036a82bb69b5354a85df9eac8c66a44ae82294a1aea105e2e51da1a4a87cdb84

Analysis

max time kernel
1706s
max time network
1713s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup (1).msi
Size

4.4MB
MD5

c4de73561e5d359aee3e8626434f95c7
SHA1

1020b4a315ddc4dfd4132315a98b0a15212068ed
SHA256

036a82bb69b5354a85df9eac8c66a44ae82294a1aea105e2e51da1a4a87cdb84
SHA512

25f6186f44f19bbf7dbca2df6c29753ee80281080d7e032faeae9d2d60cbcd3bf1268dd8fb4bd882bc18ee8b7ef61446a68fc290f1dbab900c4df9e869372c61
SSDEEP

98304:eVHYDgBzP/in0iuWhi+l4OLGIHi6h9iM:+ZzPqn0iZiuHfiM

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	3316	msiexec.exe
8	3316	msiexec.exe
10	3316	msiexec.exe
48	2280	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.ini	msiexec.exe
File created	C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICA07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE120.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c95b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c95b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAF4.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{311288D1-772B-4E78-91B8-0A2E9C2BAEA9}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC3E.tmp	msiexec.exe

Loads dropped DLL 17 IoCs

pid	Process
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
1732	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2280	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e34d5b1d972792500000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e34d5b1d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e34d5b1d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de34d5b1d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e34d5b1d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1028	msiexec.exe
1028	msiexec.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
2432	msedge.exe
2432	msedge.exe
1736	msedge.exe
1736	msedge.exe
5152	identity_helper.exe
5152	identity_helper.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe
5132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3316	msiexec.exe
Token: SeSecurityPrivilege	1028	msiexec.exe
Token: SeCreateTokenPrivilege	3316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3316	msiexec.exe
Token: SeLockMemoryPrivilege	3316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3316	msiexec.exe
Token: SeMachineAccountPrivilege	3316	msiexec.exe
Token: SeTcbPrivilege	3316	msiexec.exe
Token: SeSecurityPrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeLoadDriverPrivilege	3316	msiexec.exe
Token: SeSystemProfilePrivilege	3316	msiexec.exe
Token: SeSystemtimePrivilege	3316	msiexec.exe
Token: SeProfSingleProcessPrivilege	3316	msiexec.exe
Token: SeIncBasePriorityPrivilege	3316	msiexec.exe
Token: SeCreatePagefilePrivilege	3316	msiexec.exe
Token: SeCreatePermanentPrivilege	3316	msiexec.exe
Token: SeBackupPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeShutdownPrivilege	3316	msiexec.exe
Token: SeDebugPrivilege	3316	msiexec.exe
Token: SeAuditPrivilege	3316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3316	msiexec.exe
Token: SeChangeNotifyPrivilege	3316	msiexec.exe
Token: SeRemoteShutdownPrivilege	3316	msiexec.exe
Token: SeUndockPrivilege	3316	msiexec.exe
Token: SeSyncAgentPrivilege	3316	msiexec.exe
Token: SeEnableDelegationPrivilege	3316	msiexec.exe
Token: SeManageVolumePrivilege	3316	msiexec.exe
Token: SeImpersonatePrivilege	3316	msiexec.exe
Token: SeCreateGlobalPrivilege	3316	msiexec.exe
Token: SeCreateTokenPrivilege	3316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3316	msiexec.exe
Token: SeLockMemoryPrivilege	3316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3316	msiexec.exe
Token: SeMachineAccountPrivilege	3316	msiexec.exe
Token: SeTcbPrivilege	3316	msiexec.exe
Token: SeSecurityPrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeLoadDriverPrivilege	3316	msiexec.exe
Token: SeSystemProfilePrivilege	3316	msiexec.exe
Token: SeSystemtimePrivilege	3316	msiexec.exe
Token: SeProfSingleProcessPrivilege	3316	msiexec.exe
Token: SeIncBasePriorityPrivilege	3316	msiexec.exe
Token: SeCreatePagefilePrivilege	3316	msiexec.exe
Token: SeCreatePermanentPrivilege	3316	msiexec.exe
Token: SeBackupPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeShutdownPrivilege	3316	msiexec.exe
Token: SeDebugPrivilege	3316	msiexec.exe
Token: SeAuditPrivilege	3316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3316	msiexec.exe
Token: SeChangeNotifyPrivilege	3316	msiexec.exe
Token: SeRemoteShutdownPrivilege	3316	msiexec.exe
Token: SeUndockPrivilege	3316	msiexec.exe
Token: SeSyncAgentPrivilege	3316	msiexec.exe
Token: SeEnableDelegationPrivilege	3316	msiexec.exe
Token: SeManageVolumePrivilege	3316	msiexec.exe
Token: SeImpersonatePrivilege	3316	msiexec.exe
Token: SeCreateGlobalPrivilege	3316	msiexec.exe
Token: SeCreateTokenPrivilege	3316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3316	msiexec.exe
Token: SeLockMemoryPrivilege	3316	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3316	msiexec.exe
1736	msedge.exe
3316	msiexec.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe
1736	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2816	1028	msiexec.exe	87
PID 1028 wrote to memory of 2816	1028	msiexec.exe	87
PID 1028 wrote to memory of 2816	1028	msiexec.exe	87
PID 1028 wrote to memory of 3744	1028	msiexec.exe	103
PID 1028 wrote to memory of 3744	1028	msiexec.exe	103
PID 1028 wrote to memory of 3856	1028	msiexec.exe	105
PID 1028 wrote to memory of 3856	1028	msiexec.exe	105
PID 1028 wrote to memory of 3856	1028	msiexec.exe	105
PID 3856 wrote to memory of 2280	3856	MsiExec.exe	106
PID 3856 wrote to memory of 2280	3856	MsiExec.exe	106
PID 2280 wrote to memory of 1736	2280	powershell.exe	108
PID 2280 wrote to memory of 1736	2280	powershell.exe	108
PID 1736 wrote to memory of 4572	1736	msedge.exe	109
PID 1736 wrote to memory of 4572	1736	msedge.exe	109
PID 1028 wrote to memory of 1732	1028	msiexec.exe	110
PID 1028 wrote to memory of 1732	1028	msiexec.exe	110
PID 1028 wrote to memory of 1732	1028	msiexec.exe	110
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 4960	1736	msedge.exe	111
PID 1736 wrote to memory of 2432	1736	msedge.exe	112
PID 1736 wrote to memory of 2432	1736	msedge.exe	112
PID 1736 wrote to memory of 776	1736	msedge.exe	113
PID 1736 wrote to memory of 776	1736	msedge.exe	113
PID 1736 wrote to memory of 776	1736	msedge.exe	113
PID 1736 wrote to memory of 776	1736	msedge.exe	113
PID 1736 wrote to memory of 776	1736	msedge.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Setup (1).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8922498AECA8DAA2DD3BDE101B93846C C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3744
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6EC1E98E48512F604CFE20213856CA38
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssCEEC.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCED9.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCEDA.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCEDB.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://start.artificusbrowser.com/notification/?verify=110mrdd1721931110
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b04f46f8,0x7ff9b04f4708,0x7ff9b04f4718
        5⤵
        
