10c5ab80e66cf7

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\8d0a1e3b-494f-4f24-974b-7ba362307318.tmp
Filesize
8KB

MD5
2f97bc960896eb2878252eacbff3fbba

SHA1
86ea03e399edc6fc0b9cab1addc93c97337f9688

SHA256
795e78b0d0338e8495e2cae6c4678710a59e9040d938deb66e2fe7780e2e1016

SHA512
c89ea99c37dc4f01ebd0d8f4d68078fd4aa78112fd4f907813c7b4ec5ac0d252285d99ea5b51d4e9f17611ecca4eb54084ede6ed46cae181a37b88798577ea1a

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
152B

MD5
9ac55e6243fd9f7b9959a2f5facd2f93

SHA1
e9bce388a0179fe7bc0a5587e9feedb0ef6dc7c5

SHA256
15bc5f0139e74a33bb45ad16a918fd47cb9741fc65aa60ab7f71cf73ce000fcb

SHA512
ef30c6ab3abfef0a80b09b9015335be1c6ebfdb0c8edf9132625ef966a6d3a2edc3e1b80c382f99345ac2648bff59465cd3163d1ed119e615a0824a655daa41e

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
152B

MD5
fb0bfbc47b52415d53f83f00dcf1963a

SHA1
407f3106c93b93bf432eac0b9b703bce80ff5970

SHA256
f924f900883e5aa8b514e3bdb87ed7d94309f29ba636bde561ba634ac8643959

SHA512
97a35174f7b02c627c046bc57ac96079c292e8ad99062eab52e27c8a52015af1cbdc37bc3a4513811c5d5949f9ae06a6a744bfd93c71e08e447efe251b981e37

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Cache\f_000010
Filesize
22KB

MD5
1ae9f8369e537dac217f0d07326a9163

SHA1
381d5a558d62b7782d7f453b66260e4e8154882e

SHA256
d5b39a11704091c09232c563b95d76a4c12eb818f194c5ab5c9a5cf7748163f7

SHA512
effd14e9b68cb147911201c17009e3c82c027d8de3117075406c2e456fc5e05294359fd232b0cbad9c338424de2503f943b5e1fc15a5b88ba9e36d72e18b3e80

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
e4c8631223db92f22d037fd644f68384

SHA1
e2ea1b30f0d41e9a7fad7c9e6e1ebd29cb33b2bc

SHA256
309a9b2a871f1b10d3eb31cf9e812c1fe0e3e8b853f6f9ae1481b15805789096

SHA512
46c174028f4a8a8944c100d6142c157eb1de657fea6a162dc7cd59603306b90db31f465b6c22457e47cc4af9f7884afea1b86bce9a68d11493b9590a27ef0673

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
26a8db8043472f0db0878229e64655f8

SHA1
c0bc3d33732adc3091473c866b45d6dc3fbc1c66

SHA256
c7235878acea8c6c20a863ef514739a9bc5f7862b5dc5a0e57d6b34932a3ba15

SHA512
2840f3eb909007177303550b6c6cee5353202f9c604f06bf7161ad9870436c0ae5f33040327fd1b7b3463ac4a1e0951fa4033041374ff43c1434c8d48642cbee

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
576B

MD5
031f15c96b449f08ca71bbad806f7737

SHA1
04067a85ac951d5aaaf07314eeca85eb8a95d15d

SHA256
6f4f128cd78f1c05f9b473ae2bd57c04b92052db2415d92373046c9cc7b80c6c

SHA512
03ae5bc0df400db8abcc3834eaed5285f600ad4c7762298683127fb41bb9f732924f20b1600287b9b2b827041c1a174e7b78df9159d844caff42414ba26a4415

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\GPUCache\data_1
Filesize
264KB

MD5
94f4e32bc9ef77b3dec102dea7b02983

SHA1
a6a0eb8a321757962cde68645475d0629f3ad7cf

SHA256
6ecbaae25c0313a856a53afc9ad77b02e772cd4e58fd253b26bf04d28022e0de

SHA512
513c531e0d8b1daab353beccfc65a2bf38ce590449d90f5e762d10861d6234381d02865bfbfbfb5eee6dc46bba9e410519079bfad9af119cc2f92de658d9c237

