cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-11-2021 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e519d0a4bab2d08e14a5c175d431ce3e.msi
Size

6.1MB
MD5

e519d0a4bab2d08e14a5c175d431ce3e
SHA1

56f8327c426952cb3f85de5927274974c9dc89b8
SHA256

cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1
SHA512

43372e37b07d4586f951c7911df635f375f778f9182583cdaafe8bac38e99d42da32534c445c0f2febdda0153682f83956dbcd573d942127aca8ae162ab4f350

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://autoatendimento.bb.com.br/apf-apj-acesso/#/transacao/acesso-empresa/0?v=2.28.10&t=1&tipoCliente=empresa

exe.dropper

https://www2.bancobrasil.com.br/aapf/login.html#/acesso-aapf-agencia-conta

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

29 2240 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

PQYNFX.exe

pid process

1512 PQYNFX.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upspur.lnk powershell.exe

flow	pid	process
29	2240	powershell.exe

pid	process
1512	PQYNFX.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upspur.lnk	powershell.exe

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exePQYNFX.exe

pid	process
2312	MsiExec.exe
2312	MsiExec.exe
2312	MsiExec.exe
2312	MsiExec.exe
2312	MsiExec.exe
1512	PQYNFX.exe
1512	PQYNFX.exe
1512	PQYNFX.exe
1512	PQYNFX.exe
1512	PQYNFX.exe
1512	PQYNFX.exe
1512	PQYNFX.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI8859.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D618A565-832C-447D-909C-78211999A508}	msiexec.exe
File opened for modification	C:\Windows\Installer\f76828a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI83A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI874E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A9C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI908B.tmp	msiexec.exe
File created	C:\Windows\Installer\f76828a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exepowershell.exepowershell.exepowershell.exe

pid	process
724	msiexec.exe
724	msiexec.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2644	msiexec.exe
Token: SeSecurityPrivilege	724	msiexec.exe
Token: SeCreateTokenPrivilege	2644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2644	msiexec.exe
Token: SeLockMemoryPrivilege	2644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2644	msiexec.exe
Token: SeMachineAccountPrivilege	2644	msiexec.exe
Token: SeTcbPrivilege	2644	msiexec.exe
Token: SeSecurityPrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeLoadDriverPrivilege	2644	msiexec.exe
Token: SeSystemProfilePrivilege	2644	msiexec.exe
Token: SeSystemtimePrivilege	2644	msiexec.exe
Token: SeProfSingleProcessPrivilege	2644	msiexec.exe
Token: SeIncBasePriorityPrivilege	2644	msiexec.exe
Token: SeCreatePagefilePrivilege	2644	msiexec.exe
Token: SeCreatePermanentPrivilege	2644	msiexec.exe
Token: SeBackupPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeShutdownPrivilege	2644	msiexec.exe
Token: SeDebugPrivilege	2644	msiexec.exe
Token: SeAuditPrivilege	2644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2644	msiexec.exe
Token: SeChangeNotifyPrivilege	2644	msiexec.exe
Token: SeRemoteShutdownPrivilege	2644	msiexec.exe
Token: SeUndockPrivilege	2644	msiexec.exe
Token: SeSyncAgentPrivilege	2644	msiexec.exe
Token: SeEnableDelegationPrivilege	2644	msiexec.exe
Token: SeManageVolumePrivilege	2644	msiexec.exe
Token: SeImpersonatePrivilege	2644	msiexec.exe
Token: SeCreateGlobalPrivilege	2644	msiexec.exe
Token: SeBackupPrivilege	3368	vssvc.exe
Token: SeRestorePrivilege	3368	vssvc.exe
Token: SeAuditPrivilege	3368	vssvc.exe
Token: SeBackupPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeBackupPrivilege	2324	srtasks.exe
Token: SeRestorePrivilege	2324	srtasks.exe
Token: SeSecurityPrivilege	2324	srtasks.exe
Token: SeTakeOwnershipPrivilege	2324	srtasks.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeBackupPrivilege	2324	srtasks.exe
Token: SeRestorePrivilege	2324	srtasks.exe
Token: SeSecurityPrivilege	2324	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2644 msiexec.exe
2644 msiexec.exe

