Analysis
max time kernel: 209s
max time network: 198s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-07-2024 14:54
Behavioral task: behavioral1
Sample: 123ca4e6808c427238533a0893759ff35bc4a23d9404c8ab689b8163cd391a12.msi
Resource: win10-20240404-en
General
Target: 123ca4e6808c427238533a0893759ff35bc4a23d9404c8ab689b8163cd391a12.msi
Size: 232.4MB
MD5: 61c2833cc970b8640db8d2d43bca6703
SHA1: 3aca5519f2b336ad6e1a71aaec8053074a33de60
SHA256: 123ca4e6808c427238533a0893759ff35bc4a23d9404c8ab689b8163cd391a12
SHA512: 9678f80c2bbd4e5ccf0025750ceaa9bcac5d45232ceb97328b4cc7b916d675cb8650245f036759d56aecf9724664b4881171afc888ee0fea793ed03f06fa07b5
SSDEEP: 6291456:PRNmz8s0sxvOQzKnjk2y/KdJRZ7nofH9Z2Tvu:hYxWQp2J/DnofH9Y
Malware Config
Signatures
UPX-packed code in process memory (yara rule: upx) 4 IoCs
Processes: xf4bG4uMOh.exe (PID 1172), TaskLoad.exe (PID 3828); dump names are <pid>-<n>-<address range>
- behavioral1/memory/1172-253-0x0000000002D40000-0x0000000002DD2000-memory.dmp: upx
- behavioral1/memory/3828-267-0x0000000002D60000-0x0000000002DF2000-memory.dmp: upx
- behavioral1/memory/3828-270-0x0000000002D60000-0x0000000002DF2000-memory.dmp: upx
- behavioral1/memory/3828-271-0x0000000002E00000-0x0000000002E33000-memory.dmp: upx
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (PID 3892), msiexec.exe (PID 3808)
File opened (read-only) by msiexec.exe: 23 drive letters, each opened twice (both msiexec.exe instances carry this signature in the process tree below):
\??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Probing every drive letter is consistent with Windows Installer's own disk-space costing before an install, so on its own this signature does not separate the installer's behaviour from the payload's; the dropped binaries (PIDs 1172, 3828, 4360) are not listed here.
Drops file in Program Files directory 8 IoCs
Processes: MsiExec.exe (PID 4708)
- File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\COMSupport.dll
- File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\xf4bG4uMOh.exe
- File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\WS_Log.dll
- File opened for modification C:\Program Files\Windows Defenderr\xf4bG4uMOh\WS_Log.dll
- File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\FourierTransformLib8.dll
- File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\ImageRestoreLib8.dll
- File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\wavelet_3_8.dll
- File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\dll1.dll
The install directory "Windows Defenderr" (double r) is not the real C:\Program Files\Windows Defender directory; it is one character away from it, which is a lookalike worth matching on in its own right.
Drops file in Windows directory 14 IoCs
Processes: msiexec.exe, taskmgr.exe
- File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created C:\Windows\rescache\_merged\1601268389\715946058.pri (taskmgr.exe)
- File created C:\Windows\Installer\e57fa8c.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57fa8c.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI359.tmp (msiexec.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIFCFE.tmp (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{F51BACB0-9890-43B2-A018-A8FE1D4BBCD6} (msiexec.exe)
- File created C:\Windows\Installer\{F51BACB0-9890-43B2-A018-A8FE1D4BBCD6}\_.exe (msiexec.exe)
- File opened for modification C:\Windows\Installer\{F51BACB0-9890-43B2-A018-A8FE1D4BBCD6}\_.exe (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIFB77.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIFD8C.tmp (msiexec.exe)
- File created C:\Windows\rescache\_merged\4183903823\2290032291.pri (taskmgr.exe)
{F51BACB0-9890-43B2-A018-A8FE1D4BBCD6} is the package's ProductCode as registered by Windows Installer (the SourceHash{ProductCode} file and the per-product directory under C:\Windows\Installer are named after it), and e57fa8c.msi is the Installer's cached copy of the package; both are pivot points for finding other installs of this package. The two .pri files under rescache are written by taskmgr.exe, not by the sample.
Executes dropped EXE 3 IoCs
- 1172 xf4bG4uMOh.exe
- 3828 TaskLoad.exe
- 4360 美图秀秀.exe (Meitu XiuXiu, the name of a Chinese photo-editing application)
Loads dropped DLL 36 IoCs
Processes (load count per PID):
- 4804 MsiExec.exe (8)
- 3416 MsiExec.exe (3)
- 1172 xf4bG4uMOh.exe (10)
- 3828 TaskLoad.exe (10)
- 4360 美图秀秀.exe (5)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
This is ATT&CK T1546.016; the single IoC is the .msi package being handed to msiexec.exe /I (PID 3892 in the process tree below), whose custom actions then run under the Installer service.
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe (PID 1852, -k netsvcs -s DsmSvc), taskmgr.exe (PID 3324)
All 64 entries are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and concern four device instances. They are grouped by device below; Properties entries are given relative to the device instance key, and every reader is svchost.exe unless stated otherwise.

Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (21 IoCs)
- Key opened: the device instance key itself
- Key value queried: Capabilities, CompatibleIDs, Mfg, FriendlyName (svchost.exe), FriendlyName (taskmgr.exe), Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\
- Key opened under Properties\: {3464f7a4-2444-40b1-980a-e0903cb6d912}\0006, {3464f7a4-2444-40b1-980a-e0903cb6d912}\0016, {a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0034, {78c34fc8-104a-4aca-9ea4-524d52996e57}\004D, {78c34fc8-104a-4aca-9ea4-524d52996e57}\004E, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0064, {88ad39db-0d0c-4a38-8435-4043826b5c91}\0008, {88ad39db-0d0c-4a38-8435-4043826b5c91}\0009, {83da6326-97a6-4088-9453-a1923f573b29}\0005, {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006, {656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003, {4340a6c5-93fa-4706-972c-7b648008a5a7}\0008, {80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 (12 IoCs)
- Key value queried: HardwareID, Mfg, Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\
- Key opened under Properties\: {3464f7a4-2444-40b1-980a-e0903cb6d912}\0006, {3464f7a4-2444-40b1-980a-e0903cb6d912}\0016, {80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0054, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0065, {88ad39db-0d0c-4a38-8435-4043826b5c91}\0008, {656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A, {83da6326-97a6-4088-9453-a1923f573b29}\0005, {83da6326-97a6-4088-9453-a1923f573b29}\000A

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 (17 IoCs)
- Key opened: the device instance key itself
- Key value queried: HardwareID, FriendlyName, Capabilities, Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\, Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\
- Key opened under Properties\: {3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008, {3464f7a4-2444-40b1-980a-e0903cb6d912}\0006, {78c34fc8-104a-4aca-9ea4-524d52996e57}\004A, {78c34fc8-104a-4aca-9ea4-524d52996e57}\004D, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0051, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0064, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0065, {4340a6c5-93fa-4706-972c-7b648008a5a7}\0008, {88ad39db-0d0c-4a38-8435-4043826b5c91}\000A, {80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003, {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009

CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 (14 IoCs)
- Key opened: the device instance key itself
- Key value queried: Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\
- Key opened under Properties\: {78c34fc8-104a-4aca-9ea4-524d52996e57}\0052, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0055, {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A, {78c34fc8-104a-4aca-9ea4-524d52996e57}\0064, {78c34fc8-104a-4aca-9ea4-524d52996e57}\004D, {a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008, {a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018, {656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002, {656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A, {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004, {80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003, {3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008

Attribution caveat: the only readers are the Device Setup Manager service host (svchost.exe -k netsvcs -s DsmSvc) and Task Manager, both Windows components. None of the sample's own processes (PIDs 4708, 1172, 3828, 4360) appears in this list, so on this evidence the signature cannot be attributed to the sample, even though the QEMU vendor strings it surfaces are exactly what sandbox-aware malware looks for.
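What the sandbox-fingerprinting check behind this signature actually looks at, as an added example (this is the editor's code; it is neither the sandbox's signature logic nor code from the sample). It parses IoC lines in the report's own format (the four sample lines are constructed by copying a subset of the entries above), pulls the Ven_/Prod_ strings out of each SCSI device key, flags hypervisor vendors, and records which process did the reading so that the check can be attributed. The HYPERVISOR_MARKERS list is an illustrative assumption, not a complete catalogue.

```python
"""Classify the SCSI device keys a process read and flag hypervisor vendors.

Added example; not part of the sandbox report and not code from the sample.
The "Checks SCSI registry key(s)" signature fires on reads under
HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI\\<Class>&Ven_<Vendor>&Prod_<Product>\\<instance>.
Sandbox-aware malware reads the same keys and searches Ven_/Prod_ for
hypervisor vendor strings; this module performs that classification offline
over IoC lines in the report's format and records which process read them.
"""
import re
from collections import Counter, defaultdict

# Vendor/product fragments that identify hypervisor-provided storage.
# Assumption: illustrative list, not exhaustive. "Msft"/"Virtual_DVD-ROM" is
# deliberately absent: that is also the device Windows creates when an ISO is
# mounted on bare metal, so it is not evidence of a VM on its own.
HYPERVISOR_MARKERS = ("QEMU", "VBOX", "VMWARE", "XEN")

# Constructed sample input: a subset of the report's IoC lines, copied verbatim.
SAMPLE_IOCS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID svchost.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 svchost.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe",
]

# "<operation> <registry path> <reading process>"; the path never contains spaces.
IOC_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried)\s+"
    r"(?P<path>\\REGISTRY\\MACHINE\\SYSTEM\\\S+?)\s+(?P<proc>\S+\.exe)$"
)
# Device instance key: <Class>&Ven_<Vendor>&Prod_<Product>\<instance id>
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)


def parse_ioc(line):
    """Return a dict for one IoC line, or None if it is not a SCSI Enum read."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    d = DEVICE_RE.search(m["path"])
    if not d:
        return None
    return {"op": m["op"], "process": m["proc"], "class": d["cls"],
            "vendor": d["vendor"], "product": d["product"], "instance": d["instance"]}


def is_virtual(vendor, product):
    """True when the vendor/product strings name a hypervisor storage device."""
    text = f"{vendor} {product}".upper()
    return any(marker in text for marker in HYPERVISOR_MARKERS)


def triage(lines):
    """Summarise which devices were read, by whom, and whether a VM is exposed."""
    devices = {}                      # (class, vendor, product, instance) -> is_virtual
    readers = defaultdict(Counter)    # process -> Counter of device keys it touched
    for line in lines:
        ev = parse_ioc(line)
        if ev is None:
            continue
        key = (ev["class"], ev["vendor"], ev["product"], ev["instance"])
        devices[key] = is_virtual(ev["vendor"], ev["product"])
        readers[ev["process"]][key] += 1
    return {
        "devices": devices,
        "virtual_vendors": sorted({k[1] for k, v in devices.items() if v}),
        "readers": {p: dict(c) for p, c in readers.items()},
        "sandbox_fingerprint_possible": any(devices.values()),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_IOCS)
    for (cls, ven, prod, inst), virt in summary["devices"].items():
        print(("VM  " if virt else "    ") + f"{cls}&Ven_{ven}&Prod_{prod} [{inst}]")
    print("hypervisor vendors:", summary["virtual_vendors"])
    print("readers:", {p: len(d) for p, d in summary["readers"].items()})
```

Run on this report's lines it returns QEMU as the only hypervisor vendor and svchost.exe and taskmgr.exe as the only readers; to attribute the check to the sample you would want the same output with 1172, 3828 or 4360 as the reading process. The "Msft Virtual DVD-ROM" device is classified as not virtual on purpose, since the identical vendor string appears on bare metal whenever an ISO is mounted.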
Modifies data under HKEY_USERS 23 IoCs
Processes: msiexec.exe, MsiExec.exe, TaskLoad.exe, xf4bG4uMOh.exe, svchost.exe

msiexec.exe (3)
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b

MsiExec.exe (10)
- Key created \REGISTRY\USER\.DEFAULT\Software
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"

TaskLoad.exe (4)
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\demo
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\demo\Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\demo\Recent File List

xf4bG4uMOh.exe (4)
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\demo
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\demo\Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\demo\Recent File List

svchost.exe (2)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

The "Local AppWizard-Generated Applications\demo" keys with their Settings and Recent File List subkeys are what an MFC AppWizard project writes on startup when it keeps the wizard's default registry key and a project name of "demo", so both dropped executables are MFC builds that still carry that project name. They land under .DEFAULT rather than a user hive because the Installer service's custom action server (MsiExec.exe, PID 4708) launched them in the SYSTEM profile. The MsiExec.exe ZoneMap and Windows Script entries are the Installer's own, created when a script custom action runs.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (hit count per PID):
- 3808 msiexec.exe (2)
- 1172 xf4bG4uMOh.exe (2)
- 3828 TaskLoad.exe (2)
- 3324 taskmgr.exe (56)
- 4360 美图秀秀.exe (2)
taskmgr.exe (PID 3324), a Windows component, accounts for 56 of the 64 entries here and for nearly all of the window-message signatures below; enumerating processes is how Task Manager populates its own list.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 3324 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe (PID 3892), msiexec.exe (PID 3808)
- 3808 msiexec.exe: Token: SeSecurityPrivilege (1 entry)
- 3892 msiexec.exe (63 entries): Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then two complete passes over the same 29 privileges in this order: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; followed by a third pass that ends after SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege.
The sweep over every privilege in the token comes from the user-facing msiexec.exe client (PID 3892) and the Installer service (3808), not from any of the dropped binaries; none of 1172, 3828 or 4360 appears in this list.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (hit count per PID):
- 3892 msiexec.exe (2)
- 3324 taskmgr.exe (62)
Suspicious use of SendNotifyMessage 64 IoCs
Processes (hit count per PID):
- 3324 taskmgr.exe (64)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- 1172 xf4bG4uMOh.exe
- 3828 TaskLoad.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes: msiexec.exe, MsiExec.exe, xf4bG4uMOh.exe
Each writer/target pair is listed once with the number of recorded writes:
- PID 3808 msiexec.exe wrote to memory of 4804 MsiExec.exe (3)
- PID 3808 msiexec.exe wrote to memory of 2644 srtasks.exe (2)
- PID 3808 msiexec.exe wrote to memory of 3416 MsiExec.exe (3)
- PID 3808 msiexec.exe wrote to memory of 4708 MsiExec.exe (3)
- PID 4708 MsiExec.exe wrote to memory of 1172 xf4bG4uMOh.exe (3)
- PID 1172 xf4bG4uMOh.exe wrote to memory of 3828 TaskLoad.exe (3)
Every target is a direct child of its writer in the process tree below, which is the pattern of a parent setting up a process it has just created, not of injection into an unrelated process. The entries are still the most useful part of the report because they give the full chain from the Installer service to TaskLoad.exe: 3808 -> 4708 -> 1172 -> 3828.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
In this run it is reached through srtasks.exe ExecuteScopeRestorePoint (PID 2644, started by the Installer service) and vssvc.exe (PID 2208), i.e. the System Restore point Windows Installer creates before an install; the report records no shadow-copy deletion.
Processes
Indentation shows parent/child depth; each entry gives the image path, the PID and the recorded command line, followed by the signatures attributed to that process.

C:\Windows\system32\msiexec.exe (PID 3892)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\123ca4e6808c427238533a0893759ff35bc4a23d9404c8ab689b8163cd391a12.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 3808)
  command line: C:\Windows\system32\msiexec.exe /V
  (the Windows Installer service instance; the -Embedding children below are the custom action server processes it spawns)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 4804)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 16F345FB93849AB9CAB89AB875E4DFAD C
    - Loads dropped DLL
  C:\Windows\system32\srtasks.exe (PID 2644)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  C:\Windows\syswow64\MsiExec.exe (PID 3416)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3528116966E2CC5C2D3DF9454C31C883
    - Loads dropped DLL
  C:\Windows\syswow64\MsiExec.exe (PID 4708)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5D819D51BA51A707CD1F0FCF22EC78AA E Global\MSI0000
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Windows Defenderr\xf4bG4uMOh\xf4bG4uMOh.exe (PID 1172)
      command line: "C:\Program Files\Windows Defenderr\xf4bG4uMOh\xf4bG4uMOh.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Public\Documents\TaskLoad.exe (PID 3828)
        command line: C:\Users\Public\Documents\TaskLoad.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe (PID 2208)
  command line: C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe (PID 1852)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS

C:\Users\Admin\AppData\Roaming\xiuxiuX64—\美图秀秀.exe (PID 4360)
  command line: "C:\Users\Admin\AppData\Roaming\xiuxiuX64—\美图秀秀.exe"
  (top-level entry with no recorded parent; its AppData\Roaming location is not among the drop paths listed above, so which process wrote it there is not visible in this report)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskmgr.exe (PID 3324)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

The chain that matters for detection is msiexec.exe /V (3808) -> MsiExec.exe -Embedding (4708) -> xf4bG4uMOh.exe (1172) -> TaskLoad.exe (3828): a custom action server of the Installer service launching an executable from a lookalike "Windows Defenderr" directory, which in turn launches a second dropped executable from C:\Users\Public\Documents. TaskLoad.exe is executed from a public, world-writable location rather than the install directory, and the report lists no drop event for it, so its origin has to be recovered from the parent (1172).
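Reconstructing the lineage from the WriteProcessMemory entries and checking the drop directory against protected names, as an added example (the editor's code, not the sandbox's and not the sample's). The inputs are constructed from a subset of the report's own lines: "PID <src> wrote to memory of <dst> <src> <src.exe> <dst.exe>" entries, which for a process the writer has just created are the parent's normal start-up writes and therefore double as parent/child edges, and "File created <path> <proc.exe>" entries. PROTECTED_DIRS is an illustrative assumption. The directory check is written generally: it takes any Program Files path and any list of names to compare against, so it covers more than the one "Windows Defenderr" case on this page.

```python
"""Rebuild an installer's process lineage and flag lookalike install directories.

Added example; not part of the sandbox report and not code from the sample.
It answers two triage questions from report lines alone: which chain of
processes leads from msiexec.exe to each dropped binary that ran, and does
the Program Files directory the package chose imitate a protected one.
"""
import re

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)"
)
# Paths may contain spaces ("Program Files"), the trailing process name may not.
FILE_RE = re.compile(
    r"^File (?:created|opened for modification) (?P<path>[A-Za-z]:\\.+?) (?P<proc>\S+\.exe)$"
)

# Constructed sample input: one line per distinct writer/target pair in the report.
SAMPLE_WPM = [
    "PID 3808 wrote to memory of 4804 3808 msiexec.exe MsiExec.exe",
    "PID 3808 wrote to memory of 2644 3808 msiexec.exe srtasks.exe",
    "PID 3808 wrote to memory of 3416 3808 msiexec.exe MsiExec.exe",
    "PID 3808 wrote to memory of 4708 3808 msiexec.exe MsiExec.exe",
    "PID 4708 wrote to memory of 1172 4708 MsiExec.exe xf4bG4uMOh.exe",
    "PID 1172 wrote to memory of 3828 1172 xf4bG4uMOh.exe TaskLoad.exe",
]
# Constructed sample input: a subset of the report's file-drop lines.
SAMPLE_FILES = [
    r"File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\COMSupport.dll MsiExec.exe",
    r"File created C:\Program Files\Windows Defenderr\xf4bG4uMOh\xf4bG4uMOh.exe MsiExec.exe",
    r"File created C:\Windows\Installer\e57fa8c.msi msiexec.exe",
]

# Directory names under Program Files that a dropper might imitate.
# Assumption: illustrative list; build the real one from a clean reference system.
PROTECTED_DIRS = ("Windows Defender", "Windows Mail", "Windows NT",
                  "Common Files", "Internet Explorer")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, single-row dynamic programming (names are short)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_tree(lines):
    """Return (parent, name): child PID -> parent PID, and PID -> image name."""
    parent, name = {}, {}
    for line in lines:
        m = WPM_RE.search(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        parent.setdefault(dst, src)  # the first writer into a new PID is its creator
        name[src], name[dst] = m["src_name"], m["dst_name"]
    return parent, name


def lineage(pid, parent):
    """Root-to-leaf PID chain, stopping at a PID nobody wrote into."""
    chain = [pid]
    while chain[0] in parent:
        chain.insert(0, parent[chain[0]])
    return chain


def dropped_files(lines):
    """Paths from 'File created' / 'File opened for modification' lines."""
    return [m["path"] for m in map(FILE_RE.match, lines) if m]


def dropped_and_executed(name, paths):
    """PIDs whose image name matches the basename of a dropped file."""
    by_base = {p.rsplit("\\", 1)[-1].lower(): p for p in paths}
    return {pid: by_base[n.lower()] for pid, n in name.items() if n.lower() in by_base}


def lookalike_dirs(paths, protected=PROTECTED_DIRS, max_distance=2):
    """Top-level Program Files directories within a small edit distance of a protected name."""
    hits = set()
    for p in paths:
        parts = p.split("\\")
        if len(parts) < 3 or parts[1].lower() not in ("program files", "program files (x86)"):
            continue
        top = parts[2]
        for legit in protected:
            d = levenshtein(top.lower(), legit.lower())
            if 0 < d <= max_distance:  # exact matches are the real directory, not a lookalike
                hits.add((top, legit, d))
    return sorted(hits)


if __name__ == "__main__":
    parent, name = build_tree(SAMPLE_WPM)
    paths = dropped_files(SAMPLE_FILES)
    for pid, path in dropped_and_executed(name, paths).items():
        print(" -> ".join(f"{p} {name[p]}" for p in lineage(pid, parent)), "from", path)
    for top, legit, d in lookalike_dirs(paths):
        print(f"lookalike directory: {top!r} is {d} edit(s) from {legit!r}")
```

On the report's lines this yields the chain 3808 msiexec.exe -> 4708 MsiExec.exe -> 1172 xf4bG4uMOh.exe, and flags "Windows Defenderr" as one edit away from "Windows Defender". TaskLoad.exe is not returned by dropped_and_executed because the report contains no drop line for it, which is precisely the gap the lineage function closes: its parent chain still leads back to the Installer service.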
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 38KB
MD5: 5487998c01f223fd9c5effec9926fc71
SHA1: d6fddaf8e574ac1db67f3980f29b729710d02726
SHA256: b3970a48d14e1c1ca1148d036e1461b0e40813bb479947bdbae56dd8875d4d3c
SHA512: 1c1c9e9e9dd217e3677e8c3bc3359ebf1e67cd710c073120e8e82dbce2450a2789939ed67bd96268035f3ed15dbeb063d5f88d080e71bae78f5e44c267ba387d

Filesize: 2.0MB
MD5: faf4a129b091a57c3ff694dc721d4f3b
SHA1: 7430935f501164b46b99766ed9ab68da0db50c24
SHA256: b1d13ed7409ca47f47d200f6b26d8da6a07e645ef49ddc9a28486f46bb8c41e7
SHA512: 0103d9bfa27c809f978a2ac805e5eb59e07f0f0eef8aecf2713d8af1bff0d54fbc24043435cb67f550d5afdd6f0a2bc5c0026b6e920efe2ad21b619bbfbb0583

Filesize: 72KB
MD5: edb6b04b2a24933d42cd83e6d2de8074
SHA1: e3fdd7bcaa48912edd786c006ed8dbf9a3706be7
SHA256: 8b6591eec900240f2530a91347936652b7921182b4a16efb23c943b9885e7799
SHA512: e41f0ddc836e510455e1226c43ae6fa34047e01564c9e527f6405abdb3e621bed883714ac5dac99018668fafe459356cd102c1e77f8fd96f246426fd72d8eb4c

Filesize: 92KB
MD5: e61e00f904f561ec9e6574ddec3bb65a
SHA1: 6458b901d065848b44988bff89b8e7933a43d7fc
SHA256: 25bff93e68ed9086a8effd7c79e01fca7d3ab228b158acd57ebf583d0054e364
SHA512: 06ee9b0b36de98cceafa938cab3f6523be42a869d4e28ffbb1dcbdcee363eeedbf320923653cc90450d0fb8d14cbaf74768acbe78c7177747f2a637103d043ac

Filesize: 196KB
MD5: 8dcba1d7e17b3e1488d8ced934f6cc89
SHA1: aff37e2cdba9adc6ea1be364f5c3cb602aa5d026
SHA256: feaa74e655bbdf22825d5af46c975252423af6e4056d346840c48eff536a9a96
SHA512: 62ec5fb14e1b4743678d29bc1d5d73095c716d4bec5e4e910812ec627baf344e7cf4d0fb0e385281a5fac745420dab5ba6b8de60e7b4062aca7edc83dd5d5eb7

Filesize: 80KB
MD5: e472f2b8f36fda019a31b759a0eae43e
SHA1: abbd73eec15e820fb5bc2490f0205fa583adc2f2
SHA256: fcb39506b6e06d6c59e0c718457269dc77ba2f7c21cd1d68a4a99bbf36592606
SHA512: 3810c34c4bd613e7c255e8158a4d8ffd79910cb1d3e9f62aab5149c0f394531fb0217b6ea12635b87e37353fe88f18c30d66a40161388f552e74f6aa4b8241de

Filesize: 340KB
MD5: 7df01bd2cdf14bf30e3440b7bc16b6d6
SHA1: eab6bd36bcafdbfcb52f65508512461f225f74fb
SHA256: 08fe9d71cbc99645200cf00f8d2ffb0b2abb3c8f6e4a05bda227ba3fc5aba3c5
SHA512: 107aee7c2d5a88d4cf8b6e9864f501d0ba01c42238b900f83eecf7390bda477623c29820cb992a435a7597d6c90d413a2b23e10907eb992b676058503b14c634

Filesize: 36KB
MD5: f0284892937a97caa61afcd3b6ddb6d4
SHA1: f3c308e7e4aaa96919882994cdd21cc9f939cabd
SHA256: 2514913f8a6f4671a058304651289b0babe47d81c044212b3140ed1c1b643b09
SHA512: 058845e0a9a5892a69f24f3a77086e3f9546493ad40a0e5359aed05cf8882a9f3d7aee0449648d5cb76e51530af3e46af59a9b196cc92318334116c92dde4171

Filesize: 13B
MD5: 23c49d547fe2073acaf63c3705212c82
SHA1: 20b5e8b7e80116a1daae958ec14a3c3d6b45fed3
SHA256: ad0b993143bdf13ac876461d34801b262315692daaed51ebcff8ff77544ac5a5
SHA512: f2c8c1dbc792de08dcbe4f34efb4b750e81eedb387da1352223d625ab7ca3440e1470de332be6942f6889af81ff5b4e090373023ba7699b8f00ce429bb55ac17

Filesize: 56B
MD5: 6f10d76e583b39191028ab57f8edbed9
SHA1: fbaa6e99f3a88d1e4cd606ca45debed661135c1d
SHA256: 847f6e3577892365fadc94648eabdde48b9660590ba109e8387a9cb984aee476
SHA512: 17a2f133b321fb9ac992e03da4ada3b3e5f1e507c7656d287ea00efddc50885c9ea9f337dd6b8cd52015060b4f0f4fc7832a7a3603ed5a3b498d8da47916743c
-
Filesize
200KB
MD5078c21b8c91b86999427aa349cf5decf
SHA1b939376eaebcf6994890db24ddcb2380c1925188
SHA256ed2c6bc3e77a404b8cf61176844ad19c1fdcae19881206631e3f0831a4bd919a
SHA512a006a36fdcaf4c2403238475163553ba2fe7783fea200f28df46ea980a3907d2b24c854153b45b730195a133fcb28f60c157f33c865ea286ad8c354981cf5885
-
Filesize
494KB
MD5d1205c0fd498f6e69ae1482bbc3490c8
SHA1ca484f7e2838dff1071a60fdfc244a35e1bec8be
SHA256d38f23f952b3180db63cf4d60131024a6c5ffeb71a3be1795077da6dbc5dfb20
SHA5122fcec21ba75ee07d9f483ce745f41d4c39101d100d09bc6adf80dd5170a885e0ca48c226ab9d333471c9cb1fc2c4420793661e1aa9e492025e827419bb19c796
-
Filesize
21KB
MD5da08e194f9a7045dbb19f6e5d5d7f609
SHA17884062382bf1e7911f7e74198ca9fecec159c61
SHA2569bd52ec7e7750500de33df995fcc7e68ed1da70d125579cf76ae8f787577ef75
SHA51246720cd0677064b00a9e253953b8b6cd5141a99d0090ff0d7c4a24b830ca621878bcdfec3c56880f940662bd78f408782231bdd3cb370e06dadfee71e3e2b2b0
-
Filesize
13KB
MD537aa892a6f35bcbe9b01f0a424f5d4f6
SHA1e5d60e43a8e0a4b7371bd736e21b1a59546774af
SHA2566feeb95115d7d8a51403996fee1ad219a52151662d3a01a2d17cfb77dbd51f3b
SHA512a5d5ac494cba18bb5b2582310416dc2e146732ba4f2eddab6611393d61ac0ae839bacae0da1e85f0965575e6d6284b1180e2e3adb924f1e19d2d7586d2abbd83
-
Filesize
588KB
MD5a9941233b9415b479d3b4f3732161eab
SHA1cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7
-
Filesize
4KB
MD59bb5e7c1180f0b65d3374581a5694ab4
SHA18ef07c4e50f3dc1777cd90afab64633e2410ea59
SHA256e60d108bb9446239540b936d7d9346bef90a8baeb55d60d09983c29e5ff5c97f
SHA51265490636fd393dd047aa5f50ce6bba67c51449416dd6eff20f3166156f0fda9c4c9806d3e865aa892142ae4c1ebb0ae052b7f1578acf608c39eddde6718e74c2
-
Filesize
1.2MB
MD55d71ef22e9a4afe4257ee67a7ce2c7ec
SHA13818872bfc4d6efa863892145adf80e26c2c816e
SHA2560e82401f2105babf1a9c0221946025f32255a0b0f756f7cb302e0ee8b865b0a2
SHA512e6bf869d2aa302b7ad1cb1e36720c3482f00fe3ed7efb6c21f319c57e5becb374a53427309ebbefb3ec269f92a81dcd315c42b68b1e8bc786b28328fdb4e53df
-
Filesize
26.0MB
MD55436a7b37e8a35471959fdaf7bccb063
SHA1b27e4f7a68a90c3ecde3f895b95c82efa5d4b13a
SHA25653d1da733725b39683fba5007e1d286779e77b9910fc0951f95a0cbbd181fa4b
SHA5129101d49244c494eef9de1c179b8de7a62be68575adfafab3ac25876381a909097f5e0acd47b95e873320574ce7a73da337ae55a4b716f016195b8859be25a299
-
\??\Volume{38fc5f00-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d73704e3-630c-4dc0-b22e-2f2a20a6d100}_OnDiskSnapshotProp
Filesize5KB
MD56f2d4fcaacf263d0a951e716090e3256
SHA187c12ef370250c22a568603cadf151f651ecc4a5
SHA256a9bde629fd25f2690f11557e840dfdd5b75bd8783a2528e18a0027fab8bf2431
SHA512929477f16753a2c0dfa6d1422feb123c401173fce80344e9e87976d06a9dfbee77701760de242599a6d5f70955c49a2d53c552a6de1329f716a7290b12387ba6