hxxps://drive[.]google[.]com/file/d/1x5wEjoLpplSVkbeKzZxJwP94a7ACAG9C/view?pli=1

Analysis

max time kernel
71s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 05:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1x5wEjoLpplSVkbeKzZxJwP94a7ACAG9C/view?pli=1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5296	ROMViewer.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
103	5220	msiexec.exe
105	5220	msiexec.exe
107	5220	msiexec.exe
109	5220	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
5	drive.google.com

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\Italian.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Home.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Scanner.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Terminal.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\LMNoIpServer.map	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\Taiwan.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\Greek.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\rom3.chm	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Russian.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Internet.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ROMViewer.map	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Server\ROMServer.exe	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Server\English.lg	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Computer.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Server\ROMFUSClient.exe	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Phone.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\Spanish.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\Polish.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ROMViewer.exe	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\English.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Firewall.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Hub.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\Turkish.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Help\rom3_tr.chm	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\Ukrainian.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\rom3_ru.chm	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Camera.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Printer_2.png	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\LMNoIpServer.exe	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\French.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Lang\German.lng	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\Server\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Printer_1.png	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut2_3E8C8228BDAA49F09CEDF0D9E384E2FE.exe	msiexec.exe
File created	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut4_091CC2A3CD4F401D84D7DD1277026C3E.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\UNINST_Uninstall_L_0CC25913205648D8812BEBFC4BCD4007.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut1_6AB92848793642629CC7DA100B1ED13A.exe	msiexec.exe
File created	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut11_F03B5AE20F664337BCBB912BCEBD64FA.exe	msiexec.exe
File created	C:\Windows\Installer\e585fc1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\UNINST_Uninstall_L_0CC25913205648D8812BEBFC4BCD4007.exe	msiexec.exe
File created	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut1_6AB92848793642629CC7DA100B1ED13A.exe	msiexec.exe
File created	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut2_3E8C8228BDAA49F09CEDF0D9E384E2FE.exe	msiexec.exe
File created	C:\Windows\Installer\e585fbf.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut4_091CC2A3CD4F401D84D7DD1277026C3E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{5686E484-7136-4674-A4B2-508C7B26DCA4}\NewShortcut11_F03B5AE20F664337BCBB912BCEBD64FA.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e585fbf.