e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2023 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winrar-611br.msi
Size

4.5MB
MD5

68ba045e1427d63d03660ef2d88584d0
SHA1

a3e9bd9adddf1aaaaff03cd69a7128e6fc774977
SHA256

e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898
SHA512

d677806a4c4ed419995b0ead65db4081c3e4b002e400fafb8d042d6695e7e17cc476a0ccc8df9c1caed164254ba2536c73891f89f6f9f57aea7a5421a6d964e8
SSDEEP

98304:MYGKdAHTgvV1OsKnG5vgzfTVkdRTpRjbrvC7gEjT7A3:i81OsKG6zfTVkddpdTCRj

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

40 3744 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Hw2pedir.exe

pid process

3976 Hw2pedir.exe
Loads dropped DLL 8 IoCs

Processes:

MsiExec.exeHw2pedir.exe

pid process

1656 MsiExec.exe
1656 MsiExec.exe
1656 MsiExec.exe
1656 MsiExec.exe
1656 MsiExec.exe
3976 Hw2pedir.exe
3976 Hw2pedir.exe
3976 Hw2pedir.exe

flow	pid	process
40	3744	powershell.exe

pid	process
3976	Hw2pedir.exe

pid	process
1656	MsiExec.exe
1656	MsiExec.exe
1656	MsiExec.exe
1656	MsiExec.exe
1656	MsiExec.exe
3976	Hw2pedir.exe
3976	Hw2pedir.exe
3976	Hw2pedir.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fa9c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI686.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D4BC40EB-CE6B-4E7E-8C9A-599259C9F613}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BF.tmp	msiexec.exe
File created	C:\Windows\Installer\e57fa9f.msi	msiexec.exe
File created	C:\Windows\Installer\e57fa9c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000206f4107d723b55a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000206f41070000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900206f4107000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51\BE04CB4DB6ECE7E4C8A99529959C6F31	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BE04CB4DB6ECE7E4C8A99529959C6F31\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\ProductName = "Winrar"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\PackageCode = "94EDD224D2A9E134DBED2B44DF521151"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\PackageName = "winrar-611br.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BE04CB4DB6ECE7E4C8A99529959C6F31	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Language = "1046"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BE04CB4DB6ECE7E4C8A99529959C6F31\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exepowershell.exe

pid process

4812 msiexec.exe
4812 msiexec.exe
3744 powershell.exe
3744 powershell.exe

pid	process
4812	msiexec.exe
4812	msiexec.exe
3744	powershell.exe
3744	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3824	msiexec.exe
Token: SeSecurityPrivilege	4812	msiexec.exe
Token: SeCreateTokenPrivilege	3824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3824	msiexec.exe
Token: SeLockMemoryPrivilege	3824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3824	msiexec.exe
Token: SeMachineAccountPrivilege	3824	msiexec.exe
Token: SeTcbPrivilege	3824	msiexec.exe
Token: SeSecurityPrivilege	3824	msiexec.exe
Token: SeTakeOwnershipPrivilege	3824	msiexec.exe
Token: SeLoadDriverPrivilege	3824	msiexec.exe
Token: SeSystemProfilePrivilege	3824	msiexec.exe
Token: SeSystemtimePrivilege	3824	msiexec.exe
Token: SeProfSingleProcessPrivilege	3824	msiexec.exe
Token: SeIncBasePriorityPrivilege	3824	msiexec.exe
Token: SeCreatePagefilePrivilege	3824	msiexec.exe
Token: SeCreatePermanentPrivilege	3824	msiexec.exe
Token: SeBackupPrivilege	3824	msiexec.exe
Token: SeRestorePrivilege	3824	msiexec.exe
Token: SeShutdownPrivilege	3824	msiexec.exe
Token: SeDebugPrivilege	3824	msiexec.exe
Token: SeAuditPrivilege	3824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3824	msiexec.exe
Token: SeChangeNotifyPrivilege	3824	msiexec.exe
Token: SeRemoteShutdownPrivilege	3824	msiexec.exe
Token: SeUndockPrivilege	3824	msiexec.exe
Token: SeSyncAgentPrivilege	3824	msiexec.exe
Token: SeEnableDelegationPrivilege	3824	msiexec.exe
Token: SeManageVolumePrivilege	3824	msiexec.exe
Token: SeImpersonatePrivilege	3824	msiexec.exe
Token: SeCreateGlobalPrivilege	3824	msiexec.exe
Token: SeBackupPrivilege	2660	vssvc.exe
Token: SeRestorePrivilege	2660	vssvc.exe
Token: SeAuditPrivilege	2660	vssvc.exe
Token: SeBackupPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe
Token: SeTakeOwnershipPrivilege	4812	msiexec.exe
Token: SeRestorePrivilege	4812	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exepowershell.exe

