c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9

Analysis

max time kernel
88s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9.exe
Size

10.8MB
MD5

debc9361d18c8bce117b9060a4069ffe
SHA1

31de536b2ce7f89f8eb03050f09e47bcc815bc05
SHA256

c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9
SHA512

471213db7b22dccfc34336896cefa360f7d799f91c654b150753b1299e76d0a019d0445ef48038586ec1299032523748bbb7d500852eaf322c7462ac04f34e73
SSDEEP

196608:Mi9Hdu5iiOXneiEQcqNahpneiEQcqNahC39pR:M2dqiiOXtJcqNah9tJcqNah29j

Score

6^/10

persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\T:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\Z:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\N:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\R:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\O:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\P:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\Q:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\J:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\V:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\U:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	CargoWiseOneRemoteDesktopServicesSetup.exe
File opened (read-only)	\??\Y:	CargoWiseOneRemoteDesktopServicesSetup.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Enterprise.RemoteDesktopServices.Client.x64.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\CargoWise.Interop.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Outlook.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\CargoWiseRDPLoad.exe	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\CargoWise.Cryptoki.Common.ClientServerApi.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\CargoWise.ApplicationManager.Common.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Enterprise.RemoteDesktopServices.Shared.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Enterprise.URLHandler.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Enterprise.URLHandler.Integration.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Enterprise.ZArchitecture.GUI.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Pkcs11Interop.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\ApplicationIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Service.exe.config	msiexec.exe
File created	C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Common.dll	msiexec.exe
File created	C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Service.exe	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\Enterprise.RemoteDesktopServices.Client.dll	msiexec.exe
File created	C:\Program Files\WiseTech Global\CargoWise One Remote Desktop Services\CargoWise.Shared.40.dll	msiexec.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC630.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB45.tmp	msiexec.exe
File created	C:\Windows\Installer\e581292.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{C36D65B8-6F9D-4B3E-B5FA-C8944F88C09C}\EnterpriseIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e58128e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC35F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	MSIC544.tmp
File created	C:\Windows\Installer\SourceHash{C36D65B8-6F9D-4B3E-B5FA-C8944F88C09C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1567.tmp	msiexec.exe
File created	C:\Windows\Installer\e58128d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC2A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC544.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC610.tmp	msiexec.exe
File created	C:\Windows\Installer\{8992C6A1-918F-4A87-B5C2-5C33606A2797}\ApplicationIcon.exe	msiexec.exe
File created	C:\Windows\Installer\{C36D65B8-6F9D-4B3E-B5FA-C8944F88C09C}\EnterpriseIcon	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	MSIC544.tmp
File opened for modification	C:\Windows\Installer\MSIC7E7.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8992C6A1-918F-4A87-B5C2-5C33606A2797}	msiexec.exe
File opened for modification	C:\Windows\Installer\e581289.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC95F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA89.tmp	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	msiexec.exe
File opened for modification	C:\Windows\Installer\{8992C6A1-918F-4A87-B5C2-5C33606A2797}\ApplicationIcon.exe	msiexec.exe
File created	C:\Windows\Installer\e581289.msi	msiexec.exe
File created	C:\Windows\Installer\e58128e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC310.tmp	msiexec.exe
File created	C:\Windows\assembly\tmp\JKLGN07Y\Enterprise.RemoteDesktopServices.Shared.XmlSerializers.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC197.tmp	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
2316	CargoWiseOneRemoteDesktopServicesSetup.exe
4608	CargoWise.ApplicationManager.Service.exe
2644	MSIC35F.tmp
1244	MSIC544.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1708	sc.exe

Loads dropped DLL 13 IoCs

pid	Process
1916	MsiExec.exe
1916	MsiExec.exe
4608	CargoWise.ApplicationManager.Service.exe
4608	CargoWise.ApplicationManager.Service.exe
2888	MsiExec.exe
1464	MsiExec.exe
1464	MsiExec.exe
1464	MsiExec.exe
1464	MsiExec.exe
1464	MsiExec.exe
1464	MsiExec.exe
1464	MsiExec.exe
1464	MsiExec.exe