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5686E484-7136-4674-A4B2-508C7B26DCA4}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROMViewer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\ProductName = "LiteManager Pro - Viewer"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\Whiz Fayisal\\Whiz Fayisal\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\Version = "83886080"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\Whiz Fayisal\\Whiz Fayisal\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\PackageCode = "972353933F2CBB342BAAA8D79708B13C"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\AuthorizedLUAApp = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\61347085647F4714FA28194D4926A1BD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\61347085647F4714FA28194D4926A1BD\484E6865631747644A2B05C8B762CD4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\484E6865631747644A2B05C8B762CD4A\LiteManager__	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList\PackageName = "LiteManager Pro - Viewer.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\484E6865631747644A2B05C8B762CD4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A\ProductIcon = "C:\\Windows\\Installer\\{5686E484-7136-4674-A4B2-508C7B26DCA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\484E6865631747644A2B05C8B762CD4A	msiexec.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5076	msedge.exe
5076	msedge.exe
468	msedge.exe
468	msedge.exe
2608	identity_helper.exe
2608	identity_helper.exe
5432	msedge.exe
5432	msedge.exe
4316	msiexec.exe
4316	msiexec.exe
5296	ROMViewer.exe
5296	ROMViewer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5220	msiexec.exe
Token: SeSecurityPrivilege	4316	msiexec.exe
Token: SeCreateTokenPrivilege	5220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5220	msiexec.exe
Token: SeLockMemoryPrivilege	5220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5220	msiexec.exe
Token: SeMachineAccountPrivilege	5220	msiexec.exe
Token: SeTcbPrivilege	5220	msiexec.exe
Token: SeSecurityPrivilege	5220	msiexec.exe
Token: SeTakeOwnershipPrivilege	5220	msiexec.exe
Token: SeLoadDriverPrivilege	5220	msiexec.exe
Token: SeSystemProfilePrivilege	5220	msiexec.exe
Token: SeSystemtimePrivilege	5220	msiexec.exe
Token: SeProfSingleProcessPrivilege	5220	msiexec.exe
Token: SeIncBasePriorityPrivilege	5220	msiexec.exe
Token: SeCreatePagefilePrivilege	5220	msiexec.exe
Token: SeCreatePermanentPrivilege	5220	msiexec.exe
Token: SeBackupPrivilege	5220	msiexec.exe
Token: SeRestorePrivilege	5220	msiexec.exe
Token: SeShutdownPrivilege	5220	msiexec.exe
Token: SeDebugPrivilege	5220	msiexec.exe
Token: SeAuditPrivilege	5220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5220	msiexec.exe
Token: SeChangeNotifyPrivilege	5220	msiexec.exe
Token: SeRemoteShutdownPrivilege	5220	msiexec.exe
Token: SeUndockPrivilege	5220	msiexec.exe
Token: SeSyncAgentPrivilege	5220	msiexec.exe
Token: SeEnableDelegationPrivilege	5220	msiexec.exe
Token: SeManageVolumePrivilege	5220	msiexec.exe
Token: SeImpersonatePrivilege	5220	msiexec.exe
Token: SeCreateGlobalPrivilege	5220	msiexec.exe
Token: SeBackupPrivilege	228	vssvc.exe
Token: SeRestorePrivilege	228	vssvc.exe
Token: SeAuditPrivilege	228	vssvc.exe
Token: SeBackupPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeBackupPrivilege	4404	srtasks.exe
Token: SeRestorePrivilege	4404	srtasks.exe
Token: SeSecurityPrivilege	4404	srtasks.exe
Token: SeTakeOwnershipPrivilege	4404	srtasks.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeBackupPrivilege	4404	srtasks.exe
Token: SeRestorePrivilege	4404	srtasks.exe
Token: SeSecurityPrivilege	4404	srtasks.exe
Token: SeTakeOwnershipPrivilege	4404	srtasks.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe
Token: SeTakeOwnershipPrivilege	4316	msiexec.exe
Token: SeRestorePrivilege	4316	msiexec.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
5220	msiexec.exe
5220	msiexec.exe
5296	ROMViewer.exe
5296	ROMViewer.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
5296	ROMViewer.exe
5296	ROMViewer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5296	ROMViewer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 4112	468	msedge.exe	86
PID 468 wrote to memory of 4112	468	msedge.exe	86
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 3032	468	msedge.exe	87
PID 468 wrote to memory of 5076	468	msedge.exe	88
PID 468 wrote to memory of 5076	468	msedge.exe	88
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89
PID 468 wrote to memory of 556	468	msedge.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1x5wEjoLpplSVkbeKzZxJwP94a7ACAG9C/view?pli=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3dd746f8,0x7fff3dd74708,0x7fff3dd74718
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,14678268886503328869,16884315050608130026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5608

