trickbot | cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58

Analysis

max time kernel
139s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
13-11-2020 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58.msi
Size

624KB
MD5

e1d32800e12d4df430e9f016bfba70b3
SHA1

2aadf50c972d6dcbd439896a2cb5446f4fa8eebc
SHA256

cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58
SHA512

870fdbdadefbfab69887c50b253270cce3ce9da90092b11a6d26bd4989a98182833f07be7836109ee2e157d698139c8ed1094cf2f53d4483458b50a04410da13

Score

10^/10

trickbot tar2 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blacklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

3 932 msiexec.exe
5 932 msiexec.exe
7 932 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

MMMedia.exe

pid process

1640 MMMedia.exe

flow	pid	process
3	932	msiexec.exe
5	932	msiexec.exe
7	932	msiexec.exe

pid	process
1640	MMMedia.exe

Enumerates connected drives 3 TTPs 72 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeMMMedia.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	MMMedia.exe
File opened (read-only)	\??\I:	MMMedia.exe
File opened (read-only)	\??\J:	MMMedia.exe
File opened (read-only)	\??\M:	MMMedia.exe
File opened (read-only)	\??\Q:	MMMedia.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	MMMedia.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\F:	MMMedia.exe
File opened (read-only)	\??\U:	MMMedia.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MMMedia.exe
File opened (read-only)	\??\W:	MMMedia.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	MMMedia.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	MMMedia.exe
File opened (read-only)	\??\X:	MMMedia.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	MMMedia.exe
File opened (read-only)	\??\S:	MMMedia.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	MMMedia.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	MMMedia.exe
File opened (read-only)	\??\O:	MMMedia.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	MMMedia.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	MMMedia.exe
File opened (read-only)	\??\Y:	MMMedia.exe
File opened (read-only)	\??\U:	msiexec.exe

