a28965dccdc1105cd4f40fb73875fb83a0a53141d9fc65fc348d3acdbf3afffb

Analysis

max time kernel
102s
max time network
694s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13-05-2022 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WS25_0_7_0_ENU.exe
Size

657.1MB
MD5

8b4dec978afa8a1cabf3c7a429ad1654
SHA1

84142670153b59e341830da322a49010ed3f652d
SHA256

a28965dccdc1105cd4f40fb73875fb83a0a53141d9fc65fc348d3acdbf3afffb
SHA512

efde88b6de72ec7a6ccbbc83d34c8e0bfa330265b1101e49e612f7fdb43a8872ba6128d7e9b5c5ee95497483b16f6ba0049d634bdeaf846f24885751b5b6ae45

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 9 IoCs

Processes:

WS25_0_7_0_ENU.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeSetup.exeUPSInit.exe

pid	process
4072	WS25_0_7_0_ENU.exe
4284	ISBEW64.exe
2044	ISBEW64.exe
1412	ISBEW64.exe
2036	ISBEW64.exe
4492	ISBEW64.exe
4876	ISBEW64.exe
3560	Setup.exe
2644	UPSInit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WS25_0_7_0_ENU.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WS25_0_7_0_ENU.exe

Loads dropped DLL 8 IoCs

Processes:

WS25_0_7_0_ENU.exeSetup.exe

pid	process
4072	WS25_0_7_0_ENU.exe
4072	WS25_0_7_0_ENU.exe
4072	WS25_0_7_0_ENU.exe
4072	WS25_0_7_0_ENU.exe
4072	WS25_0_7_0_ENU.exe
4072	WS25_0_7_0_ENU.exe
3560	Setup.exe
3560	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\PIC RunOnce = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\launch.exe\" \"C:\\Users\\Public\\UPS\\WSTD\\INSTALLATION_25_0_7_0\\Setup.exe\" \"/PIC\" "	Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Drops file in Windows directory 1 IoCs

Processes:

WS25_0_7_0_ENU.exe

description ioc process

File opened for modification C:\Windows\ADinstall.ini WS25_0_7_0_ENU.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1308 4084 WerFault.exe

description	ioc	process
File opened for modification	C:\Windows\ADinstall.ini	WS25_0_7_0_ENU.exe

pid	pid_target	process	target process
1308	4084	WerFault.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "82"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exe

pid process

3560 Setup.exe
3560 Setup.exe
3560 Setup.exe
3560 Setup.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Setup.exe

description pid process

Token: SeShutdownPrivilege 3560 Setup.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WS25_0_7_0_ENU.exe

pid process

4072 WS25_0_7_0_ENU.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Setup.exeLogonUI.exe

pid process

3560 Setup.exe
2752 LogonUI.exe

pid	process
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe

description	pid	process
Token: SeShutdownPrivilege	3560	Setup.exe

pid	process
3560	Setup.exe
2752	LogonUI.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WS25_0_7_0_ENU.exeWS25_0_7_0_ENU.exeSetup.exe

description	pid	process	target process
PID 4500 wrote to memory of 4072	4500	WS25_0_7_0_ENU.exe	WS25_0_7_0_ENU.exe
PID 4500 wrote to memory of 4072	4500	WS25_0_7_0_ENU.exe	WS25_0_7_0_ENU.exe
PID 4500 wrote to memory of 4072	4500	WS25_0_7_0_ENU.exe	WS25_0_7_0_ENU.exe
PID 4072 wrote to memory of 4284	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 4284	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 2044	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 2044	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 1412	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 1412	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 2036	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 2036	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 4492	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 4492	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 4876	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 4876	4072	WS25_0_7_0_ENU.exe	ISBEW64.exe
PID 4072 wrote to memory of 3560	4072	WS25_0_7_0_ENU.exe	Setup.exe
PID 4072 wrote to memory of 3560	4072	WS25_0_7_0_ENU.exe	Setup.exe
PID 4072 wrote to memory of 3560	4072	WS25_0_7_0_ENU.exe	Setup.exe
PID 3560 wrote to memory of 2644	3560	Setup.exe	UPSInit.exe
PID 3560 wrote to memory of 2644	3560	Setup.exe	UPSInit.exe
PID 3560 wrote to memory of 2644	3560	Setup.exe	UPSInit.exe

