1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf

Analysis

max time kernel
90s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf.msi
Size

5.0MB
MD5

0deea78b6ac2236f701fa82cb5c10918
SHA1

93d39ca0a3047db121460ad61057fadc059b6c3d
SHA256

1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf
SHA512

d5393c01ee510397cbce9264b4f87ed6d79f2b3ee4cea3f9b4fca4e5ce70c08ddb3f210327375f9cdca267408125274362ebe6cf79270881bb73dc5154e24587
SSDEEP

98304:sVHYDgFMyclbrPcGJ1Ea2x3PoFpSSgGN6o:QNMyI/t0foFpngGN6o

Score

8^/10

execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

Processes:

msiexec.exepowershell.exeMsiExec.exepowershell.exe

flow	pid	process
2	1216	msiexec.exe
4	1216	msiexec.exe
5	1216	msiexec.exe
6	3080	powershell.exe
7	3424	MsiExec.exe
8	3424	MsiExec.exe
9	3424	MsiExec.exe
10	3424	MsiExec.exe
12	3392	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManualsViewerUpdater = "cmd /c \"start /min /d \"C:\\Users\\Admin\\AppData\\Local\\ManualsViewer\\\" node.exe update.js --reboot\""	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e577ec5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DAF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F27.tmp	msiexec.exe
File created	C:\Windows\Installer\e577ec5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C83.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF833D7E01CC0AD500.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D5F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D80.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BEB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C3A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF423267D0BA7F3836.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F52.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9E5CF1E9-AB5B-402B-A63F-F95DFFD84B31}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF04E370F3CC7F91B3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F38.tmp	msiexec.exe
File created	C:\Windows\Installer\e577ec7.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF601D27093069F5C.TMP	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

ManualsViewer.exe

pid process

3964 ManualsViewer.exe

pid	process
3964	ManualsViewer.exe

Loads dropped DLL 27 IoCs

Processes:

MsiExec.exeMsiExec.exeManualsViewer.exe

pid	process
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
3424	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
3964	ManualsViewer.exe
3964	ManualsViewer.exe
3964	ManualsViewer.exe
3964	ManualsViewer.exe
3964	ManualsViewer.exe
3964	ManualsViewer.exe
3964	ManualsViewer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3080 powershell.exe
3392 powershell.exe
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

1216 msiexec.exe

pid	process
1216	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000753d210c0538cc610000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000753d210c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900753d210c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d753d210c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000753d210c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exemsiexec.exepowershell.exemsedgewebview2.exemsedgewebview2.exe

pid	process
3080	powershell.exe
3080	powershell.exe
5100	msiexec.exe
5100	msiexec.exe
3392	powershell.exe
3392	powershell.exe
4724	msedgewebview2.exe
4724	msedgewebview2.exe
3740	msedgewebview2.exe
3740	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedgewebview2.exe

