plugx | b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Size

4.0MB
MD5

083f54e1891baeb8783adc6ee775fc41
SHA1

9f7b44476da46086e38f89f4eb2b9900629082a4
SHA256

b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1
SHA512

4c0ab2a86af49ed0fd129095962e11baa9fa9a9e0276473832be6c47bb8918c5c39a2f228a06e6f7d2aaa8d791c75645102ee5674ba44a9e3b9dc079c936d8ab
SSDEEP

98304:Zwa9JkoXTaSRr+aV1uHIx5gjSTBvq+TYIMV3hMAo:Zr9UY5g0v0g

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1996-159-0x0000000002720000-0x0000000003720000-memory.dmp	family_plugx
behavioral2/memory/1780-165-0x0000000001600000-0x0000000002600000-memory.dmp	family_plugx
behavioral2/memory/4344-167-0x0000000001720000-0x0000000002720000-memory.dmp	family_plugx
behavioral2/memory/1536-170-0x0000000000B20000-0x0000000001B20000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

MSIF587.tmpbdreinit.exebdreinit.exe

pid process

3024 MSIF587.tmp
1996 bdreinit.exe
1780 bdreinit.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exebdreinit.exebdreinit.exe

pid process

4284 MsiExec.exe
4468 MsiExec.exe
4468 MsiExec.exe
4468 MsiExec.exe
4468 MsiExec.exe
4468 MsiExec.exe
4468 MsiExec.exe
1996 bdreinit.exe
1780 bdreinit.exe

pid	process
3024	MSIF587.tmp
1996	bdreinit.exe
1780	bdreinit.exe

pid	process
4284	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
1996	bdreinit.exe
1780	bdreinit.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\Y:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\Q:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\X:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\V:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\H:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\T:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\S:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\K:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\R:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\I:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
File opened (read-only)	\??\M:	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe

Drops file in Program Files directory 10 IoCs

Processes:

msiexec.exebdreinit.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\Microsoft\log.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\BitDefender\Handler\log.dat	bdreinit.exe
File created	C:\Program Files (x86)\BitDefender\Handler\log.dll	bdreinit.exe
File created	C:\Program Files (x86)\BitDefender\Handler\log.dat	bdreinit.exe
File opened for modification	C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe	bdreinit.exe
File created	C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe	bdreinit.exe
File created	C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Office\Microsoft\log.dat	msiexec.exe
File opened for modification	C:\Program Files (x86)\BitDefender\Handler	bdreinit.exe
File opened for modification	C:\Program Files (x86)\BitDefender\Handler\log.dll	bdreinit.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIF209.tmp	msiexec.exe
File created	C:\Windows\Installer\e56ef0b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF11C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CADD28DF-723D-4BD4-AAFC-FAE439BAE647}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF342.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF382.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56ef08.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF44E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF587.tmp	msiexec.exe
File created	C:\Windows\Installer\e56ef08.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 25 IoCs

Processes:

msiexec.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9A63D6CDA60BAB248B02E4255D3A74C1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD82DDACD3274DB4AACFAF4E93AB6E74\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\ProductName = "Microsoft"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\PackageCode = "C3DCF6D77E9A82E4884CC7833DE2C026"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 43004500450037004200420036004300310036003300370034003200380036000000	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD82DDACD3274DB4AACFAF4E93AB6E74	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\KET.FAST	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9A63D6CDA60BAB248B02E4255D3A74C1\FD82DDACD3274DB4AACFAF4E93AB6E74	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD82DDACD3274DB4AACFAF4E93AB6E74\SourceList\PackageName = "Microsoft.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSIF587.tmpsvchost.exeuserinit.exe

pid	process
4272	msiexec.exe
4272	msiexec.exe
3024	MSIF587.tmp
3024	MSIF587.tmp
4344	svchost.exe
4344	svchost.exe
4344	svchost.exe
4344	svchost.exe
4344	svchost.exe
4344	svchost.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
4344	svchost.exe
4344	svchost.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
4344	svchost.exe
4344	svchost.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
4344	svchost.exe
4344	svchost.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
4344	svchost.exe
4344	svchost.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe
1536	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeuserinit.exe

