Malware Analysis Report

2024-11-30 20:56

Sample ID 241120-hahknatdnl
Target merd.msi
SHA256 c39abdca1a31b20fe06969a36102c784df7f63847ec930dfaf8c4bd97b4558bf
Tags
latrodectus discovery loader persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c39abdca1a31b20fe06969a36102c784df7f63847ec930dfaf8c4bd97b4558bf

Threat Level: Known bad

The file merd.msi was found to be: Known bad.

Malicious Activity Summary

latrodectus discovery loader persistence privilege_escalation

Latrodectus loader

Detects Latrodectus

Latrodectus family

Blocklisted process makes network request

Enumerates connected drives

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

System Location Discovery: System Language Discovery

Event Triggered Execution: Installer Packages

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 06:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 06:31

Reported

2024-11-20 06:39

Platform

win10v2004-20241007-en

Max time kernel

397s

Max time network

399s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Latrodectus

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Latrodectus family

latrodectus

Latrodectus loader

loader latrodectus

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICF66.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID1E8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{F51335B5-861E-4317-91B1-6EA78A6DECF1} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57cee9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID14B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID218.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID361.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID49B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57cee9.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSID49B.tmp N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Installer\MSID49B.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\merd.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 98FB30082A0B50FBDBE02561645D390C

C:\Windows\Installer\MSID49B.tmp

"C:\Windows\Installer\MSID49B.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\sqx.dll, GetDbInterface

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\sqx.dll, GetDbInterface

C:\Windows\system32\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\sqx.dll, GetDbInterface

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 uayyau.com udp
NL 94.232.40.38:4438 uayyau.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 88.221.135.105:80 r10.o.lencr.org tcp
NL 94.232.40.38:4438 uayyau.com tcp
US 8.8.8.8:53 38.40.232.94.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
NL 94.232.40.38:4438 uayyau.com tcp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 guaaug.com udp
NL 46.249.49.83:4438 guaaug.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 88.221.135.105:80 r10.o.lencr.org tcp
US 8.8.8.8:53 83.49.249.46.in-addr.arpa udp
NL 94.232.40.38:4438 uayyau.com tcp
NL 46.249.49.83:4438 guaaug.com tcp
US 8.8.8.8:53 bestmarsgood.com udp
US 104.21.6.232:443 bestmarsgood.com tcp
US 8.8.8.8:53 cerwintifed.com udp
US 104.21.78.35:443 cerwintifed.com tcp
US 8.8.8.8:53 232.6.21.104.in-addr.arpa udp
US 8.8.8.8:53 35.78.21.104.in-addr.arpa udp
NL 94.232.40.38:4438 uayyau.com tcp
NL 46.249.49.83:4438 guaaug.com tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
NL 94.232.40.38:4438 uayyau.com tcp
NL 46.249.49.83:4438 guaaug.com tcp

Files

C:\Windows\Installer\MSICF66.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSID49B.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

C:\Config.Msi\e57ceec.rbs

MD5 7de9d72029b9e3b91325868f2bd6642b
SHA1 8308e391e44e36df5e729212fcad351768857365
SHA256 b641e831bee19e90214474dbcf5a03b748a2149bdcc676d38e0c55ff1e443dd7
SHA512 bbc60283498a7274ca7f718a600648360bd6ee38ea6798f46a062047a566c58d71863232101eda36931fd5b96221a0997f076486c228f4714c1d98c6c33e2e1f

C:\Users\Admin\AppData\Roaming\sqx.dll

MD5 dd862590d9e4ea1791df147912ae4c8f
SHA1 852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
SHA256 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
SHA512 3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568

memory/2272-45-0x000001C736D20000-0x000001C736D6C000-memory.dmp

memory/2272-63-0x00007FF4F5980000-0x00007FF4F5981000-memory.dmp

memory/2272-65-0x00007FF4F5960000-0x00007FF4F5961000-memory.dmp

memory/2272-64-0x00007FF4F5970000-0x00007FF4F5971000-memory.dmp

memory/2272-62-0x00007FF4F5990000-0x00007FF4F5991000-memory.dmp

memory/2272-61-0x00007FF4F59A0000-0x00007FF4F59B5000-memory.dmp

memory/2272-60-0x00007FF4F59C0000-0x00007FF4F59C1000-memory.dmp

memory/3380-66-0x0000000002A10000-0x0000000002A25000-memory.dmp

memory/3380-67-0x0000000002A10000-0x0000000002A25000-memory.dmp

\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1bff4c85-4a6b-4694-aec3-f34ebff9c25b}_OnDiskSnapshotProp

MD5 6037630b14d47910a2ed85c4efc13eb7
SHA1 1f7cfc365c57451f23254ead19eb5ff6ebc664c8
SHA256 04d88805a3f73da9ae744f953955a174a70d08a0f872ec52ea16b53053fc3e4e
SHA512 470f77a95286ad6d8b94482ae6ef0f160e04939fbd7bb5a7d58cd12627ccd5b3cc1fb4670d8e268aec44fd18265f554edd4548b99eda824af777ffcd32d18652