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Network Persistent State
Filesize
2KB

MD5
36561cfd3e1b7a9cddf432edfc2947e3

SHA1
69defbe9ec78f6fd7e23f05f99f4fd85e9adb443

SHA256
0a45872702e4d425728c2f199a312304739484453a5b95eeee7cd0d65cf508f2

SHA512
9c794f0e13a91f1a51adf3ff5491688ca26868d77c9bf2838c14c8ac24ae4cb332d435775c6b4c205f06b405c237507962b54c09c3f59df0cca77bb98c6e3a00

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Network Persistent State~RFe5903ee.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Preferences
Filesize
6KB

MD5
fb4f21c7313cd4b461b9b335cd05a9d9

SHA1
d9d9723e8b1f5f76aedc50ee0db7ca1b409fde8d

SHA256
54d1189c45f63314693209adeba440c91f23d6518d0873896ca6e7343245e65a

SHA512
c4a6e1bb86b4be374c3ef4333d5b4ee3da1ae47dc717432b3571b0c2bbb9c930564754cce13d3ba8f1cca3c033bf15e71d6b607ef0465ff6db5374548c04b03a

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Preferences~RFe5903bf.TMP
Filesize
4KB

MD5
08347853435ee3e64fbe8b0828a9d0bc

SHA1
b5ae69c028b871b9b88d0557c03173166cbaa94b

SHA256
e660225bd44077745191258c8e55631c4113fb56061ad9fcb2d81346aa483976

SHA512
5a0df9caa48d43b340a048a571a74a0e5eee558db3e3ae82f367428b0c0ff9ed04c55174a6b25b9bd23f5599bd14883895a3eb1009e97e190efa585d206ff21c

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\b9b4cfe7-9fed-4f0c-9b05-5784d41f25b8\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\b9b4cfe7-9fed-4f0c-9b05-5784d41f25b8\index-dir\the-real-index
Filesize
408B

MD5
db51b7d4e144a773b1ef4f2de0ed53b6

SHA1
65245b6e076bf442456570a2817148e994cc541f

SHA256
10834a4ecf3a58d850a413f3ebf8237307a7b5e895f316eee82a4994f499d652

SHA512
f5239c7d9d4648b6686f18d26c4de37e41ae5e21b18c34eb93558b4854c8cf018e2322b79d0727050bdad091f5f807e5e703428a013ff647a886eccce98e73b7

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\b9b4cfe7-9fed-4f0c-9b05-5784d41f25b8\index-dir\the-real-index~RFe586e36.TMP
Filesize
48B

MD5
c2ea9ff10b98f54cb2ebfea6823d1e82

SHA1
e790afdfb8b6ff1655575252804f4b414a62c5e2

SHA256
15ea4b89895023c90bbb30e258c94701f02482dc304962c0da9b9e2fdbdd14f2

SHA512
1b4c211afd8e529e30ca1de472209650401cb951f469e2ae2f30b3c227e79808a220c75f87ab8cd5a0cb9666d77b43981f943a8cb6f00c300ce7803ec14c5f2e

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\index.txt
Filesize
138B

MD5
84704e0a4eeb27c76d80bd9b25849abf

SHA1
63af9badf447a4bb30c0455b100d8fbb383d845f

SHA256
690de7398b421b5350597e59175e534332d188303477dff9f7784f466a6711c7

SHA512
263ca183851f6d46a0abf0e3ad1d9c9d0f986e16972668f04087bc28267ab6dc7b9183e5c8a473aad717f4d8c072a91c890f72cf175b1499f0e236052bfbf7a6

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\index.txt
Filesize
133B

MD5
cf89d9e0c30ee0c9786e88322f203308

SHA1
8e4a18d6efc7bde3ecd5e31bff671eef3c63151f

SHA256
c371f05b0701bd1c4c130fc2e68b739b8e0f0def26222bd4956f813b0d74ae0d

SHA512
28300b25254556a1123213283c7cc8c4ddbd936be83036ac6600e75ee8ae9b82577182817de5ab1c99534150ebc049bed4481c309b526be2778f86b3cf65808f