pid process

4344 svchost.exe
1536 userinit.exe

pid	process
4344	svchost.exe
1536	userinit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeb55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe

description	pid	process
Token: SeSecurityPrivilege	4272	msiexec.exe
Token: SeCreateTokenPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeAssignPrimaryTokenPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeLockMemoryPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeIncreaseQuotaPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeMachineAccountPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeTcbPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSecurityPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeTakeOwnershipPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeLoadDriverPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSystemProfilePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSystemtimePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeProfSingleProcessPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeIncBasePriorityPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreatePagefilePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreatePermanentPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeBackupPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeRestorePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeShutdownPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeDebugPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeAuditPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSystemEnvironmentPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeChangeNotifyPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeRemoteShutdownPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeUndockPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSyncAgentPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeEnableDelegationPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeManageVolumePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeImpersonatePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreateGlobalPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreateTokenPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeAssignPrimaryTokenPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeLockMemoryPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeIncreaseQuotaPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeMachineAccountPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeTcbPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSecurityPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeTakeOwnershipPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeLoadDriverPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSystemProfilePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSystemtimePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeProfSingleProcessPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeIncBasePriorityPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreatePagefilePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreatePermanentPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeBackupPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeRestorePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeShutdownPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeDebugPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeAuditPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSystemEnvironmentPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeChangeNotifyPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeRemoteShutdownPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeUndockPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeSyncAgentPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeEnableDelegationPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeManageVolumePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeImpersonatePrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreateGlobalPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeCreateTokenPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeAssignPrimaryTokenPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeLockMemoryPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeIncreaseQuotaPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
Token: SeMachineAccountPrivilege	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exemsiexec.exe

pid process

3292 b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
4264 msiexec.exe
4264 msiexec.exe

pid	process
3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
4264	msiexec.exe
4264	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

msiexec.exeb55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exebdreinit.exesvchost.exe

description	pid	process	target process
PID 4272 wrote to memory of 4284	4272	msiexec.exe	MsiExec.exe
PID 4272 wrote to memory of 4284	4272	msiexec.exe	MsiExec.exe
PID 4272 wrote to memory of 4284	4272	msiexec.exe	MsiExec.exe
PID 3292 wrote to memory of 4264	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe	msiexec.exe
PID 3292 wrote to memory of 4264	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe	msiexec.exe
PID 3292 wrote to memory of 4264	3292	b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe	msiexec.exe
PID 4272 wrote to memory of 2912	4272	msiexec.exe	srtasks.exe
PID 4272 wrote to memory of 2912	4272	msiexec.exe	srtasks.exe
PID 4272 wrote to memory of 4468	4272	msiexec.exe	MsiExec.exe
PID 4272 wrote to memory of 4468	4272	msiexec.exe	MsiExec.exe
PID 4272 wrote to memory of 4468	4272	msiexec.exe	MsiExec.exe
PID 4272 wrote to memory of 3024	4272	msiexec.exe	MSIF587.tmp
PID 4272 wrote to memory of 3024	4272	msiexec.exe	MSIF587.tmp
PID 4272 wrote to memory of 3024	4272	msiexec.exe	MSIF587.tmp
PID 1780 wrote to memory of 4344	1780	bdreinit.exe	svchost.exe
PID 1780 wrote to memory of 4344	1780	bdreinit.exe	svchost.exe
PID 1780 wrote to memory of 4344	1780	bdreinit.exe	svchost.exe
PID 1780 wrote to memory of 4344	1780	bdreinit.exe	svchost.exe
PID 1780 wrote to memory of 4344	1780	bdreinit.exe	svchost.exe
PID 1780 wrote to memory of 4344	1780	bdreinit.exe	svchost.exe
PID 1780 wrote to memory of 4344	1780	bdreinit.exe	svchost.exe
PID 4344 wrote to memory of 1536	4344	svchost.exe	userinit.exe
PID 4344 wrote to memory of 1536	4344	svchost.exe	userinit.exe
PID 4344 wrote to memory of 1536	4344	svchost.exe	userinit.exe
PID 4344 wrote to memory of 1536	4344	svchost.exe	userinit.exe
PID 4344 wrote to memory of 1536	4344	svchost.exe	userinit.exe
PID 4344 wrote to memory of 1536	4344	svchost.exe	userinit.exe
PID 4344 wrote to memory of 1536	4344	svchost.exe	userinit.exe