Modifies service 2 TTPs 147 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exemsiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\GETSTATE (Enter) = 480000000000000030b11377cbb9d6010c05000004040000f90300000100000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Enter) = 480000000000000010981f77cbb9d6010c050000a8070000020400000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Enter) = 480000000000000090ca0f7acbb9d6010c050000a0020000fb0300000100000005000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\IDENTIFY (Leave) = 4800000000000000d037b671cbb9d6010c05000004040000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Leave) = 480000000000000050bff476cbb9d6010c0500007c040000e90300000000000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 4800000000000000f0a72d79cbb9d6010c050000a8070000fe0300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW_KTM (Enter) = 4800000000000000f0a72d79cbb9d6010c050000a8070000f40300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 480000000000000010d74779cbb9d6010c0500006c060000f20300000000000003000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Leave) = 480000000000000090ca0f7acbb9d6010c050000a8070000fb0300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{495fd7e4-1989-11eb-abf9-806e6f6e6963}_)\IOCTL_FLUSH_AND_HOLD (Enter) = 480000000000000050fe1c79cbb9d6010c050000dc050000fe0300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000f0b24079cbb9d6010c05000010060000fc0300000000000003000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 4800000000000000b06a3279cbb9d601cc05000044050000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppAddInterestingComponents (Leave) = 480000000000000090e6c976cbb9d601cc05000044050000d40700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Leave) = 4800000000000000304b1e78cbb9d6010c0500006c060000ea0300000000000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\FREEZE (Enter) = 4800000000000000509b7178cbb9d6010c05000064060000eb0300000100000002000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 4800000000000000f07be178cbb9d6010c050000a8070000ef0300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Enter) = 480000000000000050fe1c79cbb9d6010c050000a8070000fe0300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Leave) = 4800000000000000f0a72d79cbb9d6010c050000ec050000040400000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\THAW (Enter) = 480000000000000010d74779cbb9d6010c0500006c060000f20300000100000003000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Leave) = 48000000000000001077e676cbb9d6010c05000048060000010400000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Enter) = 480000000000000030827d78cbb9d6010c050000a8070000f00300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\FREEZE (Enter) = 480000000000000010698978cbb9d6010c0500006c060000eb0300000100000002000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 4800000000000000d039eb76cbb9d6010c05000048060000e90300000100000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Enter) = 480000000000000010981f77cbb9d601cc050000440500000a0400000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000d0f42e78cbb9d6010c050000c0060000020000000100000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Enter) = 4800000000000000f07be178cbb9d6010c050000a8070000030400000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Leave) = 480000000000000090ca0f7acbb9d6010c05000064060000fb0300000000000005000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppAddInterestingComponents (Enter) = 480000000000000090d0a376cbb9d601cc05000044050000d40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\GETSTATE (Enter) = 480000000000000050ca0777cbb9d601cc05000054040000f90300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_BACK (Leave) = 4800000000000000d0156878cbb9d6010c050000a8070000ed0300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Leave) = 480000000000000050093079cbb9d601cc0500008c0700000a0400000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppGatherWriterMetadata (Enter) = 4800000000000000d02ca371cbb9d601cc05000044050000d30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\IDENTIFY (Enter) = 480000000000000090efa771cbb9d601cc05000050060000e80300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Enter) = 4800000000000000d0f54371cbb9d601cc05000044050000d50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Leave) = 480000000000000090121677cbb9d6010c0500007c040000f90300000000000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Enter) = 4800000000000000f07be178cbb9d6010c050000a8070000fd0300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Enter) = 480000000000000090ca0f7acbb9d6010c05000064060000fb0300000100000005000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Enter) = 48000000000000001077e676cbb9d6010c05000048060000010400000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\FREEZE (Leave) = 4800000000000000f07be178cbb9d6010c0500006c060000eb0300000000000002000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW_KTM (Leave) = 4800000000000000f0a72d79cbb9d6010c050000a8070000f40300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 4800000000000000d0dbbe79cbb9d6010c05000064060000050000000100000004000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 4800000000000000d0d3f577cbb9d6010c050000a8070000020400000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 4800000000000000b0ba0178cbb9d6010c0500006c060000ea0300000100000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{495fd7e4-1989-11eb-abf9-806e6f6e6963}_)\IOCTL_FLUSH_AND_HOLD (Leave) = 4800000000000000f0a72d79cbb9d6010c050000dc050000fe0300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW (Enter) = 4800000000000000f0a72d79cbb9d6010c050000a8070000f20300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Enter) = 4800000000000000509b7178cbb9d6010c05000034010000fc0300000100000003000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{495fd7e4-1989-11eb-abf9-806e6f6e6963}_)\OPEN_VOLUME_HANDLE (Enter) = 4800000000000000f07be178cbb9d6010c050000dc050000fd0300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 4800000000000000f0de8c79cbb9d6010c050000a8070000f50300000100000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_STABLE (SetCurrentState) = 480000000000000050bff476cbb9d6010c0500007c040000010000000100000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{495fd7e4-1989-11eb-abf9-806e6f6e6963}_)\IOCTL_RELEASE (Leave) = 4800000000000000f0a72d79cbb9d6010c050000dc050000ff0300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\THAW (Enter) = 4800000000000000f0b24079cbb9d6010c0500004c060000f20300000100000003000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Leave) = 480000000000000010d74779cbb9d6010c05000034010000fc0300000000000003000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 480000000000000090889d79cbb9d6010c050000a0020000050000000100000004000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Leave) = 480000000000000050ca0777cbb9d601cc0500005c040000e90300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 480000000000000090121677cbb9d601cc05000054040000f90300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000304b1e78cbb9d6010c0500006c060000020000000100000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Leave) = 4800000000000000304b1e78cbb9d6010c0500004c060000ea0300000000000001000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Leave) = 480000000000000050fe1c79cbb9d6010c050000a8070000fd0300000000000000000000000000001c07387b9653e84ca9c0b293de4d242800000000000000000000000000000000	vssvc.exe

Drops file in Windows directory 9 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f745744.msi	msiexec.exe
File created	C:\Windows\Installer\f745745.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A04.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f745744.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f745745.ipi	msiexec.exe

Modifies data under HKEY_USERS 44 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1484 msiexec.exe
1484 msiexec.exe

pid	process
1484	msiexec.exe
1484	msiexec.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exewermgr.exe