pid process

1860 msedgewebview2.exe
1860 msedgewebview2.exe

pid	process
1860	msedgewebview2.exe
1860	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeSecurityPrivilege	5100	msiexec.exe
Token: SeCreateTokenPrivilege	1216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1216	msiexec.exe
Token: SeLockMemoryPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeMachineAccountPrivilege	1216	msiexec.exe
Token: SeTcbPrivilege	1216	msiexec.exe
Token: SeSecurityPrivilege	1216	msiexec.exe
Token: SeTakeOwnershipPrivilege	1216	msiexec.exe
Token: SeLoadDriverPrivilege	1216	msiexec.exe
Token: SeSystemProfilePrivilege	1216	msiexec.exe
Token: SeSystemtimePrivilege	1216	msiexec.exe
Token: SeProfSingleProcessPrivilege	1216	msiexec.exe
Token: SeIncBasePriorityPrivilege	1216	msiexec.exe
Token: SeCreatePagefilePrivilege	1216	msiexec.exe
Token: SeCreatePermanentPrivilege	1216	msiexec.exe
Token: SeBackupPrivilege	1216	msiexec.exe
Token: SeRestorePrivilege	1216	msiexec.exe
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeDebugPrivilege	1216	msiexec.exe
Token: SeAuditPrivilege	1216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1216	msiexec.exe
Token: SeChangeNotifyPrivilege	1216	msiexec.exe
Token: SeRemoteShutdownPrivilege	1216	msiexec.exe
Token: SeUndockPrivilege	1216	msiexec.exe
Token: SeSyncAgentPrivilege	1216	msiexec.exe
Token: SeEnableDelegationPrivilege	1216	msiexec.exe
Token: SeManageVolumePrivilege	1216	msiexec.exe
Token: SeImpersonatePrivilege	1216	msiexec.exe
Token: SeCreateGlobalPrivilege	1216	msiexec.exe
Token: SeCreateTokenPrivilege	1216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1216	msiexec.exe
Token: SeLockMemoryPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeMachineAccountPrivilege	1216	msiexec.exe
Token: SeTcbPrivilege	1216	msiexec.exe
Token: SeSecurityPrivilege	1216	msiexec.exe
Token: SeTakeOwnershipPrivilege	1216	msiexec.exe
Token: SeLoadDriverPrivilege	1216	msiexec.exe
Token: SeSystemProfilePrivilege	1216	msiexec.exe
Token: SeSystemtimePrivilege	1216	msiexec.exe
Token: SeProfSingleProcessPrivilege	1216	msiexec.exe
Token: SeIncBasePriorityPrivilege	1216	msiexec.exe
Token: SeCreatePagefilePrivilege	1216	msiexec.exe
Token: SeCreatePermanentPrivilege	1216	msiexec.exe
Token: SeBackupPrivilege	1216	msiexec.exe
Token: SeRestorePrivilege	1216	msiexec.exe
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeDebugPrivilege	1216	msiexec.exe
Token: SeAuditPrivilege	1216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1216	msiexec.exe
Token: SeChangeNotifyPrivilege	1216	msiexec.exe
Token: SeRemoteShutdownPrivilege	1216	msiexec.exe
Token: SeUndockPrivilege	1216	msiexec.exe
Token: SeSyncAgentPrivilege	1216	msiexec.exe
Token: SeEnableDelegationPrivilege	1216	msiexec.exe
Token: SeManageVolumePrivilege	1216	msiexec.exe
Token: SeImpersonatePrivilege	1216	msiexec.exe
Token: SeCreateGlobalPrivilege	1216	msiexec.exe
Token: SeCreateTokenPrivilege	1216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1216	msiexec.exe
Token: SeLockMemoryPrivilege	1216	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exemsedgewebview2.exe

pid process

1216 msiexec.exe
1216 msiexec.exe
1860 msedgewebview2.exe
1860 msedgewebview2.exe
1860 msedgewebview2.exe
1860 msedgewebview2.exe

pid	process
1216	msiexec.exe
1216	msiexec.exe
1860	msedgewebview2.exe
1860	msedgewebview2.exe
1860	msedgewebview2.exe
1860	msedgewebview2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeManualsViewer.exemsedgewebview2.exe

description	pid	process	target process
PID 5100 wrote to memory of 4896	5100	msiexec.exe	MsiExec.exe
PID 5100 wrote to memory of 4896	5100	msiexec.exe	MsiExec.exe
PID 5100 wrote to memory of 4896	5100	msiexec.exe	MsiExec.exe
PID 5100 wrote to memory of 4428	5100	msiexec.exe	srtasks.exe
PID 5100 wrote to memory of 4428	5100	msiexec.exe	srtasks.exe
PID 5100 wrote to memory of 3424	5100	msiexec.exe	MsiExec.exe
PID 5100 wrote to memory of 3424	5100	msiexec.exe	MsiExec.exe
PID 5100 wrote to memory of 3424	5100	msiexec.exe	MsiExec.exe
PID 3424 wrote to memory of 3080	3424	MsiExec.exe	powershell.exe
PID 3424 wrote to memory of 3080	3424	MsiExec.exe	powershell.exe
PID 3424 wrote to memory of 3080	3424	MsiExec.exe	powershell.exe
PID 3424 wrote to memory of 3392	3424	MsiExec.exe	powershell.exe
PID 3424 wrote to memory of 3392	3424	MsiExec.exe	powershell.exe
PID 3424 wrote to memory of 3392	3424	MsiExec.exe	powershell.exe
PID 3964 wrote to memory of 1860	3964	ManualsViewer.exe	msedgewebview2.exe
PID 3964 wrote to memory of 1860	3964	ManualsViewer.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3284	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3284	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3532	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 4724	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 4724	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3248	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3248	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3248	1860	msedgewebview2.exe	msedgewebview2.exe
PID 1860 wrote to memory of 3248	1860	msedgewebview2.exe	msedgewebview2.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CFD2BF9193A08D4D31F3544D44454832 C
2⤵
- Loads dropped DLL
PID:4896