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
48B

MD5
6d150c117c4aef00d2d00dd6cae5ba86

SHA1
02e6c892d6c3a48afface0cad90f57da9b0ba477

SHA256
a4e461b70073181d105166d68a01fd9b893fd78644473976c9f02e04ffca3d7c

SHA512
6abca6c2171286e796137e525bdac17468e78ea9b3eb76424b9016bc326a235f5218c450230ed132d4397b3d48ae00864a7f3850839ba5fbbb9b8236c7743455

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
48B

MD5
08ea51b888fdd5298408338697f7596f

SHA1
fb4a7119f2e4edf18b45428ed532fddab8749d6e

SHA256
3feb437ff7327a09d499f3ebea39422d6224f7a1e7e7af557461bbd688c5eb6c

SHA512
421e68202ce2b77fea0de38427d5e08e2248b69b3fd12cc5b643a4656d98488e5b1e70d46cb0478d1519eab2d4bf171e6c7360ff26950e0e4a580d421dbd963b

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58bc65.TMP
Filesize
48B

MD5
d0b664510ce525792a7fccb5cf660b6b

SHA1
a822b779fb174e7aa71eba58a89561fc262eb33c

SHA256
61d130b963db9fbdfc70b2bf2ca315692f682298448be53d1e7898a2d6c2b7c5

SHA512
6c0042d6dcdfd98e2d5752b5c7189e008d7f1ad4135c3a2494b48c812733c50836ee297583b3896bb1b633264ff0e80f42b3fce83c6fdcbae7e91be8473dcfbe

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\TransportSecurity
Filesize
702B

MD5
9c8faafbe20247360943ef13d9e02161

SHA1
59b85755c08012f40a73d723afddb3be5fa133d8

SHA256
5967b20f3f25d6cd551e53f4df192ac33459f7a1cb0592435bad8ddaa71fe1e1

SHA512
b4dc1ce3c271bada63f3bd6609af643425cf4226659b1e67faa42150ff7b1ce0a9154d3fa6d5c4efe213447137c274b5484c75e081c822f9f9832fdd8482e459

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\TransportSecurity
Filesize
702B

MD5
faada972ab1400fec032d691b5a88dfd

SHA1
06863496b4b963af2ea92cbf60bb1ab600a6f563

SHA256
27cc909dbaba3f4da771e4af49b48d802a54131bf01b6ed146fd6e20aa33ff47

SHA512
10f5ca8f34074ceef0c69d546a824511bfc02f4528f01c9e22d1a325b8a36dd9a09f773cfb1f093bbd3fb123f35514db69dadc007d51055119a4d7fc98a0f485

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\TransportSecurity~RFe58d695.TMP
Filesize
700B

MD5
9b88be3bdc07b51dfdd177ee9d3fa947

SHA1
8264965416c05565b4e3e3173798cfb1454b31cd

SHA256
cfbc650ef410aa859f1c7cf6713a43094bd14c48177745f193c51e0fd2ff9bcf

SHA512
e8d29592fb911cc89c3ec34396692c40714a8760c847b1a73cd2a14e38b001b28440339e809da39c7dac2c5941d649899ef166b70d6bdd8c85240fe18a1fbebf

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\GrShaderCache\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Local State
Filesize
8KB

MD5
03e400828e6c0ba9a78b065642eb6e48

SHA1
98c16c80d88dcf64cd58e2b054e7ed71092c1b98

SHA256
762783e7d83e2bf84a789e31b9c61d744bbe5628d299583591e63b3709f81e70

SHA512
ad37b59c7d614052717760ec125662783f2987bca3545890bc1127e15c24cb08d13b0b0c2b7a2a4244071ed17bfafe5be29646812384e9d02caf2a8011ba214d

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.config
Filesize
563B

MD5
467c9988e896a5596d1c64968cdcff73

SHA1
cb35ca253aba7ed4c89d194e8e8be1c5acc79083

SHA256
dd2a10593cccb1d99df5d76e63cd5081ba7e3387aed34ded0ef9588aacd4d3a1

SHA512
1b647af7f01fefc1d4d53f8057fc277e90eea5782472a8e3b809bfbb56a69504570f21874ea1370bd6423083e1f49e869db2c7d39a35b3f176ed81c738e6f43d