description	pid	process
Token: SeShutdownPrivilege	932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeSecurityPrivilege	1484	msiexec.exe
Token: SeCreateTokenPrivilege	932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	932	msiexec.exe
Token: SeLockMemoryPrivilege	932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	932	msiexec.exe
Token: SeMachineAccountPrivilege	932	msiexec.exe
Token: SeTcbPrivilege	932	msiexec.exe
Token: SeSecurityPrivilege	932	msiexec.exe
Token: SeTakeOwnershipPrivilege	932	msiexec.exe
Token: SeLoadDriverPrivilege	932	msiexec.exe
Token: SeSystemProfilePrivilege	932	msiexec.exe
Token: SeSystemtimePrivilege	932	msiexec.exe
Token: SeProfSingleProcessPrivilege	932	msiexec.exe
Token: SeIncBasePriorityPrivilege	932	msiexec.exe
Token: SeCreatePagefilePrivilege	932	msiexec.exe
Token: SeCreatePermanentPrivilege	932	msiexec.exe
Token: SeBackupPrivilege	932	msiexec.exe
Token: SeRestorePrivilege	932	msiexec.exe
Token: SeShutdownPrivilege	932	msiexec.exe
Token: SeDebugPrivilege	932	msiexec.exe
Token: SeAuditPrivilege	932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	932	msiexec.exe
Token: SeChangeNotifyPrivilege	932	msiexec.exe
Token: SeRemoteShutdownPrivilege	932	msiexec.exe
Token: SeUndockPrivilege	932	msiexec.exe
Token: SeSyncAgentPrivilege	932	msiexec.exe
Token: SeEnableDelegationPrivilege	932	msiexec.exe
Token: SeManageVolumePrivilege	932	msiexec.exe
Token: SeImpersonatePrivilege	932	msiexec.exe
Token: SeCreateGlobalPrivilege	932	msiexec.exe
Token: SeBackupPrivilege	1292	vssvc.exe
Token: SeRestorePrivilege	1292	vssvc.exe
Token: SeAuditPrivilege	1292	vssvc.exe
Token: SeBackupPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	2016	DrvInst.exe
Token: SeLoadDriverPrivilege	2016	DrvInst.exe
Token: SeLoadDriverPrivilege	2016	DrvInst.exe
Token: SeLoadDriverPrivilege	2016	DrvInst.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeDebugPrivilege	1604	wermgr.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

932 msiexec.exe
932 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MMMedia.exe

pid process

1640 MMMedia.exe
1640 MMMedia.exe

pid	process
932	msiexec.exe
932	msiexec.exe

pid	process
1640	MMMedia.exe
1640	MMMedia.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

msiexec.exeMMMedia.exe

description	pid	process	target process
PID 1484 wrote to memory of 1640	1484	msiexec.exe	MMMedia.exe
PID 1484 wrote to memory of 1640	1484	msiexec.exe	MMMedia.exe
PID 1484 wrote to memory of 1640	1484	msiexec.exe	MMMedia.exe
PID 1484 wrote to memory of 1640	1484	msiexec.exe	MMMedia.exe
PID 1640 wrote to memory of 1604	1640	MMMedia.exe	wermgr.exe
PID 1640 wrote to memory of 1604	1640	MMMedia.exe	wermgr.exe
PID 1640 wrote to memory of 1604	1640	MMMedia.exe	wermgr.exe
PID 1640 wrote to memory of 1604	1640	MMMedia.exe	wermgr.exe
PID 1640 wrote to memory of 1604	1640	MMMedia.exe	wermgr.exe
PID 1640 wrote to memory of 1604	1640	MMMedia.exe	wermgr.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58.msi
1⤵
- Blacklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Modifies service
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005B4" "00000000000004E0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
5750119e73733fa46e0e619bcc38c9e4

SHA1
f4676a5ed5b119ff1bc3159e7dfcb56ab9983a67

SHA256
9294e1ab3b124831317fc30d02523147abb8006a22b9f429106cc05ae358ab5d

SHA512
d67c1e47ecec9d849052d5dcceb4e60a7f99859bff5c86f41f1b07e6906e406105279c3934ddd59f98a4f0aca8d76fa25dddfd2ee4f3d4217bdc74168d5a3603

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_2EC831F712385997548A0475F2DAA8EC
MD5
483073b54bd6b8352dcdf5cd87c8c24f

SHA1
de2b9f3b81eb714517c869f5e16bf9754e558f25

SHA256
49a40c57ac173e259d2d8fc70d85c256ecbf20c7c8a21bb598b4060fd4d4f592

SHA512
16c278df57a33c389297d2d021ed033e2e0a74fd3ce22d04cb1e50e1e75d3452c4ab38fc415a6790e8ab24a7caa2259333a6ee64ca309162798014c061eb90f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
030fe87cfe5f6cd49739fdf70cbd3a5e

SHA1
5a2414fa9f2eae51e2bef9871e7cef0ebbdee0d2

SHA256
4df6f0a37708e36c68fe9eec2deedfe4f3f4fc7a311902209d2b399bd946ea5e

SHA512
0eb4798c3b34e1d5eb33675207bb85396fb54bef6d37f3617292f73299bc0d310e60db98eb8e5eaa28c01fe37b811f0b04731e68d1587095d9fb4fafcbc09a27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B
MD5
2005abda92b4b8fbedf1a06554d4c021

