hxxps://www[.]7-zip[.]org/a/7z2401[.]msi

Analysis

max time kernel
60s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.7-zip.org/a/7z2401.msi

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7-Zip\Lang\gu.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tt.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ug.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\descript.ion	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hu.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sv.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tg.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\he.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\is.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\License.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\cy.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\da.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\el.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nb.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pa-in.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7zFM.exe	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bg.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\de.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\it.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7z.dll	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eo.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ja.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ga.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hi.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\pt-br.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sa.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\br.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kab.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ro.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ta.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\yo.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\va.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\gl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\hr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\io.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mng.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\uk.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\lv.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mr.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7-zip.chm	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ast.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\co.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\id.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ka.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\sw.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7z.sfx	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ne.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ba.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\nl.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\7zG.exe	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\et.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eu.txt	msiexec.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tk.txt	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2701-2401-000001000000}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27F5.tmp	msiexec.exe
File created	C:\Windows\Installer\e58271f.msi	msiexec.exe
File created	C:\Windows\Installer\e58271b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58271b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d6be30f9a4b6bc740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d6be30f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d6be30f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd6be30f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d6be30f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\LanguageFiles = "Complete"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000\96F071321C0410724210000010000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Program = "Complete"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\PackageCode = "96F071321C0410724210000020000000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Version = "402718720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\ProductName = "7-Zip 24.01"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\PackageName = "7z2401.msi"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 534239.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3880	msedge.exe
3880	msedge.exe
448	msedge.exe
448	msedge.exe
1908	identity_helper.exe
1908	identity_helper.exe
736	msedge.exe
736	msedge.exe
4208	msiexec.exe
4208	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4552	msiexec.exe
Token: SeSecurityPrivilege	4208	msiexec.exe
Token: SeCreateTokenPrivilege	4552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4552	msiexec.exe
Token: SeLockMemoryPrivilege	4552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4552	msiexec.exe
Token: SeMachineAccountPrivilege	4552	msiexec.exe
Token: SeTcbPrivilege	4552	msiexec.exe
Token: SeSecurityPrivilege	4552	msiexec.exe
Token: SeTakeOwnershipPrivilege	4552	msiexec.exe
Token: SeLoadDriverPrivilege	4552	msiexec.exe
Token: SeSystemProfilePrivilege	4552	msiexec.exe
Token: SeSystemtimePrivilege	4552	msiexec.exe
Token: SeProfSingleProcessPrivilege	4552	msiexec.exe
Token: SeIncBasePriorityPrivilege	4552	msiexec.exe
Token: SeCreatePagefilePrivilege	4552	msiexec.exe
Token: SeCreatePermanentPrivilege	4552	msiexec.exe
Token: SeBackupPrivilege	4552	msiexec.exe
Token: SeRestorePrivilege	4552	msiexec.exe
Token: SeShutdownPrivilege	4552	msiexec.exe
Token: SeDebugPrivilege	4552	msiexec.exe
Token: SeAuditPrivilege	4552	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4552	msiexec.exe
Token: SeChangeNotifyPrivilege	4552	msiexec.exe
Token: SeRemoteShutdownPrivilege	4552	msiexec.exe
Token: SeUndockPrivilege	4552	msiexec.exe
Token: SeSyncAgentPrivilege	4552	msiexec.exe
Token: SeEnableDelegationPrivilege	4552	msiexec.exe
Token: SeManageVolumePrivilege	4552	msiexec.exe
Token: SeImpersonatePrivilege	4552	msiexec.exe
Token: SeCreateGlobalPrivilege	4552	msiexec.exe
Token: SeBackupPrivilege	1944	vssvc.exe
Token: SeRestorePrivilege	1944	vssvc.exe
Token: SeAuditPrivilege	1944	vssvc.exe
Token: SeBackupPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeBackupPrivilege	5584	srtasks.exe
Token: SeRestorePrivilege	5584	srtasks.exe
Token: SeSecurityPrivilege	5584	srtasks.exe
Token: SeTakeOwnershipPrivilege	5584	srtasks.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe
Token: SeTakeOwnershipPrivilege	4208	msiexec.exe
Token: SeRestorePrivilege	4208	msiexec.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
4552	msiexec.exe
4552	msiexec.exe
4552	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe
448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1624	448	msedge.exe	83
PID 448 wrote to memory of 1624	448	msedge.exe	83
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 1968	448	msedge.exe	84
PID 448 wrote to memory of 3880	448	msedge.exe	85
PID 448 wrote to memory of 3880	448	msedge.exe	85
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86
PID 448 wrote to memory of 3152	448	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.7-zip.org/a/7z2401.msi
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeebe946f8,0x7ffeebe94708,0x7ffeebe94718
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,663917170620912922,12443686054034071511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:736
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2401.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58271c.rbs