pid	process
2644	msiexec.exe
2644	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

msiexec.exeMsiExec.exepowershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 724 wrote to memory of 2324	724	msiexec.exe	srtasks.exe
PID 724 wrote to memory of 2324	724	msiexec.exe	srtasks.exe
PID 724 wrote to memory of 2312	724	msiexec.exe	MsiExec.exe
PID 724 wrote to memory of 2312	724	msiexec.exe	MsiExec.exe
PID 724 wrote to memory of 2312	724	msiexec.exe	MsiExec.exe
PID 2312 wrote to memory of 2240	2312	MsiExec.exe	powershell.exe
PID 2312 wrote to memory of 2240	2312	MsiExec.exe	powershell.exe
PID 2312 wrote to memory of 2240	2312	MsiExec.exe	powershell.exe
PID 2240 wrote to memory of 1896	2240	powershell.exe	WScript.exe
PID 2240 wrote to memory of 1896	2240	powershell.exe	WScript.exe
PID 2240 wrote to memory of 1896	2240	powershell.exe	WScript.exe
PID 1896 wrote to memory of 1512	1896	WScript.exe	PQYNFX.exe
PID 1896 wrote to memory of 1512	1896	WScript.exe	PQYNFX.exe
PID 1896 wrote to memory of 1512	1896	WScript.exe	PQYNFX.exe
PID 1896 wrote to memory of 2636	1896	WScript.exe	powershell.exe
PID 1896 wrote to memory of 2636	1896	WScript.exe	powershell.exe
PID 1896 wrote to memory of 2636	1896	WScript.exe	powershell.exe
PID 2636 wrote to memory of 1964	2636	powershell.exe	powershell.exe
PID 2636 wrote to memory of 1964	2636	powershell.exe	powershell.exe
PID 2636 wrote to memory of 1964	2636	powershell.exe	powershell.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e519d0a4bab2d08e14a5c175d431ce3e.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 23560ACC0382E011B11134E7AA583EAE
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9114.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9111.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9112.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9113.txt" -propSep " :<->: " -testPrefix "_testValue."
3⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SGMSXH\RUUYBF.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\SGMSXH\PQYNFX.exe
"C:\SGMSXH\PQYNFX.exe" -f C:\SGMSXH\HOXZOZ
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -File C:\SGMSXH\FNUKDE.ps1 C:\SGMSXH\GRFHME.exe save.nbanamend.com
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Xopato\capturador.exe
MD5
53fc515f425a2cdc9dadf1e139bc142b

SHA1
b63ca1abab256b1619da7df994497e9f063f6713

SHA256
daba783c0b0e47ce3096ca6661e785467b5eb45147dd29c09b77c6b18b7a3d7e

SHA512
fd91f97825a19c105a1304bc969ceec33af89614aa4cac3c6bf75f3362ccb41c167431493bebe8ca428fba587e8089b9eab7473148009ad9f8de1a95093c3b1d

Download Submit
C:\ProgramData\Xopato\capturador.exe.config
MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\ProgramData\Xopato\libcrypto-1_1.dll
MD5
3406f79392c47a72bed2f0067b3ce466

SHA1
a8e2940d61fc840441c4e2a835959d197929ffdf

SHA256
e4b6b2ca32b1e2ba26959ec7380c4f117418d3a724f60494ff3cb81505fbf43d

SHA512
930d794aa8715dcd23fafbead7fe2ec95d2863783b4c52279870cad93d5b6cf02ba8a13e2653d2bf731e9882bf63f43a7e44788ce47505346be3fe8e8b872fa4

Download Submit
C:\ProgramData\Xopato\libevent-2-1-7.dll
MD5
a3bf8e33948d94d490d4613441685eee

SHA1
75ed7f6e2855a497f45b15270c3ad4aed6ad02e2

SHA256
91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585

SHA512
c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

Download Submit
C:\ProgramData\Xopato\libevent_core-2-1-7.dll
MD5
686c6a9da6767287bf2e2126574fafea

SHA1
2b0be53c4ad4b67ecdfdcd97a717de5a617f9ef0

SHA256
abdc8cfb39d1431a1e740cf9db2bbd604cdb7a4ed79e7e0a68d814e32a296164

SHA512
3cde56ff25e53a9a04b5459113c89b8562c01b0f93e39c56bd6536824488f4f9347929935056012adaa4982cbb8a39b61ce2f17cf92ecf02295ab1a922cd4dd4