        PID:4572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        5⤵
        
        PID:4960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
        5⤵
        
        PID:776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        5⤵
        
        PID:2560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:4968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        5⤵
        
        PID:5172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        5⤵
        
        PID:5180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
        5⤵
        
        PID:5656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
        5⤵
        
        PID:5664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2388 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5132
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 79EE20BDEE88F384C7D81FCF08C9B70E E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c95c.rbs

Filesize
218KB

MD5
4a736dbe4cc7112d137046d7f24a7ba2

SHA1
03ae91084cced76794730a6fe948e4d08196dac6

SHA256
a733ebb63a1a10731db3b1addb72fcc0509ab134502498fcdf3df8d4836d4b3e

SHA512
4971ae76108060ed45b36433b45d74f9c232d37b0d195c27009568b39d24cc24a8a4099248421ba8366e45cfe85382557b2e9a04411ab0ec381f0e879db9ad94

Download Submit
C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.ini

Filesize
538B

MD5
6acdc8d4706a9477b8beed782370a6e4

SHA1
25bb511813901d4f08abdc643cec6906988b6ce4

SHA256
bfd7b7399cd2b7995995214e85130b94f5fe704efdf9e7c6aeb67c709d1da04a

SHA512
a28e304ddbb4ae24c88117f5240e6a694e1a605a0ed1f2b02ed451b37b1625904ac1890e6f64698ef9029b3201d12ef043249524d75f9d579ee19f9f69b8e231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164

Filesize
1KB

MD5
c75b3e144031a2892308be13711c75fb

SHA1
80e2f4741a798b7af6fe19b9d94a473439c4bcd7

SHA256
c3a2829e6eb9d93f2f474e38574c8e435730049cee2cfc51d973015671036a29

SHA512
e26eb3a5526d1816f800b4333de4ae601224e5f148c94e542a6158322392faa41defc4ffa3fb00aa9ef6f847775d8b2c6f3481761de6ec6fa61f5a299a2bf295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_A9CA4191D05D34A8E11E01F09820AAAF

