Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: ToDesk (2)_2.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ToDesk (2)_2.exe
  Resource: win10v2004-20240802-en
General
Target: ToDesk (2)_2.exe
Size: 109.3MB
MD5: 496bcf85e4f82955c986a9969de65425
SHA1: a1d8c23621fdd405563d8cea6444c42da0315d38
SHA256: ba850dc72644dbd24c699b4f8f3c4856801af23c36e14d724e061b814cd0832a
SHA512: 3f599613b950dfc3396891e9320dc09b476d80bae065a84f88acb65b7cf702da96057e740c34afc6f91af3436ef80400501f0aab2d422cab90484a90d9cda915
SSDEEP: 3145728:rcGbmu6HFehEsw0Zfma2r9N8Qf0L8Brwm:Ilehdw0Zea2rThf1t
Malware Config
Signatures
UAC bypass 3 IoCs
Sets the three UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0 from the batch file Mt9DJ.bat (reg.exe PIDs 2472, 924 and 1352 in the process tree). ConsentPromptBehaviorAdmin = 0 lets members of Administrators elevate without a consent prompt, PromptOnSecureDesktop = 0 takes any remaining prompt off the secure desktop, and EnableLUA = 0 switches UAC off entirely once the machine is rebooted.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
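The three registry writes in this signature are the entire UAC bypass, so a detection only has to recognise a `reg add` against this key that zeroes one of these values. The Python below is an added detection example written for this report; it is not sandbox output and not code from the sample. It tokenises `reg add` command lines of the kind shown in the process tree, expands short hive names (HKLM) so that spelling variants match, and reports each write that sets EnableLUA, ConsentPromptBehaviorAdmin or PromptOnSecureDesktop to 0. The command lines it runs on are a constructed sample: the three lines from the process tree plus one benign write that must not be flagged.

```python
"""UAC-policy tampering detector (added example for this report, not sandbox output).

Parses `reg add` command lines such as the three spawned from Mt9DJ.bat and flags
writes that set EnableLUA, ConsentPromptBehaviorAdmin or PromptOnSecureDesktop to 0.
"""
import shlex

# Lower-cased, expanded form of the key the sample writes to.
UAC_POLICY_KEY = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
)

# Documented effect of each value once it is 0.
UAC_VALUES = {
    "enablelua": "UAC switched off entirely (takes effect after a reboot)",
    "consentpromptbehavioradmin": "administrators elevate silently, no consent prompt",
    "promptonsecuredesktop": "elevation prompts no longer shown on the secure desktop",
}

HIVE_ALIASES = {
    "hklm": "hkey_local_machine",
    "hkcu": "hkey_current_user",
    "hku": "hkey_users",
    "hkcr": "hkey_classes_root",
    "hkcc": "hkey_current_config",
}


def normalize_key(key: str) -> str:
    """Lower-case a registry path and expand short hive names (HKLM -> HKEY_LOCAL_MACHINE)."""
    key = key.strip('"').strip("\\").lower()
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def parse_reg_add(cmdline: str):
    """Return (key, value_name, data) for a `reg add` command line, else None.

    posix=False keeps backslashes literal and quotes attached, which is what
    Windows registry paths need; the quotes are stripped afterwards.
    """
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes
        return None
    if len(toks) < 3:
        return None
    exe = toks[0].strip('"').lower()
    if not (exe == "reg" or exe.endswith("reg.exe")) or toks[1].lower() != "add":
        return None
    opts = {}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return toks[2].strip('"'), opts.get("/v"), opts.get("/d")


def uac_tampering(cmdlines):
    """Return [(value_name, effect)] for each command line that zeroes a UAC policy value."""
    findings = []
    for line in cmdlines:
        parsed = parse_reg_add(line)
        if parsed is None:
            continue
        key, name, data = parsed
        if normalize_key(key) != UAC_POLICY_KEY or not name or data is None:
            continue
        try:
            written = int(data, 0)   # reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD
        except ValueError:
            continue
        effect = UAC_VALUES.get(name.lower())
        if effect is not None and written == 0:
            findings.append((name, effect))
    return findings


# Constructed sample: the three reg.exe command lines from the process tree, plus a
# benign write (value 1, short hive name, quoted key) that must not be flagged.
SAMPLE_CMDLINES = [
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F",
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for name, effect in uac_tampering(SAMPLE_CMDLINES):
        print(f"{name} = 0 -> {effect}")
```

The same three values can be checked on a live host by reading them back from the key with the `reg query` counterpart; on a healthy default install ConsentPromptBehaviorAdmin is 5, PromptOnSecureDesktop is 1 and EnableLUA is 1, so any 0 returned by a query is worth the same follow-up as the writes above.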
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0008000000023498-50.dat | acprotect
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, most likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | ToDesk (2)_2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | irsetup.exe
Executes dropped EXE 4 IoCs
pid | Process
1252 | irsetup.exe
2560 | ToDesk (2).exe
2812 | MSIE1CA.tmp
208 | MFTVMornitor.exe
Loads dropped DLL 10 IoCs
pid | Process
1252 | irsetup.exe
2560 | ToDesk (2).exe (3 loads)
4008 | MsiExec.exe (4 loads)
208 | MFTVMornitor.exe (2 loads)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process (all 64 events are "File opened (read-only)"; grouped by process and drive letter)
File opened (read-only) | \??\A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: | msiexec.exe (44 opens: every listed letter twice except K: and M:, which appear once)
File opened (read-only) | \??\B: E: G: H: I: J: K: L: M: N: O: P: R: S: T: U: V: W: X: Z: | MFTVMornitor.exe (20 opens, one per letter)
UPX packed file 6 IoCs
Detects a UPX-packed file.
resource | yara_rule
behavioral2/files/0x0007000000023497-5.dat | upx
behavioral2/memory/1252-12-0x0000000000400000-0x00000000007CB000-memory.dmp | upx
behavioral2/memory/1252-45-0x0000000000400000-0x00000000007CB000-memory.dmp | upx
behavioral2/files/0x0008000000023498-50.dat | upx
behavioral2/memory/2560-53-0x00000000744C0000-0x000000007457A000-memory.dmp | upx
behavioral2/memory/2560-80-0x00000000744C0000-0x000000007457A000-memory.dmp | upx
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\SSD\SSD\cache_18_1 | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_2 | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_3 | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_4 | msiexec.exe
File created | C:\Program Files\SSD\SSD\ddd.exe | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_0 | msiexec.exe
Drops file in Windows directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIE1CA.tmp | msiexec.exe
File created | C:\Windows\Installer\e57ddfc.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57ddfc.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDF16.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDF76.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDE69.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDF46.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{DE184F30-49FA-4B06-B385-B5885945A7D4} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE004.tmp | msiexec.exe
File created | C:\Windows\Installer\e57de00.msi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The three IoCs are netsh.exe enumerating HKLM\SOFTWARE\Microsoft\NetSh, the key that lists the helper DLLs netsh loads at start-up; netsh reads this key on every launch, and no write to it is recorded here, so the registry activity alone does not show that a helper DLL was planted. What merits follow-up is the invocation itself in the process tree: "netsh.exe -f C:\Users\Public\Pictures\4cMc8.xml" runs netsh commands from a script file dropped in the shared Public profile.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Reading this NLS key is routine for almost any Windows process (cmd.exe, ipconfig.exe and msiexec.exe are in the list below), so on its own it is weak evidence; the hits on the dropped binaries are the ones worth noting.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ToDesk (2)_2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irsetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ToDesk (2).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MFTVMornitor.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. Here, however, all five IoCs belong to vssvc.exe, the Windows Volume Shadow Copy service, writing its partition-table and snapshot caches while the restore point requested during the MSI install (srtasks.exe ExecuteScopeRestorePoint in the process tree) is created. Treat this as a side effect of the installer rather than as sandbox detection by the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (begins with the ASCII tag "SNAPPART") | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MFTVMornitor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MFTVMornitor.exe
Gathers network information 2 TTPs 2 IoCs
Uses a command-line utility to view the network configuration.
pid | Process
4936 | ipconfig.exe
2228 | ipconfig.exe
Modifies data under HKEY_USERS 24 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | MFTVMornitor.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MSIE1CA.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | mmc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console | mmc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@mmcbase.dll,-14008 = "Folder" | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | MFTVMornitor.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MSIE1CA.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MSIE1CA.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MSIE1CA.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mmc.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | MFTVMornitor.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MSIE1CA.tmp
Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | MSIE1CA.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mmc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | MFTVMornitor.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | MFTVMornitor.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Settings | mmc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mmc.exe
Modifies registry class 24 IoCs
Windows Installer product registration for the package SSD-w.msi (ProductName "SSD"). Language = "2052" is LCID 0x0804, Chinese (Simplified, PRC); Version = "16777216" is 0x01000000, i.e. ProductVersion 1.0.0 in the Installer's major.minor.build encoding.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Net\1 = "C:\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\PackageName = "SSD-w.msi" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6436633746B9E645B5569C70BF5CEB5\03F481EDAF9460B43B585B8895547A4D | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Language = "2052" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Version = "16777216" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\LastUsedSource = "n;1;C:\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\PackageCode = "2D504149530C5BE43B5E7C8D465DD45A" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03F481EDAF9460B43B585B8895547A4D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03F481EDAF9460B43B585B8895547A4D\MainFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6436633746B9E645B5569C70BF5CEB5 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | irsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\ProductName = "SSD" | msiexec.exe
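The 32-digit names under Installer\Products, Installer\Features and Installer\UpgradeCodes are Windows Installer "packed" GUIDs: the product code with each of its first three groups reversed and the digits of the last two groups swapped pairwise. Unpacking 03F481EDAF9460B43B585B8895547A4D gives {DE184F30-49FA-4B06-B385-B5885945A7D4}, which is exactly the SourceHash{...} file the same msiexec.exe instance created under C:\Windows\Installer (see "Drops file in Windows directory"), so the registry entries and the dropped file describe one product. The Python below is an added example for this report, not part of the sandbox output: it converts in both directions, pulls the packed codes out of registry paths, and reads the GUID back out of the SourceHash file name. The registry paths and file name it runs on are a constructed sample copied from the IoCs in this report.

```python
"""Windows Installer packed-GUID helper (added example for this report, not sandbox output).

The Installer\\Products, Installer\\Features and Installer\\UpgradeCodes keys name a
product by its "packed" GUID; SourceHash{...} files and the MSI ProductCode use the
ordinary braced form. Both directions are implemented here.
"""
import re

_PACKED_RE = re.compile(r"^[0-9A-F]{32}$")
_GUID_RE = re.compile(
    r"^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$"
)
_KEY_RE = re.compile(r"\\Installer\\(Products|Features|UpgradeCodes)\\([0-9A-F]{32})", re.I)
_SOURCEHASH_RE = re.compile(r"SourceHash(\{[0-9A-F-]{36}\})", re.I)


def _swap_pairs(hexstr: str) -> str:
    """Swap each adjacent pair of hex digits: 'B385' -> '3B58'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def pack_guid(guid: str) -> str:
    """{DE184F30-49FA-4B06-B385-B5885945A7D4} -> 03F481EDAF9460B43B585B8895547A4D.

    Installer's rule: reverse each of the first three groups, then swap adjacent
    digits throughout the last two groups. Both steps are involutions, so
    unpack_guid is the same transformation applied to the other layout.
    """
    m = _GUID_RE.match(guid.strip().upper())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = m.groups()
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid; returns the braced, hyphenated form."""
    p = packed.strip().upper()
    if not _PACKED_RE.match(p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    tail = _swap_pairs(p[16:])
    return "{%s-%s-%s-%s-%s}" % (p[:8][::-1], p[8:12][::-1], p[12:16][::-1], tail[:4], tail[4:])


def installer_codes(registry_paths):
    """Map each packed GUID under Installer\\Products|Features|UpgradeCodes to (key kind, GUID)."""
    found = {}
    for path in registry_paths:
        for kind, packed in _KEY_RE.findall(path):
            found.setdefault(packed.upper(), (kind, unpack_guid(packed)))
    return found


def sourcehash_guid(path: str):
    """GUID embedded in a C:\\Windows\\Installer\\SourceHash{...} file name, or None."""
    m = _SOURCEHASH_RE.search(path)
    return m.group(1).upper() if m else None


# Constructed sample: paths copied from the registry and file IoCs in this report.
SAMPLE_REGISTRY_PATHS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\ProductName",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6436633746B9E645B5569C70BF5CEB5\03F481EDAF9460B43B585B8895547A4D",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03F481EDAF9460B43B585B8895547A4D\MainFeature",
]
SAMPLE_SOURCEHASH = r"C:\Windows\Installer\SourceHash{DE184F30-49FA-4B06-B385-B5885945A7D4}"

if __name__ == "__main__":
    codes = installer_codes(SAMPLE_REGISTRY_PATHS)
    for packed, (kind, guid) in codes.items():
        print(f"{kind:<12} {packed} -> {guid}")
    product = codes["03F481EDAF9460B43B585B8895547A4D"][1]
    print("SourceHash file names the same product:", sourcehash_guid(SAMPLE_SOURCEHASH) == product)
```

The unpacked product code is the value to search for in other artefacts of the same install: the ProductCode property inside SSD-w.msi, the Uninstall key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and MsiInstaller event-log entries, all of which record the braced form rather than the packed one.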
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3036 | msiexec.exe (2 events)
208 | MFTVMornitor.exe (2 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Privileges enabled, grouped by process (64 events in total):
PID 636 msiexec.exe (31 events), in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 1760 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 3036 msiexec.exe (30 events): SeSecurityPrivilege (logged between the first two PID 636 events), SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternately (13 pairs, ending on a final SeRestorePrivilege)
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
636 | msiexec.exe (2 events)
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1252 | irsetup.exe (2 events)
4308 | mmc.exe (2 events)
Suspicious use of WriteProcessMemory 41 IoCs
Parent wrote to the memory of child (procid_target is the report's index of the target process); repeated events are collapsed with a count:
PID 3660 ToDesk (2)_2.exe -> PID 1252 (target 82), x3
PID 1252 irsetup.exe -> PID 636 (target 84), x3
PID 1252 irsetup.exe -> PID 2560 (target 85), x3
PID 3036 msiexec.exe -> PID 4156 (target 98), x2
PID 3036 msiexec.exe -> PID 4008 (target 100), x3
PID 3036 msiexec.exe -> PID 2812 (target 101), x2
PID 2812 MSIE1CA.tmp -> PID 3988 (target 102), x2
PID 3988 cmd.exe -> PID 4936 (target 104), x2
PID 2812 MSIE1CA.tmp -> PID 1560 (target 105), x2
PID 2812 MSIE1CA.tmp -> PID 704 (target 107), x2
PID 704 cmd.exe -> PID 2472 (target 109), x2
PID 704 cmd.exe -> PID 924 (target 110), x2
PID 704 cmd.exe -> PID 1352 (target 111), x2
PID 2812 MSIE1CA.tmp -> PID 4488 (target 112), x2
PID 4308 mmc.exe -> PID 208 (target 116), x3
PID 208 MFTVMornitor.exe -> PID 4324 (target 117), x3
PID 4324 cmd.exe -> PID 2228 (target 119), x3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Depth markers [1]..[4] give the position in the process tree; each entry lists the image path, the recorded command line, the PID and the signatures that fired on it.

[1] C:\Users\Admin\AppData\Local\Temp\ToDesk (2)_2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ToDesk (2)_2.exe"
    PID: 3660
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\ToDesk (2)_2.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2392887640-1187051047-2909758433-1000"
        PID: 1252
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\msiexec.exe
            Command line: "C:\Windows\System32\msiexec.exe" /i "C:\SSD-w.msi"
            PID: 636
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow

        [3] C:\ToDesk (2).exe
            Command line: "C:\ToDesk (2).exe"
            PID: 2560
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 3036
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID: 4156

    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 42829177F4D89BA0C8DFF28A0CCAC99B
        PID: 4008
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\Installer\MSIE1CA.tmp
        Command line: "C:\Windows\Installer\MSIE1CA.tmp"
        PID: 2812
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
            PID: 3988
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\ipconfig.exe
                Command line: ipconfig /all
                PID: 4936
                - Gathers network information

        [3] C:\Windows\System32\netsh.exe
            Command line: "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\4cMc8.xml
            PID: 1560
            - Event Triggered Execution: Netsh Helper DLL

        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\Mt9DJ.bat"
            PID: 704
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\reg.exe
                Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
                PID: 2472
                - UAC bypass

            [4] C:\Windows\system32\reg.exe
                Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
                PID: 924
                - UAC bypass

            [4] C:\Windows\system32\reg.exe
                Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
                PID: 1352
                - UAC bypass

        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\K0Ryl\2B378~w\p+C:\Users\Public\Pictures\K0Ryl\2B378~w\w C:\Users\Public\Pictures\K0Ryl\2B378~w\libcurl.dll
            PID: 4488

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 1760
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\mmc.exe
    Command line: C:\Windows\system32\mmc.exe -Embedding
    PID: 4308
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Public\Pictures\K0Ryl\2B378~w\MFTVMornitor.exe
        Command line: "C:\Users\Public\Pictures\K0Ryl\2B378~w\MFTVMornitor.exe"
        PID: 208
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
            PID: 4324
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\ipconfig.exe
                Command line: ipconfig /all
                PID: 2228
                - System Location Discovery: System Language Discovery
                - Gathers network information
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (1)
Downloads
Dropped files with their hashes as recorded; a path is listed only for the last entry.

File 1
Filesize: 8KB
MD5: 78061b29bf3d8c9da34b982e0faf3d2a
SHA1: 281c057ef77636c5cccb660965f9b859b198c410
SHA256: a3330dc3352b8219779a90e1f15d6c73157926e8fe3f32b7bcf4513ecb0cfe59
SHA512: 597fe395c74efb56b67dd6fe8004f5745c5f10fdf0fcd991cb61f05d01d31474a5c4ba8c975c2df6383c01924de758736ab7a3422acb4e46aa75c0b59a700968

File 2
Filesize: 22.1MB
MD5: f5c4f7b018ee5a0f73619921fe4f45b0
SHA1: 6094f951df9bf2596a91b678607c9605d9120c52
SHA256: e5764ad444c562eb4e3273913e108fc2c0360dd9bd80d3f88cf80a25e39c514a
SHA512: dede38255a0f4a7b926f3d9e1185ff364ffe0ee500c89ce5be35366e106f5d0096a4d04662de4aa9aa9f92845d32cabe26b42c9f05e4b3f72726e8ee5e0005b0

File 3
Filesize: 1.3MB
MD5: 8588009f37c0775b2ca08c70da61a12b
SHA1: b46b012936c50e74c92cdef6a3f2818a76235a37
SHA256: 5ba9ee2908a357e83f6bb222928ad86ee6bd9f7ce233276935ff883aca6b9b38
SHA512: 95e107f16687ce0a905a34611286ad3eb9c30f188db34f49582f9bb468f7b99d96877ea98ffd356508ca48b29f91bf8a67b134ab2e74d146f6cda961a044f184

File 4
Filesize: 318KB
MD5: b5fc476c1bf08d5161346cc7dd4cb0ba
SHA1: 280fac9cf711d93c95f6b80ac97d89cf5853c096
SHA256: 12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650
SHA512: 17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

File 5
Filesize: 12KB
MD5: 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1: 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256: 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512: ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

File 6
Filesize: 287KB
MD5: bb0cdff5ac2d64723007a0b4f7962a02
SHA1: 410889522ee8ea7308b054f71bc4cab078295e06
SHA256: 33e460a080a621cda7896e96b6f1beee802b485cf99e18b27463cd362c484b08
SHA512: b4dc2614f01f5f01d5dec9e6a41e072d01e924d8a94ac0dc1050399fd1dc3cc8d53d7ccf162d750d166fca200771b0850191b30c7caada8edea9ba6d686e2402

File 7
Filesize: 733KB
MD5: 121c40b2f8f3407211a14efec60088d3
SHA1: 36bb7a0d4132f10cb165eb2b388489d7b9b3057c
SHA256: 6c979c5efd4bca0ea050f24c2a063ce88d3fc02dfa4bc11f3bdb169da6e0875b
SHA512: 23efc5b5c0ccc25ec568557f9e7a9a8237fbc86a9ccec7214b7e68482171c6a8077a8a1ffc123ce0078ec2771b00b0494a713289a2215919625e1911a5608266

File 8
Filesize: 392B
MD5: 30d6eb22d6aeec10347239b17b023bf4
SHA1: e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
SHA256: 659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
SHA512: 500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

File 9
Filesize: 1.3MB
MD5: 27890a1731a9bdfb4a55f0eb024f42b9
SHA1: 17a603fdd0c27a933f42936e1d31018e654456bf
SHA256: 340df3de91e0623f5242c4a2b58bfb59d942a50f97f504569f906ea637623c7d
SHA512: d2713923373eaad64bcab017fc30b7994bb93dda52e5a3a68088bb4c1831d92f99775ba825680867f373a6ab1682b16e22e3d76f5767940631ae3b860f8abee2

File 10
Filesize: 179KB
MD5: 322b47be78308652e8739e7116f0ec1e
SHA1: 6bfcfd212344149563f10d4709d6478e69e81c13
SHA256: 56806c318c68b5be14c324a2b63ce849cccbb8e6ac4125cc30dc1101e40929bf
SHA512: a55aa8585f4c46e1cdc5f71f7068312c7358b3791495efad37856e07623a3ca61e8b0868d6b2dbd9688aee2e222ab3288505d4c68479f7ee3be58303f83f1c96

File 11
Filesize: 146KB
MD5: 333ac5b9d015628823718f3b46eb3a53
SHA1: 85cf85e5cfee990160980e399ce0acbd54dbf305
SHA256: 5e7d6d77bf5459d64fc19e4a699af9f44e2909a9250b0b140abead986db1107e
SHA512: 0e9f5778f03f970722dd843f40c86b2799e982d355d19414d54d75377ad2435adaf6ff577585d8c0dd822839bf41aeee01072cdec580b891150ad9af11da6610

File 12
Filesize: 1.9MB
MD5: 2adb0e0580a7bb31b1b6f2d0c53b7638
SHA1: 9e9570fc25685b475f3e9adc00f1f9a5a73994ec
SHA256: a3e5f177cea52bd87cef1ba36f567f92e222f9dadc825d58c648948d2f0b6d46
SHA512: 888aab70a7817ac7cee9c0a242e76e0c2d65f37c39295e7980de9ea4e36473030ece17f8ac367aea28fdd5a33e003e7ffa3bc717971406406b8d5127e452dee2

File 13
Filesize: 994KB
MD5: 5b0a3eafb0c4a58927e86b285e3a193a
SHA1: 7881600224d983028589cae055794ca4981b627e
SHA256: 56d1c4fb0b35f6a2fc5dfc4942feb8cd45e8f5c85cc4348f9808afbfcb5802d8
SHA512: 517305fcd4c312d0329f4a645a4220bd3ad4173ffc11f5514b2279edf069366c33d02c66941611e53ef61c9c52efec8720c1330039a9cc5cb23a8d0a8de32d3c

File 14
Filesize: 994KB
MD5: 973c6dad7dbc199df7634efd981ea1b9
SHA1: 625391483bc1e1080778b85e329895615be7ebed
SHA256: 6224a8489d81c1638b81d708a4468753045f7786df2e736d611fbfd2a0a3d68e
SHA512: 9d6d862f02a27180c3def58df1c0de33fb0572fadacfa3210b5f543007ab182814788714d3f2b2127dcf27c0d7b8bbbe7501ae6c0a4d1cb86299abf53f793ddd

File 15
Filesize: 73KB
MD5: c7d4d685a0af2a09cbc21cb474358595
SHA1: b784599c82bb90d5267fd70aaa42acc0c614b5d2
SHA256: e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc
SHA512: fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

File 16
Filesize: 557KB
MD5: db7612f0fd6408d664185cfc81bef0cb
SHA1: 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256: e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512: 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

File 17
Filesize: 14.3MB
MD5: 4232d722afdfd6093f238ce386b251f4
SHA1: 8c57d7053fc82c5097c0060090295ae47bf32359
SHA256: 33af017dd14feafcfa51c105bbac88b4048cd703ca1c6bc0346f6c7cf73d71fa
SHA512: d00ceffdc69822807543b623dda773dedce09cf8429bd3497333a3b6acdc602b86d4d39257f93517a41cb6f4792c8a69b0ea549621854d2fc342e157b00049d4

File 18
Filesize: 23.7MB
MD5: 427dd559bb53c1bd728ca58b3796e72d
SHA1: 389cadd35a71569ca719b3611255ee659a7a7aaa
SHA256: 1521b67104f9f0de84e119d7e714f70711601be3992349fae59563abb37ca3a7
SHA512: 69467c4366bae7da75ecb6fcbcc50923971f72e5014d7e85d8c79e08a03a7fa46aaab1b8b8c44bf804efda22f74426821a6ed845c3de55be6f90bb5eb727fe58

File 19
Path: \??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{03208d49-7944-428b-88ab-df51e3d39ce5}_OnDiskSnapshotProp
Filesize: 6KB
MD5: aa4db70886acfaa080b8f34e209405c0
SHA1: c6cdbfe27ed071c9f2d1676ff5cab164d529a0f1
SHA256: 7415c1e4e64e4c938e73d7c017b5b6b39acdd7da7a21bf2c3048578f09b2e122
SHA512: 0d6e8af5861778a14ba4ce30be67e40ee1829247aa776b2b1b6826bc56575f9544e25e75aad6755505ecc50542e70cd844410e389481001975cd2a85f500b132