Download Submit
C:\ProgramData\Xopato\libevent_extra-2-1-7.dll
MD5
070f988b98e9717bbd5e870a4f8c1611

SHA1
17fb4c990c13a4fb0a2181fe139d3515ff8d96f6

SHA256
9deb6f1776db51fa7e4e89ad2779a9f07e9f22fcb5e24481faa291d2d27e43fe

SHA512
c83d793bbe26e0297f9726b32cad5be3f92dbc36717c143ff7d55b7bd7bb20324fd86594bc626a374252656c3ee187fa4dca4c3933fe19952894042b2127a6fd

Download Submit
C:\ProgramData\Xopato\libgcc_s_sjlj-1.dll
MD5
bd40ff3d0ce8d338a1fe4501cd8e9a09

SHA1
3aae8c33bf0ec9adf5fbf8a361445969de409b49

SHA256
ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c

SHA512
404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

Download Submit
C:\ProgramData\Xopato\libssl-1_1.dll
MD5
9e3d55fbf890c6cbffd836f2aef4ba31

SHA1
715890ba3bda3431470cca4f4bc492c0f63fa138

SHA256
e6f4cf41373e8770c670cf5e85461f25385314ed9d8a2b37381bc84f5c0dd5c0

SHA512
9848f28fd96c21dd054cbf3e722e56373696c1f7803c137afc7c7203325d9738fa6b984d95cd49ff78a6d95c8f9406f869af3c3783901da3cc003e2b09497d65

Download Submit
C:\ProgramData\Xopato\libssp-0.dll
MD5
b77328da7cead5f4623748a70727860d

SHA1
13b33722c55cca14025b90060e3227db57bf5327

SHA256
46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7

SHA512
2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

Download Submit
C:\ProgramData\Xopato\libwinpthread-1.dll
MD5
19d7cc4377f3c09d97c6da06fbabc7dc

SHA1
3a3ba8f397fb95ed5df22896b2c53a326662fcc9

SHA256
228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d

SHA512
23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

Download Submit
C:\ProgramData\Xopato\monitor.ps1
MD5
dd2c9a2529b9db000e30fe0331f6ffaa

SHA1
b7b89dc1e05479d421153ef5109dc72319c3943e

SHA256
eef8c513b78dbe60d5fd2793052f7b29151b96d53a513bf6f2a27ab205a64b14

SHA512
e359df6b0b7774e32522bf66932e4dd9561a5cbea9f982369ab52fb1d51a4b7ad4ad5bae6747717e126b6b14ab0018aa88b7efb105e37ca6bcbde140f60140f9

Download Submit
C:\ProgramData\Xopato\tor-gencert.exe
MD5
86585d1fefe502af61cc1ac83502d73d

SHA1
92f5ea6539edc25b7a43e5e62967941670f1cfd0

SHA256
7332b6e43206f54085b1ca61d6b8920e11e0f94d2ac82bbcbd852f378d703a77

SHA512
8ea093bff34e768d33196441ea25a7eabae9e0ca1def49eddb018d8803d55d326d2624fcf9018225162720f8ddc97fe32e39f5aed711978bd46b3ec364b96154

Download Submit
C:\ProgramData\Xopato\tor.exe
MD5
67ab12cf6cabc14588e4f51b21c2134a

SHA1
32a4ff564f38bf4b62007e419f19c991e60d6e14

SHA256
f0aaae0364306bb7a4681d01935c96c2ac76b3576b7982990f86bcaf811a45ba

SHA512
2a1c67e9d23d6b050e35c5a8e159309cf598095239406c60a9f721fddc912e21afab7036cbd9f77197cc4241df5f8fa6aa9d7294762659178c6edeb4699d5bec

Download Submit
C:\ProgramData\Xopato\zlib1.dll
MD5
6f98da9e33cd6f3dd60950413d3638ac