C:\Users\Admin\AppData\Local\Temp\b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe
"C:\Users\Admin\AppData\Local\Temp\b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\Microsoft.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1662828276 "
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 062CF82D5C6491C5875E7F30EA0526A6 C
2⤵
- Loads dropped DLL
PID:4284

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2912

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2E87ABFD187139FBBCA02EB669E5FDC4
2⤵
- Loads dropped DLL
PID:4468

C:\Windows\Installer\MSIF587.tmp
"C:\Windows\Installer\MSIF587.tmp" "C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1852

C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe
"C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1996

C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe
"C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe" 600 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 601 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\userinit.exe
C:\Windows\system32\userinit.exe 609 4344
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe
Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe
Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\Program Files (x86)\BitDefender\Handler\log.dat
Filesize
199KB

MD5
4d46b087b62183d86c53bf05ce4e2c8d

SHA1
174bd3886bd598f621eb758f469f69e85532f5c0

SHA256
49686cbde9535055fa48a0742bbe765f9d6ec1104e7efa8f71d1894f2d7d7873

SHA512
cf87b40dd69306285adff88de6050c1d456c34b2056e8f98ca7cf046459b6839afe67f4b13e25e5162ab311f1033a004b7e1bdc2955a10e8490eaef0f882a117

Download Submit
C:\Program Files (x86)\BitDefender\Handler\log.dll
Filesize
139KB

MD5
c55b6938f885c07d627c15165c21390a

SHA1
9d2e460fd11791e78eb7fbc1357c973493293572

SHA256
f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

SHA512
9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

Download Submit
C:\Program Files (x86)\BitDefender\Handler\log.dll
Filesize
139KB

MD5
c55b6938f885c07d627c15165c21390a

SHA1
9d2e460fd11791e78eb7fbc1357c973493293572

SHA256
f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

SHA512
9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe
Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe
Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
C:\Program Files (x86)\Microsoft Office\Microsoft\log.dat
Filesize
199KB

MD5
4d46b087b62183d86c53bf05ce4e2c8d

SHA1
174bd3886bd598f621eb758f469f69e85532f5c0

SHA256
49686cbde9535055fa48a0742bbe765f9d6ec1104e7efa8f71d1894f2d7d7873

SHA512
cf87b40dd69306285adff88de6050c1d456c34b2056e8f98ca7cf046459b6839afe67f4b13e25e5162ab311f1033a004b7e1bdc2955a10e8490eaef0f882a117

Download Submit
C:\Program Files (x86)\Microsoft Office\Microsoft\log.dll
Filesize
139KB

MD5
c55b6938f885c07d627c15165c21390a

SHA1
9d2e460fd11791e78eb7fbc1357c973493293572

SHA256
f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

SHA512
9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Microsoft\log.dll
Filesize
139KB

MD5
c55b6938f885c07d627c15165c21390a

SHA1
9d2e460fd11791e78eb7fbc1357c973493293572

SHA256
f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

SHA512
9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8487.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8487.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.msi
Filesize
1.5MB

MD5
df26d42194e934122c73559987f3ab84

SHA1
c526f8e1f8f4b22c0b62f76af448c63a7e5f2073

SHA256
eec36f5b2d28bb8076648f96899def8e297347322dd7d13368234680eaaee01d

SHA512
e62bd5773649251dfaa4870b2e5f6ebff6e69dd18ac4ecdeb296d0826b02b4a76d878037ea183a2653044afe5b807cee15c9fd1d7032bb6e75e761609e8f30b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft1.cab
Filesize
351KB

MD5
a66bc9849ba7d090a983e1aa64275e9a

SHA1
86f35c1a29cde722c2c822c46e4c4eac0b360f4a

SHA256
1b1a6809886af74850a817d23854ada702af6e6f094ac477049faa46c317d9cc

SHA512
e1a5f7b65bbca6a6eba9bcfaa278882961e3d0ad3b03a18a6fdda91558372d9a902d6ebe2f203d5b1174145eb84b3b5ebfe9fc78bb1d081f34d72b9b03993f90