C:\Users\Admin\AppData\Local\Temp\WS25_0_7_0_ENU.exe
"C:\Users\Admin\AppData\Local\Temp\WS25_0_7_0_ENU.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\WS25_0_7_0_ENU.exe
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\WS25_0_7_0_ENU.exe -package:"C:\Users\Admin\AppData\Local\Temp\WS25_0_7_0_ENU.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\WS25_0_7_0_ENU.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C85FFCA-A687-4E7A-88BA-E78948E37254}
3⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{88A522DD-EF34-4C12-8595-1654270A65FF}
3⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{27684FBE-AECB-4C0E-AE00-43418F17D1C9}
3⤵
- Executes dropped EXE
PID:1412

C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B8E7336-5634-4D73-9182-270B038353FD}
3⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C1CD274-334E-4832-9783-5E052B80E86D}
3⤵
- Executes dropped EXE
PID:4492

C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2993352F-982F-4607-8319-47B234D49695}
3⤵
- Executes dropped EXE
PID:4876

C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\Setup.exe
"C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\Setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\PIC\UPSInit.exe
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\PIC\UPSInit.exe
4⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4084 -ip 4084
1⤵
PID:4368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4084 -s 2088
1⤵
- Program crash
PID:1308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\{D48E40B7-E952-42BA-B266-031CF645D0FE}\_isres_0x0409.dll
Filesize
1.8MB

MD5
5018e0cebcb7c62c9112016b03db6bf9

SHA1
23154a8aff147e25bb5ba1f23f647f90d546f942

SHA256
14f71f99d340a6d2dff8e5b7a5c7b7231761e9ac04a861863d3b7d9b9e377cce

SHA512
5579743b7c963e07d11ce715941073bc7d8dc6919421de3de56b3fd45e4605c75ad4514d0dd5f20bc27e574938366c692911b33ac8f5c48ced408e5cfe5b9020

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\{D48E40B7-E952-42BA-B266-031CF645D0FE}\_isres_0x0409.dll
Filesize
1.8MB

MD5
5018e0cebcb7c62c9112016b03db6bf9

SHA1
23154a8aff147e25bb5ba1f23f647f90d546f942

SHA256
14f71f99d340a6d2dff8e5b7a5c7b7231761e9ac04a861863d3b7d9b9e377cce

SHA512
5579743b7c963e07d11ce715941073bc7d8dc6919421de3de56b3fd45e4605c75ad4514d0dd5f20bc27e574938366c692911b33ac8f5c48ced408e5cfe5b9020

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\{D48E40B7-E952-42BA-B266-031CF645D0FE}\_isuser_0x0409.dll
Filesize
12KB

MD5
da1c8b833ea575cb1794b8058e854ad7

SHA1
d8c36f185bbe7ccd4861ed3abcf2cce2e2773137

SHA256
f90d1863ac274772c0543302786b28d64ed95c7f925229441a1def4ff0c4302e

SHA512
1957e1c958f4b5d816a4190bd5a39e1e9ca849040eab696dec8b9cabe8fa0839d2bb19dee1556ff7ab46434f5f3b6b6a92994d515efe7d38820989d8b37bf82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\{D48E40B7-E952-42BA-B266-031CF645D0FE}\_isuser_0x0409.dll
Filesize
12KB

MD5
da1c8b833ea575cb1794b8058e854ad7

SHA1
d8c36f185bbe7ccd4861ed3abcf2cce2e2773137

SHA256
f90d1863ac274772c0543302786b28d64ed95c7f925229441a1def4ff0c4302e

SHA512
1957e1c958f4b5d816a4190bd5a39e1e9ca849040eab696dec8b9cabe8fa0839d2bb19dee1556ff7ab46434f5f3b6b6a92994d515efe7d38820989d8b37bf82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8AFF33E9-9DA0-4CC4-B2D6-AC1BEEF60264}\{D48E40B7-E952-42BA-B266-031CF645D0FE}\isrt.dll
Filesize
426KB