SHA1
e630bdf8cebc165aa81464ff20c1d55272d05675

SHA256
219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773

SHA512
2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

Download Submit
C:\SGMSXH\FNUKDE.ps1
MD5
dd2c9a2529b9db000e30fe0331f6ffaa

SHA1
b7b89dc1e05479d421153ef5109dc72319c3943e

SHA256
eef8c513b78dbe60d5fd2793052f7b29151b96d53a513bf6f2a27ab205a64b14

SHA512
e359df6b0b7774e32522bf66932e4dd9561a5cbea9f982369ab52fb1d51a4b7ad4ad5bae6747717e126b6b14ab0018aa88b7efb105e37ca6bcbde140f60140f9

Download Submit
C:\SGMSXH\HOXZOZ
MD5
fff5f1a728740ed0d126837e9e8ff116

SHA1
77f745aa4a2b17b262095a93db8d6681c95e9260

SHA256
a6dd0c6f283b1fff9dca4ddc58426f5d066ee2f970afc2289ec2928fc41778ac

SHA512
3ead2d98ba9963bcf43a76f1f153db119bd7f7afabbf0a3de0a605b08058a1fb9c56b325da3bdd46682d368ea990369798c5dfe911c245c8793ba50a4bad236e

Download Submit
C:\SGMSXH\PQYNFX.exe
MD5
67ab12cf6cabc14588e4f51b21c2134a

SHA1
32a4ff564f38bf4b62007e419f19c991e60d6e14

SHA256
f0aaae0364306bb7a4681d01935c96c2ac76b3576b7982990f86bcaf811a45ba

SHA512
2a1c67e9d23d6b050e35c5a8e159309cf598095239406c60a9f721fddc912e21afab7036cbd9f77197cc4241df5f8fa6aa9d7294762659178c6edeb4699d5bec

Download Submit
C:\SGMSXH\PQYNFX.exe
MD5
67ab12cf6cabc14588e4f51b21c2134a

SHA1
32a4ff564f38bf4b62007e419f19c991e60d6e14

SHA256
f0aaae0364306bb7a4681d01935c96c2ac76b3576b7982990f86bcaf811a45ba

SHA512
2a1c67e9d23d6b050e35c5a8e159309cf598095239406c60a9f721fddc912e21afab7036cbd9f77197cc4241df5f8fa6aa9d7294762659178c6edeb4699d5bec

Download Submit
C:\SGMSXH\RUUYBF.vbs
MD5
f964b095696c2881109757eedc5e22a5

SHA1
2b4e362c4f7b84ceed38ce16c4b6e5253607da36

SHA256
a170c2608747b228f65fb4f4fe015ab359a32b3d954eb3674607549cd2a510a8

SHA512
982f7b2b078edc528b0fe102f365eae4e6a148f419527dda2fe2dc6d87a7740fad1983f39481e30f93a28fcef25bda5a00ad8523074979f4fab35d48a830b2f2

Download Submit
C:\SGMSXH\libcrypto-1_1.dll
MD5
3406f79392c47a72bed2f0067b3ce466

SHA1
a8e2940d61fc840441c4e2a835959d197929ffdf

SHA256
e4b6b2ca32b1e2ba26959ec7380c4f117418d3a724f60494ff3cb81505fbf43d

SHA512
930d794aa8715dcd23fafbead7fe2ec95d2863783b4c52279870cad93d5b6cf02ba8a13e2653d2bf731e9882bf63f43a7e44788ce47505346be3fe8e8b872fa4

Download Submit
C:\SGMSXH\libevent-2-1-7.dll
MD5
a3bf8e33948d94d490d4613441685eee

SHA1
75ed7f6e2855a497f45b15270c3ad4aed6ad02e2

SHA256
91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585

SHA512
c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

Download Submit
C:\SGMSXH\libgcc_s_sjlj-1.dll
MD5
bd40ff3d0ce8d338a1fe4501cd8e9a09

SHA1
3aae8c33bf0ec9adf5fbf8a361445969de409b49

SHA256
ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c

SHA512
404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

Download Submit
C:\SGMSXH\libssl-1_1.dll
MD5
9e3d55fbf890c6cbffd836f2aef4ba31

SHA1
715890ba3bda3431470cca4f4bc492c0f63fa138

SHA256
e6f4cf41373e8770c670cf5e85461f25385314ed9d8a2b37381bc84f5c0dd5c0

SHA512
9848f28fd96c21dd054cbf3e722e56373696c1f7803c137afc7c7203325d9738fa6b984d95cd49ff78a6d95c8f9406f869af3c3783901da3cc003e2b09497d65