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Whiz Fayisal\Whiz Fayisal\LiteManager Pro - Viewer.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5220
- C:\Program Files (x86)\LiteManager Pro - Viewer\ROMViewer.exe
  "C:\Program Files (x86)\LiteManager Pro - Viewer\ROMViewer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Whiz Fayisal\Whiz Fayisal\code for rdp.txt
1⤵
PID:5720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585fc0.rbs

Filesize
16KB

MD5
c998bff37a5236f4d8d039fc763c7d74

SHA1
a1490deaf66083b2bfbe3a5fbd9d8b3877d0e00f

SHA256
3006e7ca1100893b532d73d14ea97839acbc23b9cb75326f8d3576ac7f7b5266

SHA512
594db2237149604d5f024ac3ab33b0b88392dda312e5bd315ea3e03c06353ddc32ab07bc7cc4d8d51cd6a21ddb2867629337d3ccc531b4cbde8e128d08b750c5

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\English.lng

Filesize
275KB

MD5
03b18affcb07918a600f341ac3076a7c

SHA1
d9e479966d04b92a4019467fb15d33d913c77cb5

SHA256
0dfeb3f7b1cef98840277dae66c07b7f4c0ecc53993e9b9a0ff07cbab26f65b2

SHA512
d13c2766e3ece0957d7ef7719c0b338b723abb88af0e0243e3af3b7175c814405d51e6da4bff8c1f44e0c8f0a4fe45ce346e1718693e95f5ea29637325889d23

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Camera.png

Filesize
4KB

MD5
82780a772279e1f75ce793b7982c1d2a

SHA1
55147f5df09f5e8fd99bb3930ef7112429bf463c

SHA256
3e7bff4b4ad55dbe5bd2d23d686d603ae58b1eb184977753d4694c41868554e6

SHA512
f87a1f556e2fda29e0519123ecd038d7b39c683e17356a83abcc070aaa455e7c189f256f6176999759a6645d6d4b7aa2b235528ae1e8bae2c465b46d211d132d

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Computer.png

Filesize
3KB

MD5
86ac68c44847590f2cd5e93e5c5d14a0

SHA1
86832d6db9b5255c30735aeabb6826da2fd43b7d

SHA256
b09adfc8db26485923e13b85d81840805628f6c24c262c65a6e04dd320094642

SHA512
302dd6b9a498808481e7ea20de495ce2ddf788c154a8ebfa990386f897172d7b92e5128f1d6e3300c7d19f9a79852549fcd4f41f502c8455e1575038a2d4a8cd

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Firewall.png

Filesize
4KB

MD5
94e762ccbe60ea056e93062aea15dc84

SHA1
6bb0cee15af701d588714620f2d5f8fa0e76d69c

SHA256
d04dbdc09a090a487a4140046587899029c5dbc424c381bcb65e2a186f01091f

SHA512
210ec618bc8e3d24fc7321072ebcd71652cda4ccdbcfc573eff324483fe564e4c3cb2cf94f6b92130f9095acdfac618d53f19a27ca7c9a2f1fcf5a46124ff1ef

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Home.png

Filesize
4KB

MD5
90748ab4974c9cbc20f5f3b5fc550872

SHA1
1c3970090256eaf2706f96acd41af93a0f25fbc1

SHA256
0b263a9b2e671ca2f22bd7dfeadea5486e6735bfe5c89825a2fd55f3cd7dbcee

SHA512
2c0bac85388617165de2033e937121eed1209c0e8d30f3857cb87a735dd49a5bfdeaf4ca4efb74f484ed158ddc2fd15189b87247de6474ada1a5a79c9e33a082

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Hub.png

Filesize
2KB

MD5
21d7b3c4f5adaee6ba8126c7e974965b

SHA1
03c923f11ce4920aac6f1cdca84cbde2cdcbf53a

SHA256
8b4016c877a616269f2e69f4ac3556db86096b6eb31bb6a45da86fece5ab74aa

SHA512
c3e69c5fab3c7d678ef97eaa301d3a2a9275f7f8a57955cc8037790eafdc9e83f4a2e81a9860f756a98db94e857c1d946a1f6bed4a6765ab42f273432dfc35e6

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Internet.png

Filesize
6KB

MD5
d9b9dfb8bfc0495b2d9f5a54e6a3ac4c

SHA1
0b3fc66952ef475addcaa4ba8474b4a8ea220f16

SHA256
512a5061b1400bb02a3c6850595811027e07567c1ed6760eb2f9744c4a72d1ba

SHA512
59c260b1220416db6fbe3b703f47d4e83be41d4a83a98811ee4e078d28ef1f62c3a7dff2a9ff54f2219d116e1b530d8aa6b4fc3a43b6ccdce53bfea1e5f99a7d