Registers COM server for autorun 1 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0\CodeBase = "file:///C:\\Program Files\\WiseTech Global\\CargoWise One Remote Desktop Services\\Enterprise.RemoteDesktopServices.Client.x64.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0\Class = "Enterprise.RemoteDesktopServices.Client.WtsPlugin64"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\Class = "Enterprise.RemoteDesktopServices.Client.WtsPlugin64"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\ = "mscoree.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0\Assembly = "Enterprise.RemoteDesktopServices.Client.x64, Version=2.0.0.0, Culture=neutral, PublicKeyToken=4f570df270576350"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\CodeBase = "file:///C:\\Program Files\\WiseTech Global\\CargoWise One Remote Desktop Services\\Enterprise.RemoteDesktopServices.Client.x64.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\Assembly = "Enterprise.RemoteDesktopServices.Client.x64, Version=2.0.0.0, Culture=neutral, PublicKeyToken=4f570df270576350"	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	CargoWise.ApplicationManager.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	CargoWise.ApplicationManager.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	CargoWise.ApplicationManager.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	CargoWise.ApplicationManager.Service.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	CargoWise.ApplicationManager.Service.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EdiEnterprise.edient\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\edient\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\ = "mscoree.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\WiseTech Global\\CargoWise One Remote Desktop Services\\prerequisites\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\edient	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\EdiEnterprise.edient\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\EdiEnterprise.edient\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EdiEnterprise.edient\shell\open\command\ = "\"C:\\Program Files\\WiseTech Global\\CargoWise One Remote Desktop Services\\CargoWiseRDPLoad.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0\Assembly = "Enterprise.RemoteDesktopServices.Client.x64, Version=2.0.0.0, Culture=neutral, PublicKeyToken=4f570df270576350"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Enterprise.RemoteDesktopServices.Shared.XmlSerializers,Version="2.0.0.0",Culture="neutral",PublicKeyToken="4f570df270576350",ProcessorArchitecture="MSIL" = 570074004500360054007100560028007a003f002b006e003100530034005d00550046005900580046006500610074007500720065003e003d002c0068004c00330043007200790048003900240037002a005b0057004d00640079002900340000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\ProductName = "CargoWise One Application Manager"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\Version = "67829763"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\edient\shell\open\command\ = "\"C:\\Program Files\\WiseTech Global\\CargoWise One Remote Desktop Services\\CargoWiseRDPLoad.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\edient\FriendlyTypeName = "EdiEnterprise Hyperlink"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EdiEnterprise.edient\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Enterprise.RemoteDesktopServices.Client.WtsPlugin64\ = "Enterprise.RemoteDesktopServices.Client.WtsPlugin64"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\edient\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\Assembly = "Enterprise.RemoteDesktopServices.Client.x64, Version=2.0.0.0, Culture=neutral, PublicKeyToken=4f570df270576350"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A6C2998F81978A45B2CC53306A67279	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A6C2998F81978A45B2CC53306A67279\AI64BitFiles	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\ProductName = "CargoWise One Remote Desktop Services"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\PackageCode = "BCFFF4EA990D5CD4E9A6BE49504D424E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\edient\DefaultIcon\ = "\"C:\\Program Files\\WiseTech Global\\CargoWise One Remote Desktop Services\\CargoWiseRDPLoad.exe\",0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\WiseTech Global\\CargoWise One Remote Desktop Services\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\WiseTech Global\\CargoWise One Remote Desktop Services\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\28717CB4C5A912C4C9AE7CDF801B5607\1A6C2998F81978A45B2CC53306A67279	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\SourceList\PackageName = "CargoWiseOneRemoteDesktopServicesSetup.x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\SourceList\PackageName = "CargoWiseOneAppManagerSetup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\WiseTech Global\\CargoWise One Remote Desktop Services\\prerequisites\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\EdiEnterprise.edient	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EdiEnterprise.edient\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\Class = "Enterprise.RemoteDesktopServices.Client.WtsPlugin64"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Enterprise.RemoteDesktopServices.Client.WtsPlugin64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A6C2998F81978A45B2CC53306A67279\PackageCode = "C429B7C2FDBBB404B8F3220BE1CE83DC"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7FDF92EAC29C5004B9686F1089CC0899	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\InprocServer32\2.0.0.0\Class = "Enterprise.RemoteDesktopServices.Client.WtsPlugin64"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{CBB01CCE-49F1-480B-8893-0271789AAD7D}\ProgId	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	CargoWiseOneRemoteDesktopServicesSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B56D63CD9F6E3B45BAF8C49F4880CC9\ProductIcon = "C:\\Windows\\Installer\\{C36D65B8-6F9D-4B3E-B5FA-C8944F88C09C}\\EnterpriseIcon"	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	CargoWiseOneRemoteDesktopServicesSetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	CargoWiseOneRemoteDesktopServicesSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CargoWiseOneRemoteDesktopServicesSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CargoWiseOneRemoteDesktopServicesSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CargoWiseOneRemoteDesktopServicesSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CargoWiseOneRemoteDesktopServicesSetup.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5000	msiexec.exe
5000	msiexec.exe
2644	MSIC35F.tmp
2644	MSIC35F.tmp
2644	MSIC35F.tmp
5000	msiexec.exe
5000	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5000	msiexec.exe
Token: SeCreateTokenPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeLockMemoryPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeIncreaseQuotaPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeMachineAccountPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeTcbPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSecurityPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeTakeOwnershipPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeLoadDriverPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSystemProfilePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSystemtimePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeProfSingleProcessPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeIncBasePriorityPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreatePagefilePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreatePermanentPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeBackupPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeRestorePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeShutdownPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeDebugPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeAuditPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSystemEnvironmentPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeChangeNotifyPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeRemoteShutdownPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeUndockPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSyncAgentPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeEnableDelegationPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeManageVolumePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeImpersonatePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreateGlobalPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreateTokenPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeLockMemoryPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeIncreaseQuotaPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeMachineAccountPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeTcbPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSecurityPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeTakeOwnershipPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeLoadDriverPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSystemProfilePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSystemtimePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeProfSingleProcessPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeIncBasePriorityPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreatePagefilePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreatePermanentPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeBackupPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeRestorePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeShutdownPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeDebugPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeAuditPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSystemEnvironmentPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeChangeNotifyPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeRemoteShutdownPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeUndockPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeSyncAgentPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeEnableDelegationPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeManageVolumePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeImpersonatePrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreateGlobalPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeCreateTokenPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeLockMemoryPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeIncreaseQuotaPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe
Token: SeMachineAccountPrivilege	2316	CargoWiseOneRemoteDesktopServicesSetup.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2316	CargoWiseOneRemoteDesktopServicesSetup.exe
2316	CargoWiseOneRemoteDesktopServicesSetup.exe
1560	msiexec.exe
1560	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2316	3164	c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9.exe	81
PID 3164 wrote to memory of 2316	3164	c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9.exe	81
PID 3164 wrote to memory of 2316	3164	c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9.exe	81
PID 5000 wrote to memory of 1916	5000	msiexec.exe	88
PID 5000 wrote to memory of 1916	5000	msiexec.exe	88
PID 5000 wrote to memory of 1916	5000	msiexec.exe	88
PID 2316 wrote to memory of 3336	2316	CargoWiseOneRemoteDesktopServicesSetup.exe	90
PID 2316 wrote to memory of 3336	2316	CargoWiseOneRemoteDesktopServicesSetup.exe	90
PID 2316 wrote to memory of 3336	2316	CargoWiseOneRemoteDesktopServicesSetup.exe	90
PID 4608 wrote to memory of 1708	4608	CargoWise.ApplicationManager.Service.exe	93
PID 4608 wrote to memory of 1708	4608	CargoWise.ApplicationManager.Service.exe	93
PID 4608 wrote to memory of 1708	4608	CargoWise.ApplicationManager.Service.exe	93
PID 5000 wrote to memory of 2888	5000	msiexec.exe	97
PID 5000 wrote to memory of 2888	5000	msiexec.exe	97
PID 5000 wrote to memory of 2888	5000	msiexec.exe	97
PID 2316 wrote to memory of 1560	2316	CargoWiseOneRemoteDesktopServicesSetup.exe	98
PID 2316 wrote to memory of 1560	2316	CargoWiseOneRemoteDesktopServicesSetup.exe	98
PID 2316 wrote to memory of 1560	2316	CargoWiseOneRemoteDesktopServicesSetup.exe	98
PID 5000 wrote to memory of 2744	5000	msiexec.exe	103
PID 5000 wrote to memory of 2744	5000	msiexec.exe	103
PID 5000 wrote to memory of 1464	5000	msiexec.exe	105
PID 5000 wrote to memory of 1464	5000	msiexec.exe	105
PID 5000 wrote to memory of 1464	5000	msiexec.exe	105
PID 5000 wrote to memory of 2644	5000	msiexec.exe	106
PID 5000 wrote to memory of 2644	5000	msiexec.exe	106
PID 5000 wrote to memory of 1244	5000	msiexec.exe	107
PID 5000 wrote to memory of 1244	5000	msiexec.exe	107