Download Submit
C:\SGMSXH\libssp-0.dll
MD5
b77328da7cead5f4623748a70727860d

SHA1
13b33722c55cca14025b90060e3227db57bf5327

SHA256
46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7

SHA512
2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

Download Submit
C:\SGMSXH\libwinpthread-1.dll
MD5
19d7cc4377f3c09d97c6da06fbabc7dc

SHA1
3a3ba8f397fb95ed5df22896b2c53a326662fcc9

SHA256
228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d

SHA512
23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

Download Submit
C:\SGMSXH\zlib1.dll
MD5
6f98da9e33cd6f3dd60950413d3638ac

SHA1
e630bdf8cebc165aa81464ff20c1d55272d05675

SHA256
219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773

SHA512
2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
9ee2fc876b295affc0e0ae4e05baeb98

SHA1
c0c15a072ee7100484355e77dcd1a92ebc1edb6e

SHA256
57abde5b934e48ca1cb5d487f4f2263fc597416218017e3cfde5e1af280d6679

SHA512
5ed04e1f17d457e93e81d610c318d9dd7591625f96239f128459a9ecc8fd4d2ffbed82d8b1a0e4f8a255a1b8774453d36e87bb7e63f5292e718d8c4c3b633624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6ae8936dea8f92df3b2de7eec57aebdd

SHA1
e8a3f0ae957d8e8722d5ed313fd767dfd05e9ffe

SHA256
5ce946bbb9f4c79eb9b327048248d31ba0f9fdff4e627029f89414042047fde8

SHA512
6996c5d6c8484b1bc7365ab926254c9790e73a54b680a28897b1c4b8a948ec853616f96e821c4452aa5d1be125e1ead60b74880b3acbc9d709f32e88db18826c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss9114.ps1
MD5
0c95bc11cfca37f84a19de0529377e13

SHA1
41f409dbbab04ef35c4f6489af6f85fceb9c501a

SHA256
88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

SHA512
8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr9112.ps1
MD5
760083834ce1d1b1ffa7d4134702ef37

SHA1
4acdc74fc95959fccd939f4b76ed34361b378daf

SHA256
82d84adfabc02fedb06911b370215b382bb6f21998f65971ffd454b1c9a2bac9

SHA512
c6c65ae003984538ac166a91d51ec4871781dd36d84d0d360880950c72504d2a8bfd80a339d1bd898f4be4baac11b3029333195da8cd6890a087126e1104e9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr9113.txt
MD5
78b10d5d64c74e8450185f1cc409c2b4

SHA1
92e2d22ffa1b3dc1df05462db670a182b2bae3ab

SHA256
1e5b986e5d39b1e0a15d6721d75d5174d164ae687a5f541036333e033963e983

SHA512
544d687f50fb38c0c7908de08149ede99dbe3250ddd84282c20b1af1496ca072d3266221b7220f407938a70035819b8e5451b3a30e2d7ce3ae0aaa152552184a

Download Submit
C:\Windows\Installer\MSI83A3.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSI874E.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSI87EB.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSI8859.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSI908B.tmp
MD5
eeacf76535bbb010b9407d94288933de

SHA1
d30e40f531bb1074fe78595ef647b56b7c6609e4

SHA256
322023eee9182800b4160c2b1e739d3e7850cc127da9d2bd77e705ca5f2d2e56

SHA512
81f446cd0ec952dc9b28634d3c6ba94942967cae5f5fcc84d336b1d0b4c19933cfe68fc6fe501374d101f5dc6048cd29b5171bb62c1ec56240a5539a07d75e99

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
eb6f3d820cad826994c88f2de88c68c9

SHA1
70442b8dc52f4f60968a4a26f9fd82f2eaf2ef7c

SHA256
78ebef84e274fcb6bb54ef284089813124184ee7c1ca8ccb73802da6047d3cbb

SHA512
e137de0942a7c08f7b665fde809778c184ebe97823486e6aeb7b2b5957f1cd6e331dbc79d5e9d64981dafb31c6dc56b1bc9092a9ac8a623400b58657515b25d7

