Analysis
max time kernel: 141s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250313-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/04/2025, 12:38
Static task: static1
Behavioral task: behavioral1
Sample: 49b35e.msi
Resource: win10v2004-20250313-en
General
Target: 49b35e.msi
Size: 4.7MB
MD5: ecdd7739e76adee32b9cd61f4a132963
SHA1: 14e5ec6b9c6bdaab641009284e2f41067462bf21
SHA256: 59baa105734ae018e88a3abeee22657b083d2aaddf1c73e5564bf21382e5fa16
SHA512: 91526118167315f2258c1d4e7f2b1d68f8cd7865b8bedafdb1864a4d2084ba8312124aefacc9402a38dd47474e9aabe7ce988c18bfdef9ced275920bf376c229
SSDEEP: 98304:5Yqd1ASubUZwPEDYPo6sAPGJ60TGEtof1SvfRL8YwlYfRa6:LHr0PdsAPGJVTGEOdSvfSUa
Malware Config
Signatures
SectopRAT payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/5096-1414-0x0000000000400000-0x00000000004D4000-memory.dmp | family_sectoprat
Sectoprat family
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 5940 created 3580 | 5940 | CasPol.exe | 56
Uses browser remote debugging (2 TTPs, 10 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  pid | Process
  4956 | chrome.exe
  5984 | chrome.exe
  864 | chrome.exe
  312 | chrome.exe
  5424 | chrome.exe
  1828 | msedge.exe
  3888 | msedge.exe
  3828 | msedge.exe
  5228 | msedge.exe
  1476 | chrome.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks for any installed AV software in registry (1 TTP, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Avira | GmRemote.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security | GmRemote.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | GmRemote.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security | GmRemote.exe
  Key queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Avira | GmRemote.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Avira\Security\UserInterface | GmRemote.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Security\UserInterface | GmRemote.exe
  Key created | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Avira\Security | GmRemote.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 2968 set thread context of 5940 | 2968 | GmRemote.exe | 113
  PID 5940 set thread context of 5096 | 5940 | CasPol.exe | 117
  PID 2968 set thread context of 3504 | 2968 | GmRemote.exe | 114
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Windows directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSI95D8.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9667.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{D7DF4AAC-D1B0-41F5-B96D-0DCF90182CC3} | msiexec.exe
  File created | C:\Windows\Installer\e579460.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9627.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9927.tmp | msiexec.exe
  File created | C:\Windows\Installer\e579464.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e579460.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI94AE.tmp | msiexec.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2968 | GmRemote.exe
  5096 | CasPol.exe
Loads dropped DLL (5 IoCs)
  pid | Process
  4084 | MsiExec.exe
  4084 | MsiExec.exe
  4084 | MsiExec.exe
  4084 | MsiExec.exe
  5940 | CasPol.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  5660 | msiexec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GmRemote.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gpupdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not preserved in the extracted report) | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  2968 | GmRemote.exe
  2968 | GmRemote.exe
  2968 | GmRemote.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid | Process
  1476 | chrome.exe
  1476 | chrome.exe
  1476 | chrome.exe
  1476 | chrome.exe
  1476 | chrome.exe
  1828 | msedge.exe
  1828 | msedge.exe
  1828 | msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (34 IoCs)
Suspicious use of SendNotifyMessage (5 IoCs)
  pid | Process
  2968 | GmRemote.exe
  2968 | GmRemote.exe
  2968 | GmRemote.exe
  2968 | GmRemote.exe
  2968 | GmRemote.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  5096 | CasPol.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\Explorer.EXE (PID 3580)
  cmd: C:\Windows\Explorer.EXE
  - C:\Windows\system32\msiexec.exe (PID 5660)
    cmd: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\49b35e.msi
    signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe (PID 5096)
    cmd: "C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe"
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1476)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8270 --profile-directory="Default"
      signatures: Uses browser remote debugging; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4448)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb2899dcf8,0x7ffb2899dd04,0x7ffb2899dd10
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2768)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2008 /prefetch:2
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5092)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1588,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2272 /prefetch:3
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5356)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2388,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2556 /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 864)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8270 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3304 /prefetch:1
        signatures: Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4956)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8270 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3324 /prefetch:1
        signatures: Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5424)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8270 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4576 /prefetch:2
        signatures: Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 312)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8270 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4532,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4600 /prefetch:2
        signatures: Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5984)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=8270 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4832,i,13473168371165235774,4871702046205366042,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4864 /prefetch:1