C:\Users\Admin\AppData\Local\Temp\c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9.exe
"C:\Users\Admin\AppData\Local\Temp\c4bc773529cf52bb73bceb047cf34a3ab54576292e0a35458c2ee9521e0fa7d9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\ProgramData\WiseTech Global\3164\CargoWiseOneRemoteDesktopServicesSetup.exe
  "C:\ProgramData\WiseTech Global\3164\CargoWiseOneRemoteDesktopServicesSetup.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\WiseTech Global\CargoWise One Remote Desktop Services\prerequisites\CargoWiseOneAppManagerSetup.msi" /qn
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\WiseTech Global\CargoWise One Remote Desktop Services\install\CargoWiseOneRemoteDesktopServicesSetup.x64.msi" AI_SETUPEXEPATH="C:\ProgramData\WiseTech Global\3164\CargoWiseOneRemoteDesktopServicesSetup.exe" SETUPEXEDIR="C:\ProgramData\WiseTech Global\3164\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692634967 " AI_EUIMSI=""
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:1560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A45F18AB0FA8ACFE6FB4D76BB3DF5B41 C
  2⤵
  - Loads dropped DLL
  PID:1916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CA94F57DD671FABCEF2D47384D3196E C
  2⤵
  - Loads dropped DLL
  PID:2888
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2744
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56809BD3986DA4AFBAB6D45B5ED95647
  2⤵
  - Loads dropped DLL
  PID:1464
- C:\Windows\Installer\MSIC35F.tmp
  "C:\Windows\Installer\MSIC35F.tmp" 3
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Windows\Installer\MSIC544.tmp
  "C:\Windows\Installer\MSIC544.tmp"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  PID:1244