Download Submit
\??\Volume{0e38e18f-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{ccaf7827-ad95-473e-a34e-2f86c4f91add}_OnDiskSnapshotProp
MD5
e9b2e438050a9207503fca785a68e983

SHA1
438a4b4162c0a41732a72bc0bd88e55db04c01c8

SHA256
0301b303e4b9b1c63843094bded19bbf9b342a39f1478efca2fffd209b83f4a9

SHA512
103c28f89356ca160fdb7583e12df6d928dedd6b79433f5d1eaa861db7a460aa7586f5326390aa051cca5a154d9e2bcd884f929d57d59e1c14cf1dcada2b3ba3

Download Submit
\SGMSXH\libcrypto-1_1.dll
MD5
3406f79392c47a72bed2f0067b3ce466

SHA1
a8e2940d61fc840441c4e2a835959d197929ffdf

SHA256
e4b6b2ca32b1e2ba26959ec7380c4f117418d3a724f60494ff3cb81505fbf43d

SHA512
930d794aa8715dcd23fafbead7fe2ec95d2863783b4c52279870cad93d5b6cf02ba8a13e2653d2bf731e9882bf63f43a7e44788ce47505346be3fe8e8b872fa4

Download Submit
\SGMSXH\libevent-2-1-7.dll
MD5
a3bf8e33948d94d490d4613441685eee

SHA1
75ed7f6e2855a497f45b15270c3ad4aed6ad02e2

SHA256
91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585

SHA512
c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

Download Submit
\SGMSXH\libgcc_s_sjlj-1.dll
MD5
bd40ff3d0ce8d338a1fe4501cd8e9a09

SHA1
3aae8c33bf0ec9adf5fbf8a361445969de409b49

SHA256
ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c

SHA512
404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

Download Submit
\SGMSXH\libssl-1_1.dll
MD5
9e3d55fbf890c6cbffd836f2aef4ba31

SHA1
715890ba3bda3431470cca4f4bc492c0f63fa138

SHA256
e6f4cf41373e8770c670cf5e85461f25385314ed9d8a2b37381bc84f5c0dd5c0

SHA512
9848f28fd96c21dd054cbf3e722e56373696c1f7803c137afc7c7203325d9738fa6b984d95cd49ff78a6d95c8f9406f869af3c3783901da3cc003e2b09497d65

Download Submit
\SGMSXH\libssp-0.dll
MD5
b77328da7cead5f4623748a70727860d

SHA1
13b33722c55cca14025b90060e3227db57bf5327

SHA256
46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7

SHA512
2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

Download Submit
\SGMSXH\libwinpthread-1.dll
MD5
19d7cc4377f3c09d97c6da06fbabc7dc

SHA1
3a3ba8f397fb95ed5df22896b2c53a326662fcc9

SHA256
228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d

SHA512
23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

Download Submit
\SGMSXH\zlib1.dll
MD5
6f98da9e33cd6f3dd60950413d3638ac

SHA1
e630bdf8cebc165aa81464ff20c1d55272d05675

SHA256
219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773

SHA512
2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

Download Submit
\Windows\Installer\MSI83A3.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
\Windows\Installer\MSI874E.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
\Windows\Installer\MSI87EB.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
\Windows\Installer\MSI8859.tmp
MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
\Windows\Installer\MSI908B.tmp
MD5
eeacf76535bbb010b9407d94288933de

SHA1
d30e40f531bb1074fe78595ef647b56b7c6609e4

SHA256
322023eee9182800b4160c2b1e739d3e7850cc127da9d2bd77e705ca5f2d2e56

SHA512
81f446cd0ec952dc9b28634d3c6ba94942967cae5f5fcc84d336b1d0b4c19933cfe68fc6fe501374d101f5dc6048cd29b5171bb62c1ec56240a5539a07d75e99