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Phone.png

Filesize
4KB

MD5
88b1363ffbaa0fc9ecb4d26fda339923

SHA1
b5956e59bdd868eb72555393a2e334615758548b

SHA256
9ed72f5e17fe71fe5e77ab5347521e829c8a5b1b776d586f7f4c311b6046fcae

SHA512
cc35a35635a224f12e121d295c5556b5179c321456e33087ab0ea9944675e58ca8898761b646efec1a755879b0375a2f3f5f0e3cb09a03f85c2a7806c54bce13

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Printer_1.png

Filesize
4KB

MD5
b87b2c92e8ec119f6dd9cea33e90781c

SHA1
f9782ed7741c7d3c838088d451198a1d8c2c116a

SHA256
ad26dbc65c60e637a1c5efa64b58588c2370aba4f73e5ac563c41266b498bca9

SHA512
cd35d8f48efe996b2ebeba7c00476e628d4fac907d5d0f635af3c56fb4800b501476da031d7a6e1fb439e6a15a66988df1cf916dbe929474f4628dff65859f14

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Printer_2.png

Filesize
3KB

MD5
8e83b6ccd80bec29a1f437fb9e025f77

SHA1
8ce10bcad4fc573e9720525259ba33bf0b789f8a

SHA256
d32c67911e1d5da6f4d193e9a428dbcb690fc89630842d2580e415db74009bb9

SHA512
d121de2f5a9625691b3db7db44dc2a79cf9ced8da534ebba4147ac93fc7bbde07cc322eeda8423ebb86bbd83ac9473ebfd70ebf3637856d45aebf7ae7dcd7a3c

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Scanner.png

Filesize
2KB

MD5
5f41a2f0181b9f09d11d360181cb97a7

SHA1
64c19c4b4ab84027ffa790db55607b70ae6abcb0

SHA256
511d73e1bc2d17d593247aaefed7c90f49ae4f053b89c7811c349c39478a9086

SHA512
644b3135272796137f7691a773ae6203bf1d47cf1b693cd6c92230ba225c389b261cfe24e033e5b3a9df8e612a0fab7860ac4e0feabb5fc7922c9b73ce5d38bc

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ImageLib\Terminal.png

Filesize
736B

MD5
e821322cf7f5a23b40b0a4e8f748394f

SHA1
39dd67774155fe55f3c313bb4f6f99c9cc573e5c

SHA256
73b32cfadd3ed8657e318156420f78f97ac6a5a504bbd212a026e6e90c192415

SHA512
b7e97a552db3afcd4ab06fc798076ae762d9b400d06a08e84c1142e4499b5015a21296b258cc88eab4ec99f92c39ba1676aa54e9f4ee71061a3319ebad866618

Download Submit
C:\Program Files (x86)\LiteManager Pro - Viewer\ROMViewer.exe

Filesize
10.7MB

MD5
3534069b4c6ebc5126a9ceaffd6d349b

SHA1
28cff2cba4fbb324d495aea7d79d92aa6ec57c68

SHA256
ad9ce7f36d190cec129435c4f40bd552fa161f628c443578273f718957a0a1aa

SHA512
a3287e09869ef3a38cd2d998ac5aa22b8cb6da7e434b161a0b67e624829747c7da3be3f42fcd7d59e1c603c49affa0768f8b99c956e2011aa5ddedc02421e99c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
1af8767565562bbb14b12f3944dfe03e

SHA1
8530c350a00aedc8e7f86eb198af012326582ba3

SHA256
d339abc8f9847d42c79d680a713448b330843ccf654e4946a5914c01744ccfa9

SHA512
b313ee80acf3246774549bf64f971f89dc04d7af49e64f78c01fa8ed79fae6dd68de4f064f96112bb79d32b1a2b49915f1d91edb14ef08cb18e45259887bc98e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d9b552becd265f680e226411884f5a91

SHA1
b0751eb26df82809f5f1ff3fbe2d091df39ac910

SHA256
60a5a8b1aad109f01db7b21f3347aeebc69cc65140d0b5be53378f7eb556e01d

SHA512
19352cf5e213ead10a0b69ffb780e190c7525c82dbcff25258a0e5172212afb22cf17148dff864866a3a2e5413c1e479bc1a3fb8ee6fffdf9513130c1f15abd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_830C75F1D020A0754908E5BA589AACE7