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4428

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6C37A4C4A72955521F8D49EFEDEED65D
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss806E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi805B.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr805C.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr805D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\ManualsViewer\pss9D14.ps1" -propFile "C:\Users\Admin\AppData\Local\ManualsViewer\msi9D01.txt" -scriptFile "C:\Users\Admin\AppData\Local\ManualsViewer\scr9D02.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\ManualsViewer\scr9D03.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2092

C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe
"C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe" /register
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3964

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=3964.1984.14273552456120101371
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1860

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x130,0x7ffe896f3cb8,0x7ffe896f3cc8,0x7ffe896f3cd8
3⤵
PID:3284

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1356,959302532322656455,13071372710480753849,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
3⤵
PID:3532

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1356,959302532322656455,13071372710480753849,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1356,959302532322656455,13071372710480753849,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2488 /prefetch:8
3⤵
PID:3248

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1356,959302532322656455,13071372710480753849,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
3⤵
PID:2076

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1356,959302532322656455,13071372710480753849,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
3⤵
PID:4560

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1356,959302532322656455,13071372710480753849,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4964 /prefetch:8
3⤵
PID:4828

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1356,959302532322656455,13071372710480753849,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView" --webview-exe-name=ManualsViewer.exe --webview-exe-version=4.3.1215.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4808 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577ec6.rbs

Filesize
1.8MB

MD5
97081aa4c1c8be9aa487d936f5c8ab41

SHA1
d10bda54bec81c2c1218307f28b9ed1945bc8a22

SHA256
8be30a501a7362477d149fa47c6e12f298f8932b4677270a5f2c528c2b2560b2

SHA512
f9aaad532baad8fe6fd806c419366c810f0134ac63e14e3d5ab96fe8b8aedff6e6c33fdaa8edfa5fdbce57c8ed64ebe2f9f556e54f4b3051878db59e1278b5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_4B24743B8F91CE797D24B8FCFCA3C262

Filesize
1KB

MD5
bd6642f6f18d1cadb47b25a67311ce84

SHA1
ca5938e8da11c49241344a3e232ec0c1d1923e45

SHA256
657b7b4ab5dcdc7127d30553ae81821014eda37b168f704bedf7af8b7859f4ef

SHA512
389a9843017a170d145141593055bc1c52f91b198a8e661b725803912b3ac74bf01588962527bcb6966248a7a4de71d8035a8dbc5f47c0c1056f218f64251008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
d3ba48f3ee2d874be776cc759f8374af

SHA1
1b2daffdf94f324e4eadddb4d467cd83c2c35da7

SHA256
14d40199051d3831f868002aec1db2b90ee8bb378ddd801c1cdebb35b98a7272

SHA512
93b542f508343d538b562a645fe3ef7686b9e48cac5a184d790ae863efd2e1e910080cd84cc3bbe6282ae4f8c856feb266101b68e4ccbb6c0f11e0bce280e6e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_4B24743B8F91CE797D24B8FCFCA3C262

Filesize
536B

MD5
30151a519607c9a62907360a63075bfe

SHA1
4f2f0f0c2ea98155b18eed2433d926c0b7d18a84

SHA256
4a22d5f09ae377c631866b6ab247ef33024b9ed92a86982ee0a99edc43202ada

SHA512
e851ea8416e5a5f059bb1552d7ed4b349b8612538925327383564a7762fc3cc5ae0e2aa13a414e3557aa71aca15f57768306ea846ae13b2313b9096656f2064a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
20859aaced4b125284614cb62a45d9e1