MD5
f5749e8fc6419afdb27283ccc57f25af

SHA1
abe645b76d05b831e86e94abe870883618c8c6c6

SHA256
ed05b093f2264f166b5c9305141dbdfc320668c34f5d164aa68879a58c0e7c43

SHA512
6b7844e16748c2a0ea01c1b3841ddc09f0abc408003ef681807580834359f609443ca6d3b2df7d4e580d22ad7deabc63d01e169cae271c4ea9ad5445fb3a1208

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\0x0409.ini
Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\ISSetup.dll
Filesize
1.6MB

MD5
855df2fa564d3dce1067f0663ab9fade

SHA1
25caee59b4b61817fdb3b2cfabc4ad513cf710b2

SHA256
d385c91e453f6678070ed0f61de0d412ca3896f77b140fa557f12d649f215016

SHA512
24794f6280c3798420ce8a335cb5cf8183468715b3d7e1c8233f2c124ca18287d57a5ea1a334f4be440fc1793f3f6fb089b3745728e1184891c6f1ff0f7bdf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\data1.cab
Filesize
1.0MB

MD5
7dda298031a0e4f03f12b81667221da6

SHA1
c9e7915afa78d70010d1ddee2c0726e0d964823a

SHA256
264c470acedff272bd268ddd7e4610cfbfda1b82227d72f42ed412af9fccba17

SHA512
f9097a95d8c417dd47ac1d0c11f79605e691dff7ce41b93c1f7be135ef6d6ce9fb1a28dd95e6a13c8399e2eda61da7e9a8ae04d38c4585751ed7b9434affb704

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\data1.hdr
Filesize
79KB

MD5
67aa2495148084990f8429a5921de7f1

SHA1
d9165160bf2d65d0534e2477ef5e2584249164ec

SHA256
f6a70afb7a84818fcb9840f99ffc49066ebd07d56a4167b5051821f9de182758

SHA512
71ab2ced44e32d67cd2fcb9db79cd53b697f70b83f0445515c9262b64b8177b04d8b592e442c45aa5971be36c785d9bc5e727d7ce4d850cb899310432837a8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\layout.bin
Filesize
522B

MD5
2131937a7ae63d014ebf21d547374368

SHA1
7962d88ea6e52dae4b30a73a2b4806dc72e0ddf3

SHA256
d0abb5d9513334e2360c26249bcc5138626ef229af16eb8fc46223de6412c77f

SHA512
58e891b6e2520d7e5e27a95e1126d821e77099b1e50d83679360c5fe2a8e72c0c18e868933558f51b5c4d8301c228daa3b368edaad928659b18ba13848219ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\Disk1\setup.ini
Filesize
2KB

MD5
fdd286742a2f516b3f69600808db3e38

SHA1
46f118c1fde752db8b463a5ce39b3013caccf05a

SHA256
43cb87b64bd662be9d978a7514b43d6ea13f4b6ac51b5c03dd648b6b21c8af91

SHA512
1201b28ce02c491d3e9243daa281920026bdfd2e510852a6d387bbd11e5a687f1cc5c058e9376390154da5138066285ba7640914780f9e660131be6aa4fb57ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\ISSetup.dll
Filesize
1.6MB

MD5
855df2fa564d3dce1067f0663ab9fade

SHA1
25caee59b4b61817fdb3b2cfabc4ad513cf710b2

SHA256
d385c91e453f6678070ed0f61de0d412ca3896f77b140fa557f12d649f215016

SHA512
24794f6280c3798420ce8a335cb5cf8183468715b3d7e1c8233f2c124ca18287d57a5ea1a334f4be440fc1793f3f6fb089b3745728e1184891c6f1ff0f7bdf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\WS25_0_7_0_ENU.exe
Filesize
921KB

MD5
8e48f565203af7fa214edef0ad3d2bbd

SHA1
300d6233b4378cfdf43d323d9684dc3851514136

SHA256
9bb10632eb064967765bf01ca28e428965e73143758a8e3feae3c32612739f66

SHA512
3103a8b0711987ce42584f5d191480e0d8f704d73dff20261a884e37ce0eea05c03ed83cd70724e5f97932749c6141f2a5adebab30a0b2843d40800ba75e7ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\WS25_0_7_0_ENU.exe
Filesize
921KB