Filesize
510B

MD5
7145b028e84992ad3cd5114e4d0d9702

SHA1
07325d6049c32111635181e109cf9641326d85ef

SHA256
829c8d1e788e157f2b5a0877fbb1e6c5d52aeea99c5976707666cd19089bf378

SHA512
cb65e85f18d5ec9e4030514d91d8d4c02cb99b31d9f345435969e800682185de9218f427836d45fca40a1f2906caf6a52f85e9f52c34a06a7d05fa330eee048e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
25a31cfb5aa973542526c672d28ed19b

SHA1
0bdb0c0f40f3552ca149cd3f8f70ccd5f27436a8

SHA256
d87a8bbdf9adf4473a3b88105415e75690aa73b58d1a46856e1b67c3e2401328

SHA512
05a7427e54ac95b351a1e8fafda1da549008fd360c97e4df9703375efeaff6137b3316f448da6aa2b493f26633d3c12a7487492343cf7730e3aeec03f04f3df8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
78fb5067fd41831594216789e2efd449

SHA1
cb5877bf3f354bfa445fe72ef93e5352076f07a5

SHA256
c22646f0106f1113b432e12beff330041ff0a57cc2e4b6b8cff60f8eca7c0623

SHA512
ffba6d4090fcfd810c0a667d83707a54d90710983b3714dc6f1cbc52c17acb579b5c414b7b22af3e1bdd015b9ba0e08a452ab59439b9dfd603eaae4c28008040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_830C75F1D020A0754908E5BA589AACE7

Filesize
484B

MD5
99b3c85f2ac82b551e28aa7905ac3cbf

SHA1
ac44de3dc077eb5fa128e0b7df38cb95e6e95f2e

SHA256
62eb1c89fe23e11dff83d798b0a05820146692e2f1ac14c90d795dafa5afeac6

SHA512
94c84aba575e5a23c7ef14c8f12c0a96eced86f560493989461b7ff02cb523b351e4a2dbbd2ded22314adb68b5ccceadc6bc9236c012ca6181fb8b6d37619823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
c3bfa2359a7930e2f99de0f941d55f90

SHA1
554d650db32c7dd2f869814e7f644ce48393ddea

SHA256
3eede584ee9559906e4a7cc8b4af6de549238feb9e84a6aedbf870cf01a2466c

SHA512
43374af4bf3bec5b7e35dde2096d7c01ea8b3de14d3624bcc57b337f5eb6e49d6b61466f2e7767ede92cbf446a1b8c2a6ba264755621e2a240ef3bf9f8b8656e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8745dc4c8b684aae18cd7b08a5ef3f08

SHA1
20adc62b714fc20f90474b8f5f8e6928688f2703

SHA256
12a78643f8905131bca80a053c27d5b371a64072b32ea3c2bcaff89112acfe82

SHA512
cf7a2fbfd459583025ee00527480c20f13a90ae136a181ea21580a0845e636a2477191070972ca380fecb0f66e9fbca9caa09dafb249ac067770546d8899ae49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca267b28122fd5c3f07ade50f0204c22

SHA1
31981331b8b95f97a7c3be1bf9e62153cb41b77c

SHA256
47f2bbe5545699821c749ee450b427af27f2281454c4f10657eeff4f9b3b2a58

SHA512
8d418bb1cfe3e7ae16a87b6c2676b2549727c5b20500f60fe788c243c6b8a30664c02c9fb596cfdbcb9ebbe25273a182d827f328b091ed175a77db1906eee4b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8ad7251b220aca910248f3c37ca82b6

SHA1
9765c6f63fc39959bb8922373738cfbdec0fb7de

SHA256
9a3e8a208e17c4e8ac19796ff3ad8b4b30723dbf743d461482cfeb44658f8855

SHA512
6ec6019e7064004a282cb78a3d0295758028d9c8cd8f5bb2d326da37bf8c96edd8ead84feaeb055eb96f81427bd9e42908fb28784f7638826344ceed9fe40d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
32c2c4b9139966417e43092e643473eb