C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Service.exe
"C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Service.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" failure ediAppMgr reset= 0 actions= restart/180000/restart/180000/restart/180000
  2⤵
  - Launches sc.exe
  PID:1708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58128c.rbs

Filesize
8KB

MD5
6e46621a1762359162025b91913c3b27

SHA1
300976181ff88115e7af710b82b2c3fe335351db

SHA256
dd804a79fe8714b50f9a51b8bff6f145d2bdd97f6b0182e4d2cf38d1d5ac4cb2

SHA512
f9f404a69752e154d46e56b43423a58b1adf1d6443b8720e2c9f1b913ddc03cb0f479946d63890b82af68a5f4d90fe2842add283c94cf83fb46a7b85586d0d9c

Download Submit
C:\Config.Msi\e581291.rbs

Filesize
20KB

MD5
c99b991601cb8a3b1519d3cddd962594

SHA1
e80d572f467b46e889db61da094f68d05228c83b

SHA256
74b1400b10be3af151f38051cf50f562ba6e703e969df2f76a590abb4a14e41a

SHA512
c4d7d0776b7a38afac2688e0593e75502d8363ea43c3cc85425099ff83be2457e0ccb976844f4793b54d417cb8e4ae1df5335f109f8f490b0b220ee615c1ee36

Download Submit
C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Common.dll

Filesize
27KB

MD5
24a4b92823834671756c74215430715d

SHA1
c02fadd1e57695ad551e5a311cf7f27ccdc9b9a9

SHA256
97d4478f623c0dbc6b52a59fc2b6fade64e71b28e93b7269f9c1dec1399b5a74

SHA512
074289963f293d23e5ad52e38d63970304094e37546c384b5d694bf53fe373d8a69bf620e047ec35abbdb54233315c7994f899bcf561e3fb6df9af55c96f4d4d

Download Submit
C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Common.dll

Filesize
27KB

MD5
24a4b92823834671756c74215430715d

SHA1
c02fadd1e57695ad551e5a311cf7f27ccdc9b9a9

SHA256
97d4478f623c0dbc6b52a59fc2b6fade64e71b28e93b7269f9c1dec1399b5a74

SHA512
074289963f293d23e5ad52e38d63970304094e37546c384b5d694bf53fe373d8a69bf620e047ec35abbdb54233315c7994f899bcf561e3fb6df9af55c96f4d4d

Download Submit
C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Common.dll

Filesize
27KB

MD5
24a4b92823834671756c74215430715d

SHA1
c02fadd1e57695ad551e5a311cf7f27ccdc9b9a9

SHA256
97d4478f623c0dbc6b52a59fc2b6fade64e71b28e93b7269f9c1dec1399b5a74

SHA512
074289963f293d23e5ad52e38d63970304094e37546c384b5d694bf53fe373d8a69bf620e047ec35abbdb54233315c7994f899bcf561e3fb6df9af55c96f4d4d

Download Submit
C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Common.dll

Filesize
27KB

MD5
24a4b92823834671756c74215430715d

SHA1
c02fadd1e57695ad551e5a311cf7f27ccdc9b9a9

SHA256
97d4478f623c0dbc6b52a59fc2b6fade64e71b28e93b7269f9c1dec1399b5a74

SHA512
074289963f293d23e5ad52e38d63970304094e37546c384b5d694bf53fe373d8a69bf620e047ec35abbdb54233315c7994f899bcf561e3fb6df9af55c96f4d4d