Download Submit
C:\Windows\Installer\MSIEFC4.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIEFC4.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIF11C.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIF11C.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIF1BA.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIF1BA.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIF209.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIF209.tmp
Filesize
377KB

MD5
316ed83688978925aa47a0c4d5662d2c

SHA1
96aaa52977cbd62ba865b35f9730c7c2861e5c2b

SHA256
da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

SHA512
14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

Download Submit
C:\Windows\Installer\MSIF382.tmp
Filesize
529KB

MD5
aab600da7532150b6fd984f3c6e6d781

SHA1
30c95ec5f80d8595221c9f37c0f172ea2ce7b917

SHA256
c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

SHA512
70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

Download Submit
C:\Windows\Installer\MSIF382.tmp
Filesize
529KB

MD5
aab600da7532150b6fd984f3c6e6d781

SHA1
30c95ec5f80d8595221c9f37c0f172ea2ce7b917

SHA256
c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

SHA512
70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

Download Submit
C:\Windows\Installer\MSIF44E.tmp
Filesize
529KB

MD5
aab600da7532150b6fd984f3c6e6d781

SHA1
30c95ec5f80d8595221c9f37c0f172ea2ce7b917

SHA256
c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

SHA512
70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

Download Submit
C:\Windows\Installer\MSIF44E.tmp
Filesize
529KB

MD5
aab600da7532150b6fd984f3c6e6d781

SHA1
30c95ec5f80d8595221c9f37c0f172ea2ce7b917

SHA256
c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

SHA512
70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

Download Submit
C:\Windows\Installer\MSIF587.tmp
Filesize
401KB

MD5
8c7085c86a4b14296f6e76525f20c828

SHA1
6113087876f86c9247bc4080c08ce1ae578d9a99

SHA256
beeaa8bfc97d87c1739611a88d3f4fa9a561cecbc5379309543dd850cc3f956c

SHA512
97dcbe469ec14114b90c0c52c289af173c6078b8aad3f9bb78c212278f1980d2750ce8bfba6b1ac0aaf72aa956f4c0be0c471ffbc7e811d4affa5896d36367e0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
983fca9748d2f2d5640ee0923cdd0876

SHA1
2ce99e0d0d8232d4c0c6402a7cfcdc6b0251acc4

SHA256
f8deb8ce002dc48da7484030f9f8ee1aa197b1ca3e9dbac15580f020f554a479

SHA512
713c9395edfc4ba5c08a1ddb6dbc2a553fcef937cae8260dd5addabc494e29d09f104880c30c688e5bbdeb423102457e9fbbcaebab564c32c83d6e534ce0601d

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{89e994d7-481c-4347-85b8-685c21a54088}_OnDiskSnapshotProp
Filesize
5KB

MD5
8fbb7a136c146ad0860867443685521c

SHA1
2c368b13e3b20aa4f550ee8e3bddc24c9b374f4f

SHA256
0cc05c51c23cc9f92e9ebd890e7df0df101e940e6c83f91ce371036fea3db443

SHA512
709aa0ed664eb7e2cbf27820b820fa3fd024642454d6a2c4fd17072fb5d199eb7d4bb15dede5c682e7b0b260a8eb2afe53b7b23fa432f9044317bfd6bf2b5358

Download Submit
memory/1536-170-0x0000000000B20000-0x0000000001B20000-memory.dmp

Filesize
16.0MB

Download
memory/1536-169-0x0000000000000000-mapping.dmp

Download
memory/1780-165-0x0000000001600000-0x0000000002600000-memory.dmp

Filesize
16.0MB

Download
memory/1996-168-0x0000000000B40000-0x0000000000B72000-memory.dmp

Filesize
200KB

Download
memory/1996-159-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/2912-137-0x0000000000000000-mapping.dmp

Download
memory/3024-152-0x0000000000000000-mapping.dmp

Download
memory/4264-135-0x0000000000000000-mapping.dmp

Download
memory/4284-132-0x0000000000000000-mapping.dmp

Download
memory/4344-167-0x0000000001720000-0x0000000002720000-memory.dmp

Filesize
16.0MB

Download
memory/4344-166-0x0000000000000000-mapping.dmp

Download
memory/4468-138-0x0000000000000000-mapping.dmp

Download