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 7406cbe7e279886901110bf530ecd79e
SHA1 a54942046d503f75b23a620b5b847fdcd70f2857
SHA256 c0ba4ad7ac984b0b7509492b7ca3f9840a944aafc2639fec759c162990c4e419
SHA512 950e35cda8e7a4e869d6b0d8a96601cd30bf40d4766a02d2c89a6b100fc69b4150e37ea4d2e7d257f50f7efc36578bb5c57d7f7356072d1a1ee45b2493f73236

memory/2272-75-0x000001C736D20000-0x000001C736D6C000-memory.dmp

memory/3380-80-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-81-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-85-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-83-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-82-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-84-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-86-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-88-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-91-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-89-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-87-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-90-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-92-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-93-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-94-0x00000000029E0000-0x00000000029F0000-memory.dmp

memory/3380-95-0x00000000029E0000-0x00000000029F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 06:31

Reported

2024-11-20 06:39

Platform

win10ltsc2021-20241023-en

Max time kernel

389s

Max time network

363s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detects Latrodectus

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Latrodectus family

latrodectus

Latrodectus loader

loader latrodectus

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e57bcc8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBD26.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBE9E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBEDD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC018.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC122.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57bcc8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBEEE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{F51335B5-861E-4317-91B1-6EA78A6DECF1} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSIC122.tmp N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Installer\MSIC122.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006b382b850f3dc2e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006b382b850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006b382b85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6b382b85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006b382b8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\merd.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7D6420FB5EBED4EFF16221BF26A37B2A

C:\Windows\Installer\MSIC122.tmp

"C:\Windows\Installer\MSIC122.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\sqx.dll, GetDbInterface

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\sqx.dll, GetDbInterface

C:\Windows\system32\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\sqx.dll, GetDbInterface

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.61.93:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 uayyau.com udp
NL 94.232.40.38:4438 uayyau.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 88.221.135.105:80 r10.o.lencr.org tcp
NL 94.232.40.38:4438 uayyau.com tcp
US 8.8.8.8:53 38.40.232.94.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
NL 94.232.40.38:4438 uayyau.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 guaaug.com udp
NL 46.249.49.83:4438 guaaug.com tcp
US 8.8.8.8:53 83.49.249.46.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
NL 94.232.40.38:4438 uayyau.com tcp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp
NL 46.249.49.83:4438 guaaug.com tcp
US 8.8.8.8:53 bestmarsgood.com udp
US 104.21.6.232:443 bestmarsgood.com tcp
US 8.8.8.8:53 cerwintifed.com udp
US 172.67.215.185:443 cerwintifed.com tcp
US 8.8.8.8:53 232.6.21.104.in-addr.arpa udp
US 8.8.8.8:53 185.215.67.172.in-addr.arpa udp
NL 94.232.40.38:4438 uayyau.com tcp
NL 94.232.40.38:4438 uayyau.com tcp
NL 94.232.40.38:4438 uayyau.com tcp
NL 46.249.49.83:4438 guaaug.com tcp

Files

C:\Windows\Installer\MSIBD26.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSIC122.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

C:\Config.Msi\e57bccb.rbs

MD5 1fd22be2640a1e3c515abead07569e88
SHA1 cdb3dcb981882f854d40ab627548c364a3187ae2
SHA256 b52623abc3e24479ba7c1acb663e3b59f4822d936a74dfd08fe8f922d3bb120d
SHA512 bafc979aa3fd1f0a38b8285ea373e465682b80f78d253c2595c13a3193f8b9f3e89d9a68384a28ce0e8d2b2777060fc92b26cf9e6c7c2f934d56a67fc2151332

C:\Users\Admin\AppData\Roaming\sqx.dll

MD5 dd862590d9e4ea1791df147912ae4c8f
SHA1 852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
SHA256 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
SHA512 3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568

memory/4844-45-0x0000021315350000-0x000002131539C000-memory.dmp

memory/4844-61-0x00007FF415260000-0x00007FF415275000-memory.dmp

memory/4844-63-0x00007FF415240000-0x00007FF415241000-memory.dmp

memory/3692-66-0x00000000013F0000-0x0000000001405000-memory.dmp

memory/4844-65-0x00007FF415220000-0x00007FF415221000-memory.dmp

memory/4844-64-0x00007FF415230000-0x00007FF415231000-memory.dmp

memory/4844-62-0x00007FF415250000-0x00007FF415251000-memory.dmp

memory/4844-60-0x00007FF415280000-0x00007FF415281000-memory.dmp

memory/3692-67-0x00000000013F0000-0x0000000001405000-memory.dmp

\??\Volume{852b386b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d7dcfaef-2c42-4d1d-ab2a-a6e5c73717cc}_OnDiskSnapshotProp

MD5 9a9f949457f14f16bf729c03fded813f
SHA1 461716cd6822b6cf00dd4f10609d518275ba1cc5
SHA256 f211945c951dadc291e9fb224a06c1b252f19986c9f03e0dacf376a302d5e7ba
SHA512 6a2115e7eab2752935a05e54fe5f09bf8496edfb01baaddf69441293c9b05fa6bc19fd75ec59a43913ccfe4417a7f962e61c90935f44dcfc116015f9a604a074

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 f0a04952f9732e6ee769be35985a63a9
SHA1 ba21c70fcf8d83d285da5176dde2451d3e94d326
SHA256 0bbc788ebc4b8165a9a9f56dc8266a816a117459bd046549d481dfab2b16fa79
SHA512 39a72e8b135341ad969d5c6e3ae790346b34fd4af8fdbb3354b27cf5c1f7c982538610c08cd507acfc4cf0a00e8c38c4517c6ce8117e62290e3c1c35aed73cff

memory/4844-72-0x0000021315350000-0x000002131539C000-memory.dmp