Filesize
1KB

MD5
143568624d585b98c72fae5f5281e8db

SHA1
7f86a14d1372925918fc0d2e953e9600ebb3e1b5

SHA256
d7796537314e9f3c50b7e7cf3dbdb9e57f0f6b8a900860faf655f5cdd8fe91f4

SHA512
cc4ac22c2e6c6c4fc66c9bf805cc0a1e3e3fda8f57dc6e6415626e2b3e8e2ad38cfa57dc11467b6cbe85d46c963a414289c4474d2e34ca52a90ec701b276ced9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164

Filesize
532B

MD5
837de91f56b9c25142c04c199fffbafb

SHA1
6f9d83badf512e0d053a726498e0ae6f00d750cd

SHA256
bcb9c8accbe514369c80228cc076e91cc9f92a3a43ed41f215948f60280f3abb

SHA512
fafeebc63bfe5a2129547436016b1090267921845b30ba6b6cbe08ba92207c53b655e0bc00a34434831da1faafda62367e2de477d2ebfe8f8f4ab1f311466500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_A9CA4191D05D34A8E11E01F09820AAAF

Filesize
540B

MD5
bf45c5bcd2253d1067645f2adac6d0cb

SHA1
43d21ce6cac554a5e3307b1e188ef7acc53f51a9

SHA256
3d1f6ffa319e7f22fd7354dec2f46eebba047099545b988dfeac632ceef7d57c

SHA512
3cf53950f9f4c3bcc32764e41488b598c1193547c13c50f05e7f659b70f86d071d0601f3bdeb335d5a8f815a5de92ad972a1922d5fc5dc2416f97576b9a2ee6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1790c766c15938258a4f9b984cf68312

SHA1
15c9827d278d28b23a8ea0389d42fa87e404359f

SHA256
2e3978bb58c701f3c6b05de9349b7334a194591bec7bcf73f53527dc0991dc63

SHA512
2682d9c60c9d67608cf140b6ca4958d890bcbc3c8a8e95fcc639d2a11bb0ec348ca55ae99a5840e1f50e5c5bcf3e27c97fc877582d869d98cc4ea3448315aafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8dc45b70cbe29a357e2c376a0c2b751b

SHA1
25d623cea817f86b8427db53b82340410c1489b2

SHA256
511cfb6bedbad2530b5cc5538b6ec2184fc4f85947ba4c8166d0bb9f5fe2703a

SHA512
3ce0f52675feb16d6e62aae1c50767da178b93bdae28bacf6df3a2f72b8cc75b09c5092d9065e0872e5d09fd9ffe0c6931d6ae1943ddb1927b85d60659ef866e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
952ad1581f3d95e1f53cc04e1c349100

SHA1
478566b12258b8f80ae035a27603f738650322f0

SHA256
7c49ef562b589946beb2496a17396a3ecdf7885cc6dd7852d9b918dfe662c5b1

SHA512
0b7d8e78ca78c5dfd8dbfc9a6c19e81f75f310f8e7d1bac137c77ed39543b724d2e429bf7d7b20fb6b2be3b8f35d2e2f3bd6c4047d86d09562d610bc56204ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
716B

MD5
d59b837a5da3965c80a5b617270ea482

SHA1
d3af00359283e3d6a8f0c7f01ebc1197271bab17

SHA256
0f478e5123de4501150c358c7ba8dce8d17ac3d34c5a8616c81a969b7b7f9489

SHA512
3c661471f807eed2b952c218959f0fe58abe3e1b91a11c051e70ab564b3b794af2ff5f0cc3d1d7695a40406a2ef42ceedbdd0c7134ed6ccab78221e52c90d9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
525baf3927274f64cdcec1f8048f9809

SHA1
2cc3fb15b81eeb69f48ecfcd7a434ddc88732975

SHA256
028a89d0d0c51d64696a6f31d818e983426f67dd474d132c16d756e0a02fb2ea

SHA512
17abd483c15957d548a33e440aa9084ff06b4254c998f651521d3e3fd233d5b477be3736e43b1da1bc10df90b83efc61a39156cd5077f547969c61aea48eb86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb3118559ae742a9a2cbcc273fc09eb7

SHA1
04ab7e09c11dac0a8d2bdd556410b03c97d61f8d

SHA256
9fa6adcb4844328d99efd562985b27f70e7a3800d67c01f6b8134cec96877a91

SHA512
95c7d0a42de3ba53f4a46d3be4ca117d9888e73a779d99cf3e1443cbfe17cba6d75899b618ce1fd6610de349995c0c66bf37084d046999c2474f16cccc4ce6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb465de4d08e87215feac0a73fba7af2

SHA1
05365cca100d0a790c0d074305364a1c9e3056ba

SHA256
8a371c5b3070fbee279e583745808fbb8dbab006a73c62ce23ab31614535702c

SHA512
0a6c01473f1532abcaeaf9e54249a5954247a9cfd270ad0832b1c22f76215996c269f6acd01e0699583b5f6990774e76d2d2b027703b6e33d03e67fe8b6c4ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI830B.tmp