SHA1
1ef328eaae9c2707ce5bda0474c2d049a1decd71

SHA256
d020ea9010e2dbc1a6b81a44faf13bfa3c30489f5bb8342fb4660b13e0c54a4c

SHA512
bb59e24b0415019d2c6517209b2bb94aff5996b4a600561f91d7568c9988b151444487462d98aa95f39f4627b9eb4f7ae3216045d64727ceb08b7dcaed417074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a5b6343806ed2ba2bd8dd9ab30a37e0

SHA1
55f1833067d9a09890e98e3df153ea66f319f56d

SHA256
19bff5fa0305ac238cd903f3a8508a37de9bcec90d62f4edb19ce67a51cbae2d

SHA512
4511827b7a9cb32e058da9e40e8451e4c1e3fdbe76133b863d3aa64f936964cebfc48f2871f0c640b4d5d9d5bb45e80dde9602ddadb395d9b45ac2ab4d954c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d34ffd70733225681b609b915107e69

SHA1
b01012c6ea631ba13513369edefce3dfd2cda51b

SHA256
b45c5b742a5cdfb81c60ca2c5c8dd7871c08b1fc046537c50a8f30c9cca7ef9a

SHA512
c6c6424d9a93268bd039ef3d9bd505c33b3fdf533013450ce1b28987a20cdba99c79b00eac92ae5a79e55ca1faade846180b25c97965f7703eb9e561e8b2cb4d

Download Submit
C:\Users\Admin\Downloads\Whiz Fayisal.zip

Filesize
26.2MB

MD5
189e29351828574efebda584bd836193

SHA1
f9c5ad0ec8e7832c455edb4b39dc2c35caf44479

SHA256
92132bc2fe38e0f2b30ecfa772198dd52b295861fffe2db70387b8d8f1c5e807

SHA512
7ce36d70a7c8161527b5a51c0fbc0fbcb3934443e17f446cca63599c8b419c8d5986d7f47fd003078daeddce1e3a9b489fcfd4ea000f067e4d9384613fbe5074

Download Submit
C:\Windows\Installer\e585fbf.msi

Filesize
26.9MB

MD5
55063112f1a8d310e5a8c7e24dcedd95

SHA1
4b08a61d2d4fc41da9befd1837435d6336f625e1

SHA256
6a10d957c8f693dbc3ad90ad990c9c1712207448550e00af55476aea36cf9e55

SHA512
2dd878227a624654a53e1bd308bd7e6eb1b7e0ad0d3d7268923533adf1e5b0df57babe3824ee5bd3de4435f0f2aaf4e932ee2472596585eef3c540106cacab02

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
ac6610649d8ffb638d0191fe5bf2babb

SHA1
3950b1e5dbacfc50550928696338da692c6fb42a

SHA256
a97706965416db86df368d5fe944e57d0eefb7d86da36141b35fef49951621c7

SHA512
fc56906c1df0b1f181f7213af4fb12739862f47d57409a7fbfe2c57b38d1c6c2c7f1f656af79278755620cc03028073830355e474b651849fec6170acbc6b331

Download Submit
\??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b5cf6975-ed39-45d7-ae38-6b445fe92bf0}_OnDiskSnapshotProp

Filesize
6KB

MD5
46c84bfadb21dbd48d7530b30f9f1422

SHA1
5c2e3d06c9d99d534d8d04e46b17389dd0fb63e3

SHA256
995a238d533e0f866faafe938a069dda4266bbc90202e1e3e3adb91a42e72240

SHA512
ba0617956a0303fef2b86b0a826eb0aa65929234795861bb3f549edf29a3cd276804e5070d0568646c46c02c7aff2bae75b7bf66096c929790d12b848b1bea8d

Download Submit
memory/5296-355-0x0000000000400000-0x0000000000F47000-memory.dmp

Filesize
11.3MB

Download