SHA1
0f039388f9ddc21742c2e21cc4eb7d748559d987

SHA256
2ec760b2d84c95f3f95779cbced5cd80eed92df35f5f82aa0be74d0e47a0cca0

SHA512
7fe8f4c51152a5fd1cf60e6df31dcbae72a383991b508bf0439aa3b1905843fefcb34cc5e93059315f07d7753f3ad2e412a8fa249d3ed835830f6e02ee9ab5d5

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe

Filesize
275KB

MD5
3e34fe938047483111053beb4bada320

SHA1
6bc5b1d97ec9f6efe792c7c4600191a75c437e8c

SHA256
d79db4add67490ec6070fb0750ab667becec4751d5316c81f8e2c6813d0fcbcd

SHA512
8ec758c9ea9a4aa066f3641d3ee3ed41d5c3417273081f65f355d28e47b11556b2457ad3770af3fef1491977f9d6c1d91be849a1eb73e1ecbc10c5ab80e66cf7

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
cdeba3f31cd8884e6d5b8aa75e876a81

SHA1
05e31663668d0d6e1f4ce4208dfefa5480f48a08

SHA256
25b8fce53ef57f29a47cd51078ddf82a67ca0c0a3c972a5dccb91c32769f5303

SHA512
0e0dee14cfad0c9df31722d1cf0ff1f1d76b8306d466e6c78c0f4a2c75d597744b7809772c49f53c09a0a1234db093cb7262609358a62b317da0095a876bb9b8

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
e8d438c38678ea669c923870f90f23e5

SHA1
ff8f4ecb635b066f14d51b668903c91b231c319b

SHA256
271ddd66d7de65c121c22a7c667f9c40aaf394f8a97cf053c23ea0f1d11bdf21

SHA512
cd936342471225f8d40348f00d164aadccc74f484163e9b269f0f5a604d3f2d26f0fe5c7a63e10e951b40527c75cd61b64563dd3a9cd66d293a7c5911aadea7a

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
445e1b9bf4e2fee8fc5a9c6b6d5ad618

SHA1
3873ea7179d9ffe9520f5cb7d83e5eceef733b0d

SHA256
c5fb18bfa09f5c731de00c5108f42ac3e7c903f67f1062c746caaa14c6c97cef

SHA512
68cd7f211dbf783f5f5189ca21d20f50c81a34f9ca35e1d38936896d092be4092df2404f33dde8023228b105426f57224508a5e215cfddeeecb9e308b70233a4

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
41bd05326cf9657b9df0bbf9fe714c42

SHA1
4b4a8035484c311f5fad6ba9670f81a1c67a5096

SHA256
8885e838732e75c7ac77a17d468a6b318ee9fb46232c32a5fa034808eff69090

SHA512
e2c403f64dfda620382cf04bc7ae5f47d43e12f1dc5ad77b7612e7690ac8bff027981f60e7d2813be00c5705c420b03e02110f67136c3d179a7ca737c1f01502

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Network Persistent State

Filesize
2KB

MD5
62874be14f7d30d42c7297464a3161b0

SHA1
3ad6435774cc7d0a12e9c5123b0a58bfa9ce748c

SHA256
6a249780420847d077b49a1fb8614876422bb6b82b095e3dcaf429ea8da0af20

SHA512
c9b0d68829d28b7fb5364046967928acaa39353d7eac5de9863315f2f0b4cb4a42f2b71f2cb16e53e7bf38d490d98835aa05082c0dbb3495a9116ccb70101994

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Network Persistent State~RFe57f935.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Preferences

Filesize
5KB

MD5
ec3edc01c72a54ca9be8aaf375780572

SHA1
c3b92dc1680cadd1b8d21131f36e6c9abde15282

SHA256
69faaf27b71260123bb6c0d045381e6785dc86d871668136ad7a5ed9b63a4c04

SHA512
95b7607732568f581a8cb239955f0bf108f2a3c5f3922214b6b22ee4d774727b5f983b4062f2de99c9e0155c9db13c3c1f85e27cc371879f9312b01b2ced4fb2