SHA1
98858ced01d19b366933ace58626949402798880

SHA256
9e2f8d63f0499ba00e76321fe91a5c2285fe654b47db375f847b8d6b421a68b1

SHA512
d87466cc0ef02286ded862c937461e0774eb6ed998cc9940794cb20d1ce7abb5f66acf64b32f66268d43f59915f47bc386198c93ae046b77d25e34401c649318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_2EC831F712385997548A0475F2DAA8EC
MD5
526484a7e99cce73327051ab8be8e081

SHA1
08d122c6e0390a851232d5fcd210000ad40e4348

SHA256
5e2afe11d04b1830918dbe3445829c08a914b08945135a9d484b1cbf3ef3d422

SHA512
bcdb4e45e46d024ee59cebbd7062cc4a5f32da3cee9adab63d5c13fa17a691da31138df732701ef6dbfe83eab75d75330fff783368f7718e8c2656f736fbff4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8a8fc26de48b573aa4693db0928aac9e

SHA1
02d5d04f2e98ecffb3fb69c2d51779339d52e993

SHA256
39b67629df106aa3943b9603cfa02a9de9fa156928850c902c65b4746410351c

SHA512
5d75fa64644c28d0ecff8d4bf0f6be96e4e1c60ef6848f0150e54044b8a8f5da3e07f8d28bc37afba0d5866a401e5d65c8690fc1417e716cd510fbb316f7d35d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
30ecb947a734df4858f36f35bfd2b87a

SHA1
2f32e54936ff3edcd5b321bb5bcd8ba5cecd5d0c

SHA256
ef1cdfcd57f1896d0cf30ded315598607736cc63fbb999b055864eb79291a4a9

SHA512
7ad340841a6fb217fefbce6525fe2f0a202715a3616346c8dcbb42f47c4e3a6fd201f4f484f0252c9b1f5dbf8d97b62fd74cf3212eb1f67bd0b02f36d062ed94

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
MD5
46a07ec480cd011dae44a527b478cce4

SHA1
21d83628819edcded2ca949c8c886526594847cd

SHA256
b4ad3c9c795d3d07eed4af3d337662a974e64315bb7edde82b6df25f4c09b32b

SHA512
ca1bce0427b4531f2d3960a49f734bbc61014627fac912a780b43d40b9db45c76801337d0086a1da464622aa05a6cc25e07c15bbef418826d40b78e6679e1e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMMedia\MMMedia.exe
MD5
46a07ec480cd011dae44a527b478cce4

SHA1
21d83628819edcded2ca949c8c886526594847cd

SHA256
b4ad3c9c795d3d07eed4af3d337662a974e64315bb7edde82b6df25f4c09b32b

SHA512
ca1bce0427b4531f2d3960a49f734bbc61014627fac912a780b43d40b9db45c76801337d0086a1da464622aa05a6cc25e07c15bbef418826d40b78e6679e1e64

Download Submit
memory/932-6-0x0000000004310000-0x0000000004314000-memory.dmp

Filesize
16KB

Download
memory/932-4-0x0000000004310000-0x0000000004314000-memory.dmp

Filesize
16KB

Download
memory/932-3-0x0000000004150000-0x0000000004154000-memory.dmp

Filesize
16KB

Download
memory/932-1-0x00000000040D0000-0x00000000040D4000-memory.dmp

Filesize
16KB

Download
memory/932-42-0x0000000002210000-0x0000000002214000-memory.dmp

Filesize
16KB

Download
memory/932-0-0x0000000003210000-0x0000000003214000-memory.dmp

Filesize
16KB

Download
memory/1484-18-0x0000000000E30000-0x0000000000E34000-memory.dmp

Filesize
16KB

Download
memory/1484-17-0x0000000000E30000-0x0000000000E34000-memory.dmp

Filesize
16KB

Download
memory/1484-15-0x0000000001870000-0x0000000001874000-memory.dmp

Filesize
16KB

Download
memory/1484-16-0x0000000000E30000-0x0000000000E34000-memory.dmp

Filesize
16KB

Download
memory/1484-40-0x0000000004780000-0x0000000004784000-memory.dmp

Filesize
16KB

Download
memory/1484-41-0x0000000004780000-0x0000000004784000-memory.dmp

Filesize
16KB

Download
memory/1484-14-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/1604-33-0x0000000000000000-mapping.dmp

Download
memory/1640-28-0x0000000000000000-mapping.dmp

Download
memory/1640-31-0x00000000034B0000-0x00000000034EE000-memory.dmp

Filesize
248KB

Download
memory/1640-32-0x00000000034F0000-0x000000000352A000-memory.dmp

Filesize
232KB

Download