pid process

3824 msiexec.exe
3744 powershell.exe
3744 powershell.exe
3744 powershell.exe
3744 powershell.exe

pid	process
3824	msiexec.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exeMsiExec.exepowershell.exe

description	pid	process	target process
PID 4812 wrote to memory of 2220	4812	msiexec.exe	srtasks.exe
PID 4812 wrote to memory of 2220	4812	msiexec.exe	srtasks.exe
PID 4812 wrote to memory of 1656	4812	msiexec.exe	MsiExec.exe
PID 4812 wrote to memory of 1656	4812	msiexec.exe	MsiExec.exe
PID 4812 wrote to memory of 1656	4812	msiexec.exe	MsiExec.exe
PID 1656 wrote to memory of 3744	1656	MsiExec.exe	powershell.exe
PID 1656 wrote to memory of 3744	1656	MsiExec.exe	powershell.exe
PID 1656 wrote to memory of 3744	1656	MsiExec.exe	powershell.exe
PID 3744 wrote to memory of 3976	3744	powershell.exe	Hw2pedir.exe
PID 3744 wrote to memory of 3976	3744	powershell.exe	Hw2pedir.exe
PID 3744 wrote to memory of 3976	3744	powershell.exe	Hw2pedir.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\winrar-611br.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C685590E1BB059FD0EFDB3284075750C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssADB.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiAC9.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrACA.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrACB.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\ego\ora\Hw2pedir.exe
      "C:\ego\ora\Hw2pedir.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3976
  - - C:\Users\Public\Documents\AnyDesk\winrar.exe
      "C:\Users\Public\Documents\AnyDesk\winrar.exe"
      4⤵
      PID:4064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2340
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:17410 /prefetch:2
  2⤵
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57fa9e.rbs

Filesize
256KB

MD5
6157bf6b9a0da69e3ad7f7e3ecd3085f

SHA1
27c47ae56ae57df3a3b0fa7d26f0aab6358d375d

SHA256
f46708773e29c0dfeeec2621b5324a5a9d9723c0efdb971e253846e4f9cc9f3d

SHA512
f0e40ed7badee15c8cb28d37251bf575fe007e2a26c049bf845838bc0bbf1b1832de43d68f4caf634380a7a60669c711b193937eccf8b33ebe9232ac3146618d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqiexppb.dlo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssADB.ps1

Filesize
5KB

MD5
fc1bb6c87fd1f08b534e52546561c53c

SHA1
db402c5c1025cf8d3e79df7b868fd186243aa9d1

SHA256
a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b

SHA512
5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrACA.ps1

Filesize
17KB

MD5
d815da347cf3c1a260840649beb56ff7

SHA1
4da95ffed10e7369b685a390fe4e99a6a1e1f416

SHA256
d6f001aeb36cdb8e6bbcb0d35ffe55c86ad5f942f9d0d15a089706801fdad931

SHA512
ca2cd68cf615db854c7ccc6cc5c84da4a8b5f6913229c856fc343ba3e7af8563b0afcd29e9d14ca75eb4cf833102a2ea8b802629f284819bfb2630a82d61b170

Download Submit
C:\Users\Public\Documents\AnyDesk\winrar.exe

Filesize
2.6MB

MD5
bc865ad9d926848caaecc51799d93379

SHA1
acebdcb3d020f45033d911764a1a79954f6fc700

SHA256
420c8c91b170a918d4d1c1a36e777ea661e1bbc2185117880f5a0e11defa0192

SHA512
37f499ad08d3d28295f6007d6441bf2b193536d1fd7ced951b05cbe32514dba93a91d305099d95ae546972ac11398976174be67b2bc2cfc7f8673aa767d65f6c

Download Submit
C:\Users\Public\Documents\AnyDesk\winrar.exe

Filesize
2.2MB

MD5
86c37f041ec1f23d4e1c462e54b27111

SHA1
1824e6064ceb450caf5b5d29916383286281fc18

SHA256
340d813d357c7ae60c5a2c2e7e37408ded0752b085226c11bde7a70704ac1bd5

SHA512
b20bd4c2c0b4dba4cd8c23fb4dc590af0a61828835def929335716ffccfa4c220450b8e0cbf7c0eeb722b668d9fa2c6cda53301b2839b7531a0e0574c074d856

