Analysis
- max time kernel: 127s
- max time network: 135s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 29/08/2024, 19:24
Static task: static1
Behavioral task: behavioral1
Sample: phantomlauncher-setup.msi
Resource: win10-20240611-en
General
- Target: phantomlauncher-setup.msi
- Size: 5.4MB
- MD5: d495d8473e1083d4db7809c5fa692e57
- SHA1: 77490e8a6933b4f45cd697d918379f7c0461dcd0
- SHA256: f1686113be61c6e568deeb7f672333d9a4d397c353419bafff454cdba38a9c51
- SHA512: 482edfe2432ddfaa6be705cd405cb4ca7c5fad9ecdfd3fb538df235cd57ee80b871d73de0c2a4d844c7247c391d09744d4a96051a8bbac6296ab8c41c713f1e0
- SSDEEP: 98304:kW0sTN/Gq3/ccFv5TC7/3Ac/ePpQpGoNTPY237oZwUEqNJAGl+hu8uSSTuf6xx:GsTN/Gq3/J0v1oo1Yy7oZXEOCRhLoTd
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000700000001aafe-228.dat | family_agenttesla
  behavioral1/memory/244-231-0x00000000057D0000-0x00000000059E4000-memory.dmp | family_agenttesla
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\netstandard.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Runtime.InteropServices.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Diagnostics.TextWriterTraceListener.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.ObjectModel.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Security.Claims.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Resources.ResourceManager.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.Http.Rtc.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Diagnostics.TraceSource.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.IO.FileSystem.DriveInfo.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.NetworkInformation.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.ComponentModel.EventBasedAsync.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Xml.XPath.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\Guna.UI2.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Xml.XPath.XDocument.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Text.Encoding.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Security.Cryptography.Encoding.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\Microsoft.Win32.Primitives.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Diagnostics.Tools.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Xml.ReaderWriter.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.Primitives.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.Http.WebRequest.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.ComponentModel.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Text.RegularExpressions.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.ComponentModel.Primitives.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.Http.Formatting.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Xml.XmlSerializer.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.ComponentModel.TypeConverter.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Runtime.InteropServices.WindowsRuntime.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Collections.Concurrent.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\Costura.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Reflection.Extensions.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Collections.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Numerics.Vectors.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Runtime.Handles.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Diagnostics.StackTrace.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Security.Principal.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Threading.ThreadPool.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.WebHeaderCollection.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Linq.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.WebSockets.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.ValueTuple.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.IO.IsolatedStorage.dll | msiexec.exe
  File opened for modification | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Diagnostics.Tracing.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Collections.NonGeneric.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Threading.Tasks.Parallel.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Threading.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.IO.MemoryMappedFiles.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Security.Cryptography.Primitives.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Runtime.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Diagnostics.Debug.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Memory.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\discord-rpc-w32.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Security.Cryptography.X509Certificates.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Runtime.Numerics.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\Newtonsoft.Json.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Threading.Thread.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Security.SecureString.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Resources.Writer.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Globalization.Extensions.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.IO.Pipes.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\Newtonsoft.Json.Bson.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Diagnostics.DiagnosticSource.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Net.Http.dll | msiexec.exe