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\Microsoft.Web.WebView2.Core.dll
Filesize
538KB

MD5
f1dac51a74f4799838be29934a288c5c

SHA1
1e3ef5deb4e3f7a01656fbc3b7833276c3297a2f

SHA256
a7baa548c354ef9223f4fd19d2bae33c3eb8cb987bf7b577828897388110740f

SHA512
7d2a9f31d41a5f81cadf55961bf7fcc9eaa64393427e530303bc966088978cf28b22a186cb82ba251d82d210a4bd37c753f11e058209ea0e26dd2af91e1db5ab

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\Microsoft.Web.WebView2.Wpf.dll
Filesize
46KB

MD5
9022d0f3e7b23ac1525b01d339582bd8

SHA1
97919a2bf43a7f3ada9fecb1fc9e6d5cc673f46c

SHA256
ba0de999989a0cc45e5650503d4755bb9ff56e922741d1724747147811657c5d

SHA512
82c2e5f68a39906c1b5a29d22544a0545cb51793edcd6b4326f37dbc5dc61fb5d8f848937a6dea4b66594a4c38f3d6974ecda5be7fbd6dad947e936dab7d9dd5

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\Newtonsoft.Json.dll
Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\pss4E72.ps1
Filesize
36KB

MD5
0a67375974364990ff2f2cbaa6a682a1

SHA1
6944b8af9a8f766c5538fd3c9b331c32f2e347d6

SHA256
bb84a7f011d47c3920c350f6b1122700dd300e97647be541eb108ec6eef67532

SHA512
9bdb1c98af4b471299cfa9a9ef0d3db60c6bed0879b8bf8d317ef2612cf1f7fffc1216afae4666d28e1435b36284c3b4ba37d213bd058f3548e2cb10891d747f

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\scr4E61.ps1
Filesize
31KB

MD5
f72dfdad07b3f19543e3b26d872fd482

SHA1
546d3ea333aa154e36a13390a78bf693865e4994

SHA256
ee34afc112a39e8f38f125b29ff579fc5d4c45ffd3adf030530294fc5b63b5a0

SHA512
ea70f7a2f556986732f3ead3aeee70d956200622c8a9190a631fff56195dd51e4bffa2a8827c40ee2794c073a66f45715c1b8ca47ac45d6f207c3bd0ad4c8159

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\scr4E62.txt
Filesize
250B

MD5
5b6dfb2146803fec3fac96ada2ad3c48

SHA1
1adff845c571de2672d0c94f6205c5dfa43db448

SHA256
eea35ba8568500cadf78dfa55b4a5e26269055e26524238cadd51f4070d5d6af

SHA512
4a64958b100a633afcf092046ba9d724274a733927b5c487cd50ae504c13ef844353fd6234d706bb8c35ebe1b6bd236493867f961c2bdf1f944635286b8a667c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6065284f9834e137980baae2f9e9d47c

SHA1
0e9371043d01661ddf590079312babf214e9c77b

SHA256
28b4c4cfe89e5132308c8be234585edc034ce52fbef99223f13cf96e8e232556

SHA512
d96710c177fc3c9c1e15401f3d1b8333d9b6a8a33d6d36ca1d32a9aefeaac42437ac05f2ec5d6ef922c38eb5b1a620b3afe07e2efb9e623659cd6b6b58c35945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
f3c0dd6f7c1318d671fe3d75cc57eb91

SHA1
2c54b80ed88014b7d7283c463142dc61e74eb7d5

SHA256
907f137b4bebbf431553e0f4997b92d4f282fb4f6eb8dfc74da346f4136ec6f5

SHA512
18ff41f773de832049d6016a6a7defef43d92d2c4d946181b96ab59aa52f3defd30fd6ca3b168a5ac88f2b9956e035caf2ce39fd67221d36e5bf8ae4cff13534