        signatures: Uses browser remote debugging
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1828)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=7981 --profile-directory="Default"
      signatures: Uses browser remote debugging; Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 320)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x26c,0x7ffb19aff208,0x7ffb19aff214,0x7ffb19aff220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6136)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1960,i,11930990480782943395,959597033486323405,262144 --variations-seed-version --mojo-platform-channel-handle=2388 /prefetch:3
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3212)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2196,i,11930990480782943395,959597033486323405,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4336)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1972,i,11930990480782943395,959597033486323405,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3828)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=7981 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3604,i,11930990480782943395,959597033486323405,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:1
        signatures: Uses browser remote debugging
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3888)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=7981 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3612,i,11930990480782943395,959597033486323405,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:1
        signatures: Uses browser remote debugging
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5228)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --remote-debugging-port=7981 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4996,i,11930990480782943395,959597033486323405,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:2
        signatures: Uses browser remote debugging
- C:\Windows\system32\msiexec.exe (PID 5180)
  cmd: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4180)
    cmd: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 4084)
    cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 162F53CB0873461D884B28F7C04357FB
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Kart\GmRemote.exe (PID 2968)
    cmd: "C:\Users\Admin\AppData\Local\Kart\GmRemote.exe"
    signatures: Checks for any installed AV software in registry; Suspicious use of SetThreadContext; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe (PID 5940)
      cmd: C:\Users\Admin\AppData\Local\Temp\31081\CasPol.exe
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\gpupdate.exe (PID 3504)
      cmd: C:\Windows\SysWOW64\gpupdate.exe
      signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 5540)
  cmd: C:\Windows\system32\vssvc.exe
  signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe (PID 6012)
  cmd: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (PID 3744)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (1): Installer Packages (1)
- Modify Authentication Process (1)
Defense Evasion
- Modify Authentication Process (1)
- System Binary Proxy Execution (1): Msiexec (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
SHA256fa6f44a4ee3eba367e66f54141e00c860f741c0e5655eb63ae59454b203d98e7
SHA51244300a82af4f139b9710d08b345a693dfd3a5fd17c61d969269caffe6d21abce2b48c8b11b9689205ff0d572495dbe308f7401ee1176435657c20375d69e68ba
-
Filesize
2.7MB
MD5a8ea3a2fc14f8b273bc1935d43da1984
SHA1efe374596b618ef9d370aba05b42d9a0ac65dac1
SHA256c660d5677189669d513c0b56be46faa85d3b703601bedf01c56b955fcedacd29
SHA512d9d13bd1ebb1c6fe156ea375103476bce8f2bf7bfca4a8b57983eb0cb7b6c711ec5ac4a8c8f98d033025b4fa0e0038178a259524d312f453534ffaeca9b5cb17
-
Filesize
596B
MD5aa0e77ec6b92f58452bb5577b9980e6f
SHA1237872f2b0c90e8cbe61eaa0e2919d6578cacd3f
SHA256aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde
SHA51237366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6
-
Filesize
1KB
MD5cfbf46fdac2d3380e858db9c434a2e8d
SHA1de2b6f97e2506f048141270f8499008ed1715204
SHA2561d74732b4c8db898c02733ce77e49accbb6948768368ab5fdb6261e3728f9342
SHA51237bed8fbfaee4deb287284c7d0b88b0cd159a65ef96dd230ca0d0d39c3e04d49f2f44fc2fe6ed4af8eade72a3555f18cea6bacd694c33a6317bc5ad88a4e4e30
-
Filesize
5KB
MD52c905a6e4a21a3fa14adc1d99b7cbc03
SHA1bd8682b580d951e3df05dfd467abba6b87bb43d9
SHA256cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb
SHA512753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6
-
Filesize
93KB
MD53c9137d88a00b1ae0b41ff6a70571615
SHA11797d73e9da4287351f6fbec1b183c19be217c2a
SHA25624262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1
SHA51231730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae
-
Filesize
569B
MD52835dd0a0aef8405d47ab7f73d82eaa5
SHA1851ea2b4f89fc06f6a4cd458840dd5c660a3b76c
SHA2562aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3
SHA512490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc
-
Filesize
386KB
MD572b1c6699ddc2baab105d32761285df2
SHA1fc85e9fb190f205e6752624a5231515c4ee4e155
SHA256bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
SHA512cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170
-
Filesize
4.7MB
MD5ecdd7739e76adee32b9cd61f4a132963
SHA114e5ec6b9c6bdaab641009284e2f41067462bf21
SHA25659baa105734ae018e88a3abeee22657b083d2aaddf1c73e5564bf21382e5fa16
SHA51291526118167315f2258c1d4e7f2b1d68f8cd7865b8bedafdb1864a4d2084ba8312124aefacc9402a38dd47474e9aabe7ce988c18bfdef9ced275920bf376c229
-
Filesize
24.1MB
MD5a480e7fa5f352bced4886df6caec9f94
SHA19e998854ce9dc1fb783cf70111d4d5a23a6a6ce4
SHA256ae89281b5fa8a1848db164107213ee224f957b290891ae88de0619c416b90a62
SHA512853a83cd1a34681aac3c32a1417a4604ff87427d08c464841fbc75ff33917c4375830b2b7fb3092cbf4e6d5f2360a026c5f2cb51ea66949c3abb07c7d5e1991b
-
\??\Volume{a6f17796-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{48e55ba0-aa07-4c9b-8afb-eb9616ed4b61}_OnDiskSnapshotProp
Filesize6KB
MD5410af0a00fe2083eba65ece5b5c524eb
SHA10f19eba609227e82a619e72e508ef3a269675c08
SHA25661732e95a58d0bc6b000df863d9cdfd3e9da91e8a67fc1e9a546dd829505132f
SHA5129554de44b5074809537f016d6c92d4ac775e29298ebdb53d30605146ac196fbdd32ae889b88a72bbc17ff10d946cfc120495a509b12b60e0b49272d3674fcf9a