  File created | C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\System.Xml.XmlDocument.dll | msiexec.exe
- Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8B14.tmp | msiexec.exe
  File created | C:\Windows\Installer\e588a1e.msi | msiexec.exe
  File created | C:\Windows\Installer\e588a1a.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e588a1a.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8ECF.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{34378CFF-392A-4E55-A8B8-BC9CD4F81B4B} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9586.tmp | msiexec.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  244 | PhantomLauncher.exe
- Loads dropped DLL (6 IoCs)
  pid | Process
  4160 | MsiExec.exe
  4160 | MsiExec.exe
  4724 | MsiExec.exe
  4724 | MsiExec.exe
  244 | PhantomLauncher.exe
  244 | PhantomLauncher.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  3940 | msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PhantomLauncher.exe
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | PhantomLauncher.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | PhantomLauncher.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | PhantomLauncher.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4284 | msiexec.exe
  4284 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3940 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3940 | msiexec.exe
  Token: SeSecurityPrivilege | 4284 | msiexec.exe
  Token: SeCreateTokenPrivilege | 3940 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3940 | msiexec.exe
  Token: SeLockMemoryPrivilege | 3940 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3940 | msiexec.exe
  Token: SeMachineAccountPrivilege | 3940 | msiexec.exe
  Token: SeTcbPrivilege | 3940 | msiexec.exe
  Token: SeSecurityPrivilege | 3940 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3940 | msiexec.exe
  Token: SeLoadDriverPrivilege | 3940 | msiexec.exe
  Token: SeSystemProfilePrivilege | 3940 | msiexec.exe
  Token: SeSystemtimePrivilege | 3940 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 3940 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 3940 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 3940 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 3940 | msiexec.exe
  Token: SeBackupPrivilege | 3940 | msiexec.exe
  Token: SeRestorePrivilege | 3940 | msiexec.exe
  Token: SeShutdownPrivilege | 3940 | msiexec.exe
  Token: SeDebugPrivilege | 3940 | msiexec.exe
  Token: SeAuditPrivilege | 3940 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 3940 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 3940 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 3940 | msiexec.exe
  Token: SeUndockPrivilege | 3940 | msiexec.exe
  Token: SeSyncAgentPrivilege | 3940 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 3940 | msiexec.exe
  Token: SeManageVolumePrivilege | 3940 | msiexec.exe
  Token: SeImpersonatePrivilege | 3940 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 3940 | msiexec.exe
  Token: SeCreateTokenPrivilege | 3940 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3940 | msiexec.exe
  Token: SeLockMemoryPrivilege | 3940 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3940 | msiexec.exe
  Token: SeMachineAccountPrivilege | 3940 | msiexec.exe
  Token: SeTcbPrivilege | 3940 | msiexec.exe
  Token: SeSecurityPrivilege | 3940 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3940 | msiexec.exe
  Token: SeLoadDriverPrivilege | 3940 | msiexec.exe
  Token: SeSystemProfilePrivilege | 3940 | msiexec.exe
  Token: SeSystemtimePrivilege | 3940 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 3940 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 3940 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 3940 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 3940 | msiexec.exe
  Token: SeBackupPrivilege | 3940 | msiexec.exe
  Token: SeRestorePrivilege | 3940 | msiexec.exe
  Token: SeShutdownPrivilege | 3940 | msiexec.exe
  Token: SeDebugPrivilege | 3940 | msiexec.exe
  Token: SeAuditPrivilege | 3940 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 3940 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 3940 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 3940 | msiexec.exe
  Token: SeUndockPrivilege | 3940 | msiexec.exe
  Token: SeSyncAgentPrivilege | 3940 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 3940 | msiexec.exe