Download Submit
C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Service.exe

Filesize
137KB

MD5
7fe98c1bf96fd94171ce91eb5090a6eb

SHA1
2ac8533dcac17b7c1d0f4888f2847f11fa06b40d

SHA256
8141e35a84559b3424df415f583f77f0ba04c5a1a0c57dd543d7b0fc21fb15d9

SHA512
6be31f3855247274747655cca4273154674ab4c64c41ee7c334a2f2156478513e1e13d4e7823e978477821c95a38cdc9110665fc7e310e3b83f52750e31c09a8

Download Submit
C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Service.exe

Filesize
137KB

MD5
7fe98c1bf96fd94171ce91eb5090a6eb

SHA1
2ac8533dcac17b7c1d0f4888f2847f11fa06b40d

SHA256
8141e35a84559b3424df415f583f77f0ba04c5a1a0c57dd543d7b0fc21fb15d9

SHA512
6be31f3855247274747655cca4273154674ab4c64c41ee7c334a2f2156478513e1e13d4e7823e978477821c95a38cdc9110665fc7e310e3b83f52750e31c09a8

Download Submit
C:\Program Files (x86)\WiseTech Global\CargoWise One Application Manager\CargoWise.ApplicationManager.Service.exe.config

Filesize
238B

MD5
4f9244c09c51af681f179ba93df0b8d0

SHA1
d8eb77d41fe3fb012016c629660123b44f53bb0c

SHA256
0b8d74951901eec03779f6ca384849c0d30682cd41b0962e8192102a05dfc275

SHA512
b48cb44e146cf1df07a11748e0446781ddc6b4ebb171f7437320976839ee5be502744e6e7bd47ee498cac8f845f68a17ab77ac77eef6edd21b1bb6354fa4a0da

Download Submit
C:\ProgramData\WiseTech Global\3164\CargoWiseOneRemoteDesktopServicesSetup.exe

Filesize
10.0MB

MD5
3b9634eebaf0dec174e644783b809992

SHA1
e6e2bf0c12e239900b52ef1032c23f7766d22032

SHA256
51286b0a03ef7e59e21963e8d50190c25ac43e322a911b70fb212d077e38f32a

SHA512
97e1c6c849e0e7557dda23ae67b15d79bd58e3cd6be0caf8667e970c9eda916b75ef9c96d0b7a46d696ceb14b71a16a5a2c642ac9162a33faa0246a2f037f71f

Download Submit
C:\ProgramData\WiseTech Global\3164\CargoWiseOneRemoteDesktopServicesSetup.exe

Filesize
10.0MB

MD5
3b9634eebaf0dec174e644783b809992

SHA1
e6e2bf0c12e239900b52ef1032c23f7766d22032

SHA256
51286b0a03ef7e59e21963e8d50190c25ac43e322a911b70fb212d077e38f32a

SHA512
97e1c6c849e0e7557dda23ae67b15d79bd58e3cd6be0caf8667e970c9eda916b75ef9c96d0b7a46d696ceb14b71a16a5a2c642ac9162a33faa0246a2f037f71f

Download Submit
C:\ProgramData\WiseTech Global\3164\CargoWiseOneRemoteDesktopServicesSetup.exe

Filesize
10.0MB

MD5
3b9634eebaf0dec174e644783b809992

SHA1
e6e2bf0c12e239900b52ef1032c23f7766d22032

SHA256
51286b0a03ef7e59e21963e8d50190c25ac43e322a911b70fb212d077e38f32a

SHA512
97e1c6c849e0e7557dda23ae67b15d79bd58e3cd6be0caf8667e970c9eda916b75ef9c96d0b7a46d696ceb14b71a16a5a2c642ac9162a33faa0246a2f037f71f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
1KB

MD5
652327094975beb08c83602b122a8722

SHA1
0f9ecddbeb956176786b6e729e552f9a4fb1e58c

SHA256
1eae1ee6f764175ebf4388d98cc6eac5f23b24b3be8685a494fa4d33441979a0

SHA512
9528004f44c541082f5205b15021ccc947b08e639e9ba194ade56018ca66b04403e2780432909416cf364590039a7d2f8424faf1fe7dcc47f5b9c8eebb8d4d38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_95047E89C356392964034697A66D6FBD

Filesize
1KB

MD5
0d04156d007f4f0e2d8b25a103b02697

SHA1
ff47dd0736dc4c9afca6ec52e8a4a0242923c7ad

SHA256
b2751f51e423a8bdc9b1373a896f404901ae51d095aa41e1b5edb7ec4f827473

SHA512