MD5
8e48f565203af7fa214edef0ad3d2bbd

SHA1
300d6233b4378cfdf43d323d9684dc3851514136

SHA256
9bb10632eb064967765bf01ca28e428965e73143758a8e3feae3c32612739f66

SHA512
3103a8b0711987ce42584f5d191480e0d8f704d73dff20261a884e37ce0eea05c03ed83cd70724e5f97932749c6141f2a5adebab30a0b2843d40800ba75e7ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AB47CDF5-1FA8-4BBB-9286-68864F9A2934}\setup.ini
Filesize
2KB

MD5
fdd286742a2f516b3f69600808db3e38

SHA1
46f118c1fde752db8b463a5ce39b3013caccf05a

SHA256
43cb87b64bd662be9d978a7514b43d6ea13f4b6ac51b5c03dd648b6b21c8af91

SHA512
1201b28ce02c491d3e9243daa281920026bdfd2e510852a6d387bbd11e5a687f1cc5c058e9376390154da5138066285ba7640914780f9e660131be6aa4fb57ec

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\IM\InstallManager.exe
Filesize
1.7MB

MD5
5da41bc6a003346a00c8b70067353bad

SHA1
b4a95f53a2e80232a5260a9a3081a1c990de6664

SHA256
26c7c5f981983a888b3ef95adeb7c63e08d3ca244e32c3c835d351b4a94bca3b

SHA512
2fae3a0af1d8397c512039a73428232e30c4f93de3d242838955ce9874e742c08658f77dc824482e2f199009fdc25f946b1a53640e9bab229b922ace67229f85

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\IM\Profile.ini
Filesize
523B

MD5
b3c024e2558e15df12d51ea32e357fd7

SHA1
2db936381e04afa19f790a20dfd5204fbe442925

SHA256
0e58f70038ef938c57a3802eb2cf07d20b2ad744b0b44ecde2110552ef962fd5

SHA512
ef045d56fe2edc13b4cbccb194e876d1ec65ace0c31a45291c03d66e955646830d286e66b341f31adb640cf68f10eff22b238fa7e139de3fe660c9509713a0ef

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\IM\Resources\launch.exe
Filesize
295KB

MD5
e26731c6cf9d43a762ab4b8644b32621

SHA1
f483817229ef7adc3b09d24f1a5a65c584733b3e

SHA256
733a19a5c7b1152635480983c6148750ccbd41e770c27b7a571388e50aa150b2

SHA512
a85f660dbdca8af7411a517150cd8d94dbde5924c52dd640ba1194497f0c4475dc98dde607e7ae6338eb8658c647f74d2a84cab017d667cdcc49d31749781dea

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\PIC\PIC_ENU.dll
Filesize
49KB

MD5
742a0cc7f1026a617b36697cc0dc552e

SHA1
ce0c0771f1ce30eb42f80c00196a96f93019694c

SHA256
d484301ac95cb68c4f5a064314c09640102f3e3bb4944a9355b25f4d43bb865c

SHA512
b102ed7b1eedb9ea9f4dcb31c44bd81e793a33cbdea8f760df6a22861f6c2b26ff6b5f16f7477288ec01e741bb88f9b75e623b5c9a2e85f0895c1f91cb54a4cd

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\PIC\PIC_ENU.dll
Filesize
49KB

MD5
742a0cc7f1026a617b36697cc0dc552e

SHA1
ce0c0771f1ce30eb42f80c00196a96f93019694c

SHA256
d484301ac95cb68c4f5a064314c09640102f3e3bb4944a9355b25f4d43bb865c

SHA512
b102ed7b1eedb9ea9f4dcb31c44bd81e793a33cbdea8f760df6a22861f6c2b26ff6b5f16f7477288ec01e741bb88f9b75e623b5c9a2e85f0895c1f91cb54a4cd

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\PIC\PIC_ENU.dll
Filesize
49KB