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI518B.tmp
Filesize
738KB

MD5
d0c9613582605f3793fdad7279de428b

SHA1
8b3e9fb67c7beb20706544d360ee13c3aad9c1d1

SHA256
8bd84f1156ebdfa44afaac8a4579ba56a8c7513e3d51e00822167ea144923726

SHA512
3640a0f53730cad7323473f99a2049833db58eaed00f94b75b4a03b07cc8af99c104a40b2e888307055a5c9740b5fea4b394aa15bc78a3102088cc0770713eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1mkyueyq.pmw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss30D2.ps1
Filesize
36KB

MD5
7dc43ea8bb420287894f3fc68efd4d15

SHA1
f6b0f90586986f968cfa7958f917db8dda54de34

SHA256
579c430cd0bb6c24e614076155e245ff7acd74e8b429854acdc61e200c205395

SHA512
21a29042ac2b8796390b13ecbe5526485c420dc07da918de732b1c8088dc54198c349f2612cc4d800025e6fb4aa00db12997e46454cc2ccf9ad5efc51271ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr30B1.ps1
Filesize
31KB

MD5
df9bb699dfb6aa697c3263769529b815

SHA1
100ef96b36711304020d60535c4d1a2bf2b235b3

SHA256
ba6d2b558c6021fc77cb888a174137d9c9874777ab3e8caa804cf9c3e2e60733

SHA512
2498780c7bcce850f44e6a211e9b83781d8df546ef1147d383aba51dc71e72249089484f9d4c4f841c0afdd98f13348940b9209eab8093ef5e748e272f73a54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr30B2.txt
Filesize
248B

MD5
ec0695d4cdb5e693b3914d11e719bb5b

SHA1
0fc11588fed0d301afd244e7b783414e850c28ce

SHA256
1ba462462fb0eac0fdabf9fd675f513a3738eac61e364e604ed3aaa108bd7b0c

SHA512
3599d2dab6d0a6636254f02396c2608e6d5997f9e2a539c503c80b53812af4a2033d57077e00dc26688bd20ba65fbe2bb7a6d517384380238cd09916af4820d1

Download Submit
C:\Windows\Installer\MSI2FC5.tmp
Filesize
759KB

MD5
a2317ebf66616e3b13218b2b9739cf74

SHA1
9fbdf90fb9d2bc93f025c16c94347eb817908d9d

SHA256
d6a3c9c614fa4491a1bd988d86687515e15edf7e0cfde2159d0850bf2c5c7c89

SHA512
8d11a2174e3ac7eefc776ff3d95ac65517c4af78f2880b84c6ce1ed65990e769cdbd5cc3d5755cc0dd9fc69a7c2408b32dde6205503f9a67ec96008c87b1f2e3

Download Submit
C:\Windows\Installer\MSI3D19.tmp
Filesize
512KB

MD5
d1395cc27fabb23ff098c0954b7725a7

SHA1
b782d01c84471849d92e130e5af448de8040bd58

SHA256
a2f7155c0ce5e3c69fdcff6d89df011a6d4715eae2853104f2480800d63eb69e

SHA512
a5c531d4cb099e91a498dd738804eaf8f47573bb802d15bc550c438ca117ea61258cc886ede7b91f83b9570f73f3bd3c08718819868a1e92249fcb3d5bcdb914

Download Submit
C:\Windows\Installer\MSI3D49.tmp
Filesize
757KB

MD5
5a72f5f620d7363c21dac3c062225203

SHA1
e083f31c15020d54e42103099dc240be4cbb7430

SHA256
b312faf20d72a4e44be87530beb446298c85fef73c79130c6d13aae6720f585c

SHA512
c742314859a75672f8e049ef52db54e48d34b48b9ee6c6e8677ae376d6f0aef6589ffdce90b37c9f8b987ea35d2ec42a07937ce0ba05f3158bf0c79a4f0db987

Download Submit
C:\Windows\Installer\e582f29.msi
Filesize
5.0MB

MD5
0deea78b6ac2236f701fa82cb5c10918

SHA1
93d39ca0a3047db121460ad61057fadc059b6c3d

SHA256
1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf

SHA512
d5393c01ee510397cbce9264b4f87ed6d79f2b3ee4cea3f9b4fca4e5ce70c08ddb3f210327375f9cdca267408125274362ebe6cf79270881bb73dc5154e24587