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Preferences~RFe57f906.TMP

Filesize
4KB

MD5
de54b09a466812c2c75cd8c8bd7f88ae

SHA1
87a0a2b47a8eee517f5d2b5dca3c1885d928dd40

SHA256
28514c447650843abe135d7ef4e762945821635422af05904f54927f280f478c

SHA512
4242212ed8f10a8dac3449fa99d98f7790a138891665462df41b14df99a94ef519e1d34189441fb46f4b5679952bad35cc9276ecf986b53222aaa43497c5497d

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\94ed811f-7b13-4a7e-ac28-256f98ee9215\index-dir\the-real-index

Filesize
408B

MD5
bfabe3d081ee3c432234ea3cd1fff94b

SHA1
b97058ae8365e6a62e010f6be08517651eb6dafc

SHA256
c003da06b2bc9b2a3e843d5d3410f4210f5fbcd954a84258110c2ef951fe7b7d

SHA512
251a4fcee2a03fee3013c4632b480e9c2a136bf2103bd3e3a0ee1f500ac08f711225f1e5bae6d2b893d27f97d5cea309c2d409f3fadde48f64a1c824dd66ad4a

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\94ed811f-7b13-4a7e-ac28-256f98ee9215\index-dir\the-real-index~RFe57b759.TMP

Filesize
48B

MD5
07048071c5b813792a03ee0c4abb992d

SHA1
2ac9ff66a4ef256df8471942fdca5c2de316945b

SHA256
821b9981bc88085fbc7adee0800728817a4c3e95b6b84b78a1d759cabba1e290

SHA512
b548be48a2c5b2c5ebc0b12bd4b232027e6629d98b5a147cea2e68726dc61c617057f3302c6f02b2232a90aa492cfdacb0e6d739b25609346ea65740f08b09f2

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\index.txt

Filesize
138B

MD5
ac587d682bf597d0641b8e6fcb43aafb

SHA1
80e4074df3dfa7b411d002f704534a8d6f3fd8df

SHA256
d2e74e7d45b6ff470ee136c70369d4c02e55c08be8b5c9db13c4e508386798a0

SHA512
ba514f197498aabeb488e9f456dbefad4c5fda8df1ec9c173284448fa1ef94a85a9f75893888ac6e29db2184a1acca366d8ba28dfdd6273615b820368d65453a

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\CacheStorage\592d4eb6ea0739a91f51eeb15503e4c6c695d3fa\index.txt

Filesize
133B

MD5
7f3e71d1a75bf1e2d1dbe3a67ac58577

SHA1
8907670663e8ea3cf7184f3fe409267a47bf4bc2

SHA256
9a28709adb7abf6e115867c05d9cd1986deffd8b4444be7602a08610b33f93bf

SHA512
d2aff51a526ebf1b3603bb0a4bf4eba22a87c109df2175689e0b5deedc090021b1e0474e328c8ea8c398d7c1e64fbe21a5c7716c28bc17e81a84605f000134ad

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
47db4ae3835532960b49fddd798ecfe1

SHA1
9b966a351511d5963db8085967f1b3cee8781ec5

SHA256
a2a5efd58e2d90e3f9d5d38b9dcb61425cf2fae2c73c6bf99bbe7aa5d366d731

SHA512
0d5168f27581c1387970d7016bc87d3a7e4918dad4945125b9010e5b038cc6eace88ce70215af3c5aabcc7ce26027e9d8e46c7555b42d079285ee461395f60cd

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f8f6.TMP

Filesize
48B

MD5
5f450e84e50c62ee780b6683d9031ceb

SHA1
05898d5a326ee20b085319b6cf1c198e2be28a81

SHA256
fbefb4ffa53eec481bc299618be8ba8b4a3c818abe7c89cd32c977cb664bf5aa

SHA512
342c9f266ef3526d209e6facb0002b106619e8be4a4665f55122404a2c39ea1d9362146c7ed861654c167041dfe05ce76bf910118a621c4065bffdc83a543c1a

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Local State

Filesize
8KB

MD5
07e7b1300696d30ddb30624c4283e8c5

SHA1
e55a08ee12e3bec81ea2ea86a9579aa0d7f60bb7

SHA256
63c970ad322a37101a416a579581398941d51ddafb59aaec6932dd5f67c5a60c

SHA512
43901d8e6f5ff81a5fcd74fd86e00fdf11139668d3de2f8820b8ae7268aa017c587b7812e97d9314bae55d81f56667375d40dd35944b13a7beec456eeacbe055