MD5
742a0cc7f1026a617b36697cc0dc552e

SHA1
ce0c0771f1ce30eb42f80c00196a96f93019694c

SHA256
d484301ac95cb68c4f5a064314c09640102f3e3bb4944a9355b25f4d43bb865c

SHA512
b102ed7b1eedb9ea9f4dcb31c44bd81e793a33cbdea8f760df6a22861f6c2b26ff6b5f16f7477288ec01e741bb88f9b75e623b5c9a2e85f0895c1f91cb54a4cd

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\PIC\UPSInit.exe
Filesize
3.2MB

MD5
a8cf79a64d7d9a97466f64d5069410fc

SHA1
d1ebeac0fd23bdaa43924fe7dfe21661a3c41e35

SHA256
4825a01a8807beeba3a35f3da55b94b336c6e1570a74aa1f5d2767fd624d3d6e

SHA512
af4eff48fe7fdf9d0ba476789269499b4708613e4b24ca75455fa50f7f6852689b122970abc8036b5258c359b3fe2372e8e4dc7b57c5c278fe774bac825b9381

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\PIF\PIC\UPSInit.exe
Filesize
3.2MB

MD5
a8cf79a64d7d9a97466f64d5069410fc

SHA1
d1ebeac0fd23bdaa43924fe7dfe21661a3c41e35

SHA256
4825a01a8807beeba3a35f3da55b94b336c6e1570a74aa1f5d2767fd624d3d6e

SHA512
af4eff48fe7fdf9d0ba476789269499b4708613e4b24ca75455fa50f7f6852689b122970abc8036b5258c359b3fe2372e8e4dc7b57c5c278fe774bac825b9381

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\Setup.exe
Filesize
3.4MB

MD5
d82debbe2f00bfad651f1deee4d525d4

SHA1
4dd844a41e7287394b044df068a96dfaa8fd6c08

SHA256
88c5e12581359f25c9292302b7b4a851bc9930f8f7404a18947bcefbb4b84aa5

SHA512
7470cd6bc8f8e8e43e9dba893377d7783149f49332d668651dbaa6397892cce00c8e56d7535904e39ba811f52e37f8413b1e001954a1a43a867fd43736463f6f

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\Setup.exe
Filesize
3.4MB

MD5
d82debbe2f00bfad651f1deee4d525d4

SHA1
4dd844a41e7287394b044df068a96dfaa8fd6c08

SHA256
88c5e12581359f25c9292302b7b4a851bc9930f8f7404a18947bcefbb4b84aa5

SHA512
7470cd6bc8f8e8e43e9dba893377d7783149f49332d668651dbaa6397892cce00c8e56d7535904e39ba811f52e37f8413b1e001954a1a43a867fd43736463f6f

Download Submit
C:\Users\Public\UPS\WSTD\INSTALLATION_25_0_7_0\settings.ini
Filesize
606B

MD5
1f17dc280801e729a8b7e9569f9bda9e

SHA1
d66fe9b78cfdf2b8e04331d146e30fc90d75cf94

SHA256
a03967f1a39b54599f479a249c2e140664932c457495e4edff600e20dd84e1e8

SHA512
335b14900df6d53f9ea426c8b516a5d0bce8cdaba75aeee962b137fe922c283c0241cef3e0669e9d9570930daa4ee5b807969644c2143d47843b7f15ebecb9ee

Download Submit
memory/1412-155-0x0000000000000000-mapping.dmp

Download
memory/2036-157-0x0000000000000000-mapping.dmp

Download
memory/2044-153-0x0000000000000000-mapping.dmp

Download
memory/2644-171-0x0000000000000000-mapping.dmp

Download
memory/3560-163-0x0000000000000000-mapping.dmp

Download
memory/4072-133-0x0000000000000000-mapping.dmp

Download
memory/4072-175-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4072-147-0x00000000059C0000-0x0000000005B87000-memory.dmp

Filesize
1.8MB

Download
memory/4284-150-0x0000000000000000-mapping.dmp

Download
memory/4492-159-0x0000000000000000-mapping.dmp

Download
memory/4876-161-0x0000000000000000-mapping.dmp

Download