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
12.8MB

MD5
994e5821faf2a322fd27e26c14813ff9

SHA1
e87d8795bfa5ee183649ae29de2f0e185186fbbb

SHA256
53dc269dba67a493c9688c521351f08f66700971bd92624623cbbdac1dc4cb1a

SHA512
f813e7623da4e64eb2b1f0cf52f2cf6ab211d8e7a100b7c9dfdef7e7eb214cef2ca8f957f15c1062cbf6005b783adb4e6b485d053fa658b7328a14874cd70747

Download Submit
\??\Volume{2e737fee-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{558e36ba-1e35-4927-8beb-f6acad2ba958}_OnDiskSnapshotProp
Filesize
6KB

MD5
75d1295d5b67b16e8f9d644c1ce52b1f

SHA1
b1758a567d74f45b97784503290f31a0be0b2211

SHA256
01db67af97b9948f58c711957355ed4e895637ffc41157e599aec7bee85b78cf

SHA512
5d32625942c97d370d9c17b48a1fd6b484a11ffcb41f8548d3099ee8c6a9769a116d695a16d6bbfe4ef2617fac835e3aaebf25d842997487eff9bf6c8d8720f0

Download Submit
memory/224-210-0x0000000006650000-0x000000000669C000-memory.dmp

Filesize
304KB

Download
memory/224-208-0x0000000006180000-0x00000000064D7000-memory.dmp

Filesize
3.3MB

Download
memory/2408-83-0x0000000006C00000-0x0000000006C22000-memory.dmp

Filesize
136KB

Download
memory/2408-77-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/2408-62-0x0000000003140000-0x0000000003176000-memory.dmp

Filesize
216KB

Download
memory/2408-63-0x0000000005920000-0x0000000005F4A000-memory.dmp

Filesize
6.2MB

Download
memory/2408-64-0x0000000005760000-0x0000000005782000-memory.dmp

Filesize
136KB

Download
memory/2408-65-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/2408-66-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/2408-75-0x00000000061F0000-0x0000000006547000-memory.dmp

Filesize
3.3MB

Download
memory/2408-76-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/2408-79-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/2408-80-0x0000000006B60000-0x0000000006B7A000-memory.dmp

Filesize
104KB

Download
memory/2408-82-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/2408-89-0x0000000007BE0000-0x0000000007C72000-memory.dmp

Filesize
584KB

Download
memory/2408-88-0x00000000090F0000-0x000000000961C000-memory.dmp

Filesize
5.2MB

Download
memory/2408-87-0x0000000007CD0000-0x0000000007E92000-memory.dmp

Filesize
1.8MB

Download
memory/2408-84-0x0000000008610000-0x0000000008BB6000-memory.dmp

Filesize
5.6MB

Download
memory/4728-258-0x00007FFB17370000-0x00007FFB17371000-memory.dmp

Filesize
4KB

Download
memory/4728-500-0x000001952E400000-0x000001952E51E000-memory.dmp

Filesize
1.1MB

Download
memory/4728-491-0x000001952E400000-0x000001952E51E000-memory.dmp

Filesize
1.1MB

Download
memory/4788-231-0x00000000000E0000-0x0000000000128000-memory.dmp

Filesize
288KB

Download
memory/4788-235-0x0000000004CE0000-0x0000000004D92000-memory.dmp

Filesize
712KB

Download
memory/4788-241-0x00000000050A0000-0x000000000512A000-memory.dmp

Filesize
552KB

Download
memory/4788-328-0x0000000009CE0000-0x000000000A037000-memory.dmp

Filesize
3.3MB

Download
memory/4788-239-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4788-242-0x0000000005890000-0x0000000005898000-memory.dmp

Filesize
32KB

Download
memory/4788-244-0x00000000079B0000-0x00000000079BE000-memory.dmp

Filesize
56KB

Download
memory/4788-243-0x0000000008250000-0x0000000008288000-memory.dmp

Filesize
224KB

Download