  Token: SeManageVolumePrivilege | 3940 | msiexec.exe
  Token: SeImpersonatePrivilege | 3940 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 3940 | msiexec.exe
  Token: SeCreateTokenPrivilege | 3940 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3940 | msiexec.exe
  Token: SeLockMemoryPrivilege | 3940 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  3940 | msiexec.exe
  3940 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4284 wrote to memory of 4160 | 4284 | msiexec.exe | 72
  PID 4284 wrote to memory of 4160 | 4284 | msiexec.exe | 72
  PID 4284 wrote to memory of 4160 | 4284 | msiexec.exe | 72
  PID 4284 wrote to memory of 3496 | 4284 | msiexec.exe | 77
  PID 4284 wrote to memory of 3496 | 4284 | msiexec.exe | 77
  PID 4284 wrote to memory of 4724 | 4284 | msiexec.exe | 80
  PID 4284 wrote to memory of 4724 | 4284 | msiexec.exe | 80
  PID 4284 wrote to memory of 4724 | 4284 | msiexec.exe | 80
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\phantomlauncher-setup.msi
  PID: 3940
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4284
  Signatures:
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 11E98A3F12EA98FB59334055C795083C C
    PID: 4160
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 3496
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F853E3C57EC03276588793FDFA1E154A
    PID: 4724
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4496
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  PID: 5052
  Signatures:
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3c8
  PID: 952
- C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\PhantomLauncher.exe
  Command line: "C:\Program Files (x86)\Phantom-Launcher\phantomlauncher-setup\PhantomLauncher.exe"
  PID: 244
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: afd3fce730c865aba2a44c2cdba77bc3
  SHA1: ca3f2bf428cc77b6b539f48c0ddb5eaf89f82eba
  SHA256: 98cca3422d521bbb8394e4ce840af3acb6b10148943d5e9542b1abe6df9b8389
  SHA512: bdb4be966fbade7ca938493ce2e1658997db9cee63bfa797c83910b3abd6f443016ee76be43baebd273cb69c1f8f864ec5b783af92c1da6a936543681603bcdc
- Filesize: 2.1MB
  MD5: c19e9e6a4bc1b668d19505a0437e7f7e
  SHA1: 73be712aef4baa6e9dabfc237b5c039f62a847fa
  SHA256: 9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
  SHA512: b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
- Filesize: 2.7MB
  MD5: 5cae986a815f449d49f7af34c0fc5937
  SHA1: 1cad1623c2babdf85b36be9ac7d2b5bfdb8255c5
  SHA256: 6c4b4b34b2f3a303c8e606d098d999a59c821e33c8d7570cf3d5fc7dd1d271cd
  SHA512: 41ca4be5a7d2451f32055ac17cec0c079aa042d9c511a88476c8baa4da8efa3607d54a07ddb010d3d8dfc82568a0833af803cb5f59588df510af08bf9340cbb9
- Filesize: 806B
  MD5: c974cb269c188505b9d2fe4d5f34a989
  SHA1: df9404d241699c48cf684ee5d41aa75b9888cf60
  SHA256: 88442b18b4069c24bcc49d31520af42f0cbcf0616482c84ada74b0d2be50edd6
  SHA512: 2373c081efcd96e4c44f06cd585a95d5fb0a3fa1d2eb172af68f5d78e4ecda95ef724b49538054fc96b33e1e0c88a09020b16319cfc73029f8225e0c05f83f6a
- Filesize: 22KB
  MD5: b1886c18cc17a6ab658ca66767a00d42
  SHA1: 16827b8301cd784eec1cd681a560817c6e4d7407
  SHA256: d33eb1a053aefb0d237fb1e61ac768d26d7f91df030881d19cab4f0474bb1359
  SHA512: 4660d0adaadf35cc9b13dd872bdd31dad0f24c06644f60f49b53c840731314e3d254157eb255bcfa22f43483ad1546afbe5da38f7c69f7e8591b1fbcd269d5c0
- Filesize: 28KB
  MD5: f2cea947974c615270c11390733cad28
  SHA1: c4d51df40f035b583e1c9959d684e2eb56ca66ef
  SHA256: 0db3fd1a1a59793c26d97ea989f7d347ca38a64370dcd09c893f45b7426e6e53
  SHA512: 0289148e3d6c8d8706fc4f04dc8bf8d60f951521cc8cde19f2e2f3117c1ed50936477504da775ed252dce8e794b9a4ef912acc2abd9ea76d63a6f8ede1824413
- Filesize: 285KB
  MD5: b77a2a2768b9cc78a71bbffb9812b978
  SHA1: b70e27eb446fe1c3bc8ea03dabbee2739a782e04
  SHA256: f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0
  SHA512: a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57
- Filesize: 5.4MB
  MD5: d495d8473e1083d4db7809c5fa692e57
  SHA1: 77490e8a6933b4f45cd697d918379f7c0461dcd0
  SHA256: f1686113be61c6e568deeb7f672333d9a4d397c353419bafff454cdba38a9c51
  SHA512: 482edfe2432ddfaa6be705cd405cb4ca7c5fad9ecdfd3fb538df235cd57ee80b871d73de0c2a4d844c7247c391d09744d4a96051a8bbac6296ab8c41c713f1e0
- Filesize: 26.0MB
  MD5: 60f53d07f9fa4a3c644f363501bd924f
  SHA1: 03ba8527a6ad23082f806eb4b2f70ec86cb6542b
  SHA256: 0a8c020c5f5cd11348f9c62dafb3cc8707b400715f664d9e3be9e4deee7e747e
  SHA512: 601b62bf94dd3fa218559d12c6f9c861b09a6141905f4f8980f924dee115a91afd65aa32f2e713fa8fc08712d7b8f37d2dc9a955e235f9a7cc9a8c6f0b8bf873
- \??\Volume{4f38e779-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5490d7cc-57ee-4bbb-bf45-291f04679b68}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: f27ea636bce20bc6a3c935ee26c917a6
  SHA1: 90641ce296bb4142178d998ca75d2e53f5570a02
  SHA256: 974508a498d777d3eb3f6ba28aff0cf2033939e4ddabd10392f10a1fbb2beb15
  SHA512: beae5895b8f8f2ba5e282b5f5169981e5e03f43fdb1f710535d1e223f741f1352d67fd41c8a61dd59e7be322b34b93035d929597a583f9d13529ab916fbb05d7