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.WebView2\EBWebView\Local State~RFe57f8e7.TMP

Filesize
8KB

MD5
c4079f918ff1ed73f24c783ee3826b9d

SHA1
93b0b86db99a9146750bb6f109b26cdddf051259

SHA256
2322a036fb5860786d5427035e49d0485ddde0df116d65cb78a4df139d900aa3

SHA512
7b7d3e5f752510c4a06b6b2df52f0e82dbe8b87428b70e6e1d8d16aadda19e4ad2e932eca9abed0971d384e7bc26e996063a2ad34b470ed6ac68984d93683a41

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe.config

Filesize
563B

MD5
467c9988e896a5596d1c64968cdcff73

SHA1
cb35ca253aba7ed4c89d194e8e8be1c5acc79083

SHA256
dd2a10593cccb1d99df5d76e63cd5081ba7e3387aed34ded0ef9588aacd4d3a1

SHA512
1b647af7f01fefc1d4d53f8057fc277e90eea5782472a8e3b809bfbb56a69504570f21874ea1370bd6423083e1f49e869db2c7d39a35b3f176ed81c738e6f43d

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\Microsoft.Web.WebView2.Core.dll

Filesize
538KB

MD5
f1dac51a74f4799838be29934a288c5c

SHA1
1e3ef5deb4e3f7a01656fbc3b7833276c3297a2f

SHA256
a7baa548c354ef9223f4fd19d2bae33c3eb8cb987bf7b577828897388110740f

SHA512
7d2a9f31d41a5f81cadf55961bf7fcc9eaa64393427e530303bc966088978cf28b22a186cb82ba251d82d210a4bd37c753f11e058209ea0e26dd2af91e1db5ab

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\Microsoft.Web.WebView2.Wpf.dll

Filesize
46KB

MD5
9022d0f3e7b23ac1525b01d339582bd8

SHA1
97919a2bf43a7f3ada9fecb1fc9e6d5cc673f46c

SHA256
ba0de999989a0cc45e5650503d4755bb9ff56e922741d1724747147811657c5d

SHA512
82c2e5f68a39906c1b5a29d22544a0545cb51793edcd6b4326f37dbc5dc61fb5d8f848937a6dea4b66594a4c38f3d6974ecda5be7fbd6dad947e936dab7d9dd5

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\pss9D14.ps1

Filesize
36KB

MD5
0a67375974364990ff2f2cbaa6a682a1

SHA1
6944b8af9a8f766c5538fd3c9b331c32f2e347d6

SHA256
bb84a7f011d47c3920c350f6b1122700dd300e97647be541eb108ec6eef67532

SHA512
9bdb1c98af4b471299cfa9a9ef0d3db60c6bed0879b8bf8d317ef2612cf1f7fffc1216afae4666d28e1435b36284c3b4ba37d213bd058f3548e2cb10891d747f

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\scr9D02.ps1

Filesize
31KB

MD5
f72dfdad07b3f19543e3b26d872fd482

SHA1
546d3ea333aa154e36a13390a78bf693865e4994

SHA256
ee34afc112a39e8f38f125b29ff579fc5d4c45ffd3adf030530294fc5b63b5a0

SHA512
ea70f7a2f556986732f3ead3aeee70d956200622c8a9190a631fff56195dd51e4bffa2a8827c40ee2794c073a66f45715c1b8ca47ac45d6f207c3bd0ad4c8159

Download Submit
C:\Users\Admin\AppData\Local\ManualsViewer\scr9D03.txt

Filesize
328B

MD5
024569468b540858fdf2efe7f30653d1

SHA1
f1070b1626f368d3c41a64b9104eeb1d05ab77d9

SHA256
41278f854ce053d892a0d3144c8211fb367fae2d21d474b844b8b6cc184214b9

SHA512
27bee8cc687822b8e3cc56085e4ce1f8213b0bf0070ef7839ed6b841fd16c6ba4214c29f0cddf96819773e9e65d5b421e114bca5ae5f245efed320b534310540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6065284f9834e137980baae2f9e9d47c