Download Submit
memory/724-118-0x0000021AD9E00000-0x0000021AD9E02000-memory.dmp

Filesize
8KB

Download
memory/724-119-0x0000021AD9E00000-0x0000021AD9E02000-memory.dmp

Filesize
8KB

Download
memory/1512-244-0x000000006F250000-0x000000006F276000-memory.dmp

Filesize
152KB

Download
memory/1512-212-0x0000000000000000-mapping.dmp

Download
memory/1512-230-0x000000006F250000-0x000000006F276000-memory.dmp

Filesize
152KB

Download
memory/1512-233-0x0000000000E50000-0x0000000001263000-memory.dmp

Filesize
4.1MB

Download
memory/1512-240-0x000000006F100000-0x000000006F1FB000-memory.dmp

Filesize
1004KB

Download
memory/1512-229-0x000000006F100000-0x000000006F1FB000-memory.dmp

Filesize
1004KB

Download
memory/1512-243-0x000000006EB30000-0x000000006EC16000-memory.dmp

Filesize
920KB

Download
memory/1512-242-0x000000006EC20000-0x000000006EF15000-memory.dmp

Filesize
3.0MB

Download
memory/1512-245-0x0000000000E50000-0x0000000001263000-memory.dmp

Filesize
4.1MB

Download
memory/1896-208-0x0000000000000000-mapping.dmp

Download
memory/1964-358-0x0000000006938000-0x0000000006939000-memory.dmp

Filesize
4KB

Download
memory/1964-334-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/1964-326-0x0000000000000000-mapping.dmp

Download
memory/1964-335-0x0000000006932000-0x0000000006933000-memory.dmp

Filesize
4KB

Download
memory/1964-356-0x0000000006935000-0x0000000006937000-memory.dmp

Filesize
8KB

Download
memory/1964-357-0x0000000006937000-0x0000000006938000-memory.dmp

Filesize
4KB

Download
memory/1964-359-0x0000000006939000-0x000000000693A000-memory.dmp

Filesize
4KB

Download
memory/1964-360-0x000000000693A000-0x000000000693F000-memory.dmp

Filesize
20KB

Download
memory/1964-362-0x0000000008660000-0x0000000008B5E000-memory.dmp

Filesize
5.0MB

Download
memory/2240-174-0x000000000AF60000-0x000000000AF61000-memory.dmp

Filesize
4KB

Download
memory/2240-158-0x0000000009D60000-0x0000000009D61000-memory.dmp

Filesize
4KB

Download
memory/2240-151-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2240-155-0x00000000097C0000-0x00000000097C1000-memory.dmp

Filesize
4KB

Download
memory/2240-156-0x00000000096E0000-0x00000000096E1000-memory.dmp

Filesize
4KB

Download
memory/2240-143-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/2240-142-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/2240-141-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/2240-144-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/2240-149-0x0000000008A20000-0x0000000008A21000-memory.dmp

Filesize
4KB

Download
memory/2240-140-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2240-184-0x0000000007223000-0x0000000007224000-memory.dmp

Filesize
4KB

Download
memory/2240-139-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/2240-148-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download
memory/2240-138-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2240-147-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/2240-146-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/2240-137-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2240-145-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/2240-211-0x000000000A5C0000-0x000000000A5C1000-memory.dmp

Filesize
4KB

Download
memory/2240-164-0x000000000A8E0000-0x000000000A8E1000-memory.dmp

Filesize
4KB

Download
memory/2240-136-0x0000000000000000-mapping.dmp

Download
memory/2240-157-0x0000000009750000-0x0000000009751000-memory.dmp

Filesize
4KB

Download
memory/2312-123-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2312-122-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2312-121-0x0000000000000000-mapping.dmp

Download
memory/2324-120-0x0000000000000000-mapping.dmp

Download
memory/2636-214-0x0000000000000000-mapping.dmp

Download
memory/2636-332-0x00000000074F3000-0x00000000074F4000-memory.dmp

Filesize
4KB

Download
memory/2636-247-0x00000000074F2000-0x00000000074F3000-memory.dmp

Filesize
4KB

Download
memory/2636-232-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2636-231-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2636-333-0x00000000074F4000-0x00000000074F6000-memory.dmp

Filesize
8KB

Download
memory/2636-246-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/2644-116-0x00000226007F0000-0x00000226007F2000-memory.dmp

Filesize
8KB

Download
memory/2644-117-0x00000226007F0000-0x00000226007F2000-memory.dmp

Filesize
8KB

Download