Download Submit
C:\Windows\Installer\MSI4CE.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI4CE.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI5F8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI5F8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI5F8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI686.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI686.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA51.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
C:\Windows\Installer\MSIA51.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
C:\Windows\Installer\MSIFBD5.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIFBD5.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\e57fa9c.msi

Filesize
320KB

MD5
49472983adad9b1a410386f593423377

SHA1
6dac9475ead9155b67bf2e405a2d10bc4b9b4122

SHA256
1a6fbb3aaf0360b05c727ea5c3b77a2352738c090be968639f2b6fbad8713bf6

SHA512
c8d15acc3231ff492d73e500f7b461c2cd5e76227da769becc838b38e82d156a3fc8230b5116fba567871422ae0d8c9620cca1f422c57733591336a1e6d621dc

Download Submit
C:\ego\ora\Hw2pedir.exe

Filesize
15.1MB

MD5
a88098f4d2d7866410b428572a3c113e

SHA1
a8b6f921b2c0b08b1d5f0766e9d03c4932bd0155

SHA256
1c04e379b31b6edd40354af97aeb9046863ae15e3ddac18022836f15db07f421

SHA512
c07beeffd780d8d91e79e73997f163fc571ad30e8e7b1e5247f6ada4437621e794b3fc0301061fda7589b1a97ea885b95111e3dbf67f6b2a5aeea84f63d81ff5

Download Submit
C:\ego\ora\Hw2pedir.exe

Filesize
13.9MB

MD5
b276516c0f1bec33aa80ed57cebf68c0

SHA1
9ef3b036ecaaeaf6caffed43f3b660e77c0c4dfe

SHA256
388583cd4981dd4312313b3507a19a42858a90aec7415ba131f90cbd616362e3

SHA512
52c59e6e7528e4ca2452ef428a13e824d5c6eaca0f39b7025a0eb4942c314c94bf407186948268fe2b83fcecfd6a12cb2f731317ad1dacdbecafe4ebdcccd17e

Download Submit
C:\ego\ora\Hw2pedir.exe

Filesize
14.0MB

MD5
405265a53460593c8577d5f4af7da4ea

SHA1
23f6ad04ab0f329dc89ea559fa50568fddd4e84f

SHA256
f0c7d65a6ffe08eb74e84f1a64902e85ac631beb0c715178799f8ce03e4bab6a

SHA512
1158489aca6cecb1184eb183b53c1452fb63b8212ce77f57129df23c0ef25c33b1276cad66d44a7111a1032a8f98831189e15f22425734addf36997b549df5c3

Download Submit
C:\ego\ora\LIBEAY32.DLL

Filesize
3.6MB

MD5
ec72186e5f06b5e990d9157b403441a5

SHA1
21f42648538bfd91074eb187a35b360470e806cb

SHA256
6b45a83471ac4b58f597d27245034c58d259601b0b2808d405471ca74670bd17

SHA512
9fa4c85bc1d3dfc4ae077807799e0abd66505228badb9f2e7a2dea561c7d3c138c49f2b6c834c273ace707d302ecfe86868cfb8bc258ff20f4eb76eb2a881268

Download Submit
C:\ego\ora\PROFILE.DLL

Filesize
241KB

MD5
24aae6bcc99f29b0b4e1db6ea1e8e902

SHA1
ef6eb3f8fea180b36252fd85d8ab0d6842d0f32d

SHA256
199498a70290ba14947f8fbde13840499f07e63d9b3b79ced03928fca9c009b9

SHA512
51f3ccefcf0f562c502fbf789f40e21b4ecd99599fd857841938f7e2d6529f2640360f0e7947441b2aed7e611905b03fe9cac246a874d54bf545acdfa4ce24d8

Download Submit
C:\ego\ora\Update.zip

Filesize
39.9MB

MD5
d85ebc217256e950e3716580b8e9932a

SHA1
4f6824b366e7804f85162746a4cddf3c37a6e390

SHA256
171310a4360a1340366b6be1a303a3ab628b24786c9eb2627e60e1953df4b000

SHA512
fed8381bf6cd8da99208b80456c9b3ce25af0951beb7bce4a641d66e3267fef6f569654dc9443f72b2304ec6ce6f71056bf67180567d9d3eea55359fd17ba9f2