SHA1
0e9371043d01661ddf590079312babf214e9c77b

SHA256
28b4c4cfe89e5132308c8be234585edc034ce52fbef99223f13cf96e8e232556

SHA512
d96710c177fc3c9c1e15401f3d1b8333d9b6a8a33d6d36ca1d32a9aefeaac42437ac05f2ec5d6ef922c38eb5b1a620b3afe07e2efb9e623659cd6b6b58c35945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
724ab97ccac0b2774b6b10b05c17e6c4

SHA1
39da47df996e87f90b86b5648871e9ecf2799130

SHA256
3835104e4131fc85bf05f4e94c83bdfe07b297c0814a69e562583f9cc2352d48

SHA512
91cf7d3f03682fd793eb5ddfe172beaef77b48e21322c3f6cc143a041d96586b26900a47f086aaae2c75c803d43fa65e698ffe5698adb03c1b99265db5c84b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3642.tmp

Filesize
738KB

MD5
d0c9613582605f3793fdad7279de428b

SHA1
8b3e9fb67c7beb20706544d360ee13c3aad9c1d1

SHA256
8bd84f1156ebdfa44afaac8a4579ba56a8c7513e3d51e00822167ea144923726

SHA512
3640a0f53730cad7323473f99a2049833db58eaed00f94b75b4a03b07cc8af99c104a40b2e888307055a5c9740b5fea4b394aa15bc78a3102088cc0770713eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m02s1u1h.ijh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss806E.ps1

Filesize
36KB

MD5
7dc43ea8bb420287894f3fc68efd4d15

SHA1
f6b0f90586986f968cfa7958f917db8dda54de34

SHA256
579c430cd0bb6c24e614076155e245ff7acd74e8b429854acdc61e200c205395

SHA512
21a29042ac2b8796390b13ecbe5526485c420dc07da918de732b1c8088dc54198c349f2612cc4d800025e6fb4aa00db12997e46454cc2ccf9ad5efc51271ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr805C.ps1

Filesize
31KB

MD5
df9bb699dfb6aa697c3263769529b815

SHA1
100ef96b36711304020d60535c4d1a2bf2b235b3

SHA256
ba6d2b558c6021fc77cb888a174137d9c9874777ab3e8caa804cf9c3e2e60733

SHA512
2498780c7bcce850f44e6a211e9b83781d8df546ef1147d383aba51dc71e72249089484f9d4c4f841c0afdd98f13348940b9209eab8093ef5e748e272f73a54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr805D.txt

Filesize
326B

MD5
f776e6b7ddeb8374229f0bf55233df89

SHA1
1905d3af75b68aceda6424b792aaf2fe944cdce9

SHA256
ded8e2ac37eeb7c78679c99e4ad4cf3390167855c8939b1458c4246de4a2addb

SHA512
470bfd9705cd5548f157bde578a0496aea8f723e338bdabc0bffc7f68feda5db95f4d5f825529a546d0eedde3dcb50797200061a0826c1bd9c2a879d2faf967d

Download Submit
C:\Windows\Installer\MSI7F52.tmp

Filesize
759KB

MD5
a2317ebf66616e3b13218b2b9739cf74

SHA1
9fbdf90fb9d2bc93f025c16c94347eb817908d9d

SHA256
d6a3c9c614fa4491a1bd988d86687515e15edf7e0cfde2159d0850bf2c5c7c89

SHA512
8d11a2174e3ac7eefc776ff3d95ac65517c4af78f2880b84c6ce1ed65990e769cdbd5cc3d5755cc0dd9fc69a7c2408b32dde6205503f9a67ec96008c87b1f2e3

Download Submit
C:\Windows\Installer\MSI8D80.tmp

Filesize
512KB

MD5
d1395cc27fabb23ff098c0954b7725a7

SHA1
b782d01c84471849d92e130e5af448de8040bd58

SHA256
a2f7155c0ce5e3c69fdcff6d89df011a6d4715eae2853104f2480800d63eb69e

SHA512
a5c531d4cb099e91a498dd738804eaf8f47573bb802d15bc550c438ca117ea61258cc886ede7b91f83b9570f73f3bd3c08718819868a1e92249fcb3d5bcdb914