Filesize
20KB

MD5
7af19b4dd9c0b115020bba03c3db92b1

SHA1
c5944e24f88c92096a457dd3597278f8ab0b2a53

SHA256
0c774addac60b82fb29b42a5d12e37de8fe3e044492ee954f5612dd942b2d59c

SHA512
0d93eb8f49d4c493a160d3a4532cffe502603485f4b855e8e1b9e2cf727c13032e3756bf707efdf3edad3c5f5752e14470b6cf78a2e5d1e96c96217ca94c09db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\00ee9c4e-8027-4fcb-8f57-8ed7d402cfe1.tmp

Filesize
5KB

MD5
b8dadcf090f10d350bf641bf7b82db87

SHA1
79ec8ab1c446803fb027f6c037177433d007e157

SHA256
e6d902cc84c215743315f634e3442642dd91d0e45c0d1dd8238ad26edd057867

SHA512
1dc65cf4b549d46a47afea6e61d766694d17d08f99c048bc622e380ae7b05bcbc968fef5ccd356ad26f51b140818c9ce730e60de2fc8a16d8f4b89aedc35280b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fd6fb0428211769d054ef7f75aed856

SHA1
e34245c2842fa449c4d2d09aab8cb8bf10d28bba

SHA256
decd79dfb8aac4a633f9acfbd20807eb54e114455fd250a85ec261bedd4ca132

SHA512
52d54fbd9361d63710fc4512358ab3e61b6db4ac3fff9766a9f8f003eb38796649d46d15382fd72dc53e97fae6659ed46ae4ae02f3e37c7d9f0c542ef81b85b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ede770ec01e2eda35d4dd10326fd0fc1

SHA1
586836c0c297306f8d7808b431faae389db4f43a

SHA256
c5de9c287eb802e3c0871aa92f940ec58993d5c0d2a9b56ab63b61e60ccacbdb

SHA512
11cc5e33d8f945ba344b2a99f9297b863e452d68d62ccf003c6533775154c47af9e454de480b92ed3ded2435ff2290265370fead1711cd3e2d5092ab9b4b4f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bd585d8b7aaffe25266d4752045ed405

SHA1
e7461f4fdaca522e8520538f9373def55145e9ea

SHA256
284c93d96641cb3e75de40eb7d49c5b2850bdf94a1f012dac6bdcf9b643b48d4

SHA512
2a8771fd3af3294f280fdc43a5dd81e9c79d89e7b9a34eb59864e33a94c6a984337202f1c68a0a6abeef15339ceb20bcfb133a2a48965d93a7d3265c2320e701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01f1845f783d3dfb66ae1b03cc2b3334

SHA1
cb3a9612a6273a2112c2e0c70165028a9dc65082

SHA256
7d3bef83e425c08d79e6685fb40b4a1ad6384363754fe35679eb761f4fb73040

SHA512
07db5b38d815dad67476ed91ec9513de42e844ea20f9466e4851cdfaeab9137791f71584f811d72bf5481c35f9189e6e18b4f1290e67c7cf773c4013a367a52f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d602254cd60f5a0081bf4d36bc4f639

SHA1
de28e992836acd17d4fa2f0d12cf7f828b3ededd

SHA256
93d65a948378c7c9cb7e13bfd3546aacc3ddc668ff22e902cb8fdbcdac81c1b5

SHA512
14318f233d4605e826b49539f954247d3c2e437b3d9c692e86e29119038a16e7de60765ec1c8aac8aa5634ceb2a8c95669187dc255fb7be849efeec8bc753df9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 534239.crdownload

Filesize
1.4MB

MD5
a141303fe3fd74208c1c8a1121a7f67d

SHA1
b55c286e80a9e128fbf615da63169162c08aef94

SHA256
1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99

SHA512
2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
441bce4214a379bb32559cbf24b86351

SHA1
e08c8eeb75ba61dabb9a6eff5c25dfab81eea605

SHA256
d354c859bbbd89f31f1cc6c17c07f7d874cb98299b18b6fd31ee12e1bd42db11

SHA512
2bf1e85dc30cec4c879617fffe97414c4c29c5fecff72476b2883c60287b1819b739ba7857644dd2d04c30cdaa943631e43e2a2ef48fdff6fe76f96c18ae033e

Download Submit
\??\Volume{f930bed6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9c41439a-c656-46e7-8979-dabadfd92716}_OnDiskSnapshotProp

Filesize
6KB

MD5
286e6be299c87a7739eec185e62f30dd

SHA1
92de9fb2f914a7dcc37c8cdec8497a0ccf669fe9

SHA256
f9e1bae82035fd262e171d58d427c0e3774142938ef7d452274fafb6fb2d2a02

SHA512
f6426b27a0dd2d08c29702399fdeced181c69022198e38d58f5fc35fefbb2a561731647178bbba27c7a6f16c2832b1a9e6ddccaf09268a83e7fd6594f7e37dac

Download Submit