Filesize
819KB

MD5
3604517a3e6e69ba339239cf82fc94a5

SHA1
c4757e31f9c8a90ee5de233792da71c8915050c5

SHA256
bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2

SHA512
c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI88ED.tmp

Filesize
1.1MB

MD5
cc048c7aadc4adf3a29d429f1f5eead0

SHA1
6b4d89df901427fe955be2d58ad91a6de30be9d6

SHA256
d23c6ac751423ff6961694437e67d7b608102bd351e3e0cd10d34d026a1a08ca

SHA512
0e67c0a4db70e19ead49f6c0fd41045f3fd9ee688d75a6da2916e347b70783843fa0e3d6cfc2b0bcd5e16a6045ba27707dff655556ebc725c126082e45cee2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqx0eziv.1hf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssCEEC.ps1

Filesize
35KB

MD5
ffb79f02b7a4c6ff5b9869fce3c1285b

SHA1
79c88af7d57430b8afcfaeeee452b9f93a004bc7

SHA256
3c98870e58cc784584fdf97f9a2c7e0ee311f10287873ccc46046c7b691e38b7

SHA512
6ff0768db251959f380feb03d0bc003d34982d9de76c76f89fdecb3c9fe18e95316fbdd77366043f0e7f57233e89267d56b9bc618d7f5c35f248cbcc71d7216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrCEDA.ps1

Filesize
35KB

MD5
03d2b8bd9a2217a0a4ffd5a2acae8741

SHA1
f6f439e2036eb740d8cc1b4bd96b4a4df80a2339

SHA256
c847aa04bed0e2f97634215f7d8bebac5e51f6227cfd9655a3743a7dc1d8607d

SHA512
265f730f9a524eef0f99613da3376e49ce428cb5369a5517e0594d9f73ea7d5d0f05c2ffded9a3614cb2148c09c9f530e60c4e70cbf480635ff4bdbc372b8eb3

Download Submit
C:\Windows\Installer\MSICC3E.tmp

Filesize
215KB

MD5
32fbe2ada353606f81f50faaf2e9f4ed

SHA1
bd696491057c8bee9979bd29e1ab9694eb5630b0

SHA256
18eaa658aa74d95a46b37a55a09ca64fcec3fd924787c7e1e32bdde14de556e5

SHA512
89b757348d844423b2287e9cb543f30d935637e3ba4f3a07bd8b6bed9dd9161efbcd1a8f4f62182980ee80737853ae3bb30d0ec630073f829403fcdf659a5227

Download Submit
C:\Windows\Installer\MSICD0A.tmp

Filesize
758KB

MD5
419cea1c6064e430860508e269f0cd2f

SHA1
921841797df087a1adc93877467e30e00c7d1d7e

SHA256
10575139bca9cb43ea44a9883308fdd83cebe6df59f68036337ab72530f0a8f4

SHA512
c6597fff8febdc6aa26dc91147532af6892a49e789903fcfed57fe8131a43bbfaa59b93035a4b2bbfd580fcf098ddd478e2110890381269556f387c689fb3c35

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
7ed77d25fe9d7e22c22c8e2cd5cdabe6

SHA1
7df4f8aff6f253401fd809010e052d2a7701cb16

SHA256
5bdb7253cff7a83bab0642c402374ae30091f961dba07063673cb25d13b3b90a

SHA512
c925d99a6d4f7d56131824dc37ef6abdd9860b5a154295ba9f9a452e628832cfeb46747c4e6939ef72584e144b22e76f8cf8a58a533e8ed04be9e0fea1ffa405

Download Submit
\??\Volume{1d5b4de3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b9a079aa-ec18-4808-9f85-69464439db33}_OnDiskSnapshotProp

Filesize
6KB

MD5
2c203073fee1ff08be3b106afbf5b5bf

SHA1
aa4c386c78b49a2835887d62f065e0d562c6e3ce

SHA256
8e1d1231eff739d32b55fa296e2fcda2ceba822b6f256201e4fcc0898c46966b

SHA512
b5323353563b4e43308b1d1dff3c9f125546495956574b71eab258a71ebd5b5f6ed678663a35660ace5f5cf3d953b033632cb804bd69d806d70c247b5631e60f

Download Submit
memory/2280-102-0x000001B96F5D0000-0x000001B96F5F2000-memory.dmp

Filesize
136KB

Download
memory/2280-106-0x000001B9701A0000-0x000001B9706C8000-memory.dmp

Filesize
5.2MB

Download
memory/2280-105-0x000001B96FAA0000-0x000001B96FC62000-memory.dmp

Filesize
1.8MB

Download