Download Submit
C:\Windows\Installer\MSI8DAF.tmp

Filesize
757KB

MD5
5a72f5f620d7363c21dac3c062225203

SHA1
e083f31c15020d54e42103099dc240be4cbb7430

SHA256
b312faf20d72a4e44be87530beb446298c85fef73c79130c6d13aae6720f585c

SHA512
c742314859a75672f8e049ef52db54e48d34b48b9ee6c6e8677ae376d6f0aef6589ffdce90b37c9f8b987ea35d2ec42a07937ce0ba05f3158bf0c79a4f0db987

Download Submit
C:\Windows\Installer\e577ec5.msi

Filesize
5.0MB

MD5
0deea78b6ac2236f701fa82cb5c10918

SHA1
93d39ca0a3047db121460ad61057fadc059b6c3d

SHA256
1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf

SHA512
d5393c01ee510397cbce9264b4f87ed6d79f2b3ee4cea3f9b4fca4e5ce70c08ddb3f210327375f9cdca267408125274362ebe6cf79270881bb73dc5154e24587

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
0a7ee8e997c650502fa5610839ebc031

SHA1
5d234eaa7ff2a85f2db7f12de62e300d57c8d69d

SHA256
4a058f005b0758417b95375e54edf500ec9b309128b4e1b696f467d8fe69d851

SHA512
751b015dfc9bbd97ed5bcf2917e2359bd6301ed2cba48ef367ba2db28e45f3ccfd8692e9b6836c82453211899d8f860a7f6ca981c809b990844cb3ea95d32346

Download Submit
\??\Volume{0c213d75-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f68c65da-4055-4323-b0ec-50c1da6744aa}_OnDiskSnapshotProp

Filesize
6KB

MD5
5b9d20cc6d923545cfd209151ccdac30

SHA1
861752f8efa41b514f0954474189176151999029

SHA256
b3d47cdf2040ea6db8b170b218e52451aeba53b15abcb0be63284b630a0b1e0a

SHA512
0274b2c339f21157bfb02ee9d09189653f1abd664932b51481b59896926428da73dd635bbe930bf7faafc9bec708df89373efe74c4269d8bc3364afc499a85e8

Download Submit
memory/3080-77-0x0000000005DC0000-0x0000000006117000-memory.dmp

Filesize
3.3MB

Download
memory/3080-67-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3080-90-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/3080-64-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/3080-89-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/3080-88-0x0000000007930000-0x0000000007AF2000-memory.dmp

Filesize
1.8MB

Download
memory/3080-65-0x0000000005720000-0x0000000005D4A000-memory.dmp

Filesize
6.2MB

Download
memory/3080-66-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/3080-68-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/3080-85-0x0000000008280000-0x0000000008826000-memory.dmp

Filesize
5.6MB

Download
memory/3080-83-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/3080-84-0x0000000007440000-0x0000000007462000-memory.dmp

Filesize
136KB

Download
memory/3080-82-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/3080-81-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/3080-78-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/3080-79-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/3392-211-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/3392-209-0x00000000059B0000-0x0000000005D07000-memory.dmp

Filesize
3.3MB

Download
memory/3532-258-0x00007FFEAB500000-0x00007FFEAB501000-memory.dmp

Filesize
4KB

Download
memory/3964-236-0x00000000057F0000-0x00000000058A2000-memory.dmp

Filesize
712KB

Download
memory/3964-242-0x0000000005C40000-0x0000000005CCA000-memory.dmp

Filesize
552KB

Download
memory/3964-245-0x00000000084B0000-0x00000000084BE000-memory.dmp

Filesize
56KB

Download
memory/3964-243-0x0000000006390000-0x0000000006398000-memory.dmp

Filesize
32KB

Download
memory/3964-331-0x000000000A7D0000-0x000000000AB27000-memory.dmp

Filesize
3.3MB

Download
memory/3964-244-0x0000000008C50000-0x0000000008C88000-memory.dmp

Filesize
224KB

Download
memory/3964-240-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3964-232-0x0000000000BE0000-0x0000000000C28000-memory.dmp

Filesize
288KB

Download