Download Submit
C:\ego\ora\libeay32.dll

Filesize
3.6MB

MD5
ec72186e5f06b5e990d9157b403441a5

SHA1
21f42648538bfd91074eb187a35b360470e806cb

SHA256
6b45a83471ac4b58f597d27245034c58d259601b0b2808d405471ca74670bd17

SHA512
9fa4c85bc1d3dfc4ae077807799e0abd66505228badb9f2e7a2dea561c7d3c138c49f2b6c834c273ace707d302ecfe86868cfb8bc258ff20f4eb76eb2a881268

Download Submit
C:\ego\ora\libeay32.dll

Filesize
3.6MB

MD5
ec72186e5f06b5e990d9157b403441a5

SHA1
21f42648538bfd91074eb187a35b360470e806cb

SHA256
6b45a83471ac4b58f597d27245034c58d259601b0b2808d405471ca74670bd17

SHA512
9fa4c85bc1d3dfc4ae077807799e0abd66505228badb9f2e7a2dea561c7d3c138c49f2b6c834c273ace707d302ecfe86868cfb8bc258ff20f4eb76eb2a881268

Download Submit
C:\ego\ora\profile.dll

Filesize
241KB

MD5
24aae6bcc99f29b0b4e1db6ea1e8e902

SHA1
ef6eb3f8fea180b36252fd85d8ab0d6842d0f32d

SHA256
199498a70290ba14947f8fbde13840499f07e63d9b3b79ced03928fca9c009b9

SHA512
51f3ccefcf0f562c502fbf789f40e21b4ecd99599fd857841938f7e2d6529f2640360f0e7947441b2aed7e611905b03fe9cac246a874d54bf545acdfa4ce24d8

Download Submit
C:\ego\ora\windowsdump

Filesize
7.2MB

MD5
09aa571318616c7c1ad56a66e171e32b

SHA1
24bd10b5fa1c70363923f77a67254a6fdc52309b

SHA256
030c41bcfe623ec6f9017701c667e981802640b96de2f8e48147b7ada1c4f34b

SHA512
9190220d58fa9eb73c695fb2de50915dc4aa317b9d94dbeea4f0bff49115e47c1bf00da288819f4b6a6ffa57a22aaa4f0fbf45bd84e4684980355d636937d42a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
69c1875ff2ae8485ef75678e1121bb4c

SHA1
3b47e4c0efffe855ae2528a3f15415b20e4be148

SHA256
2d56777aaa088856411171260e09bb7b46e06574369e83ef3d7ef16dd49f05b1

SHA512
711f82a11a81610de1a75519f27901c1f5f1b80b5bd430961b407dff9a1e7e8f3a90f79f2d69dbc8077c6e381541cd2dc8439d672e20f2fd8e889e263a6ae653

Download Submit
\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4e3dcab5-64cb-47df-8d5c-8b5e6492cb3f}_OnDiskSnapshotProp

Filesize
5KB

MD5
392355c071cc778bb99143dec2e0b5cf

SHA1
9d62e926d643bf16ab3747d7e8f09ee7e344ebda

SHA256
2a7aa09fcc4c0b8e8d39c8695b1590dc1bb2e9acdfa961e3620dcd4f5ff3a00f

SHA512
9d421ad693c106aacf6e28630a46f0bd9a30022ff1904b5742012d03a3d448cea0f9cabc38228ab65032b5887fdc18a14dc4fa956c3b47317be233d632ee820c

Download Submit
memory/3744-176-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3744-185-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/3744-203-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3744-201-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3744-197-0x0000000008270000-0x0000000008814000-memory.dmp

Filesize
5.6MB

Download
memory/3744-196-0x0000000007470000-0x0000000007492000-memory.dmp

Filesize
136KB

Download
memory/3744-195-0x0000000007570000-0x0000000007606000-memory.dmp

Filesize
600KB

Download
memory/3744-194-0x00000000069E0000-0x00000000069FA000-memory.dmp

Filesize
104KB

Download
memory/3744-193-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/3744-192-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3744-190-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/3744-202-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3744-174-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/3744-175-0x00000000056E0000-0x0000000005D08000-memory.dmp

Filesize
6.2MB

Download
memory/3744-177-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3744-178-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/3744-179-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/3976-292-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

Filesize
4KB

Download
memory/3976-290-0x0000000001820000-0x00000000022FC000-memory.dmp

Filesize
10.9MB

Download
memory/3976-289-0x0000000001820000-0x00000000022FC000-memory.dmp

Filesize
10.9MB

Download
memory/3976-288-0x0000000001820000-0x00000000022FC000-memory.dmp

Filesize
10.9MB

Download
memory/3976-287-0x0000000001820000-0x00000000022FC000-memory.dmp

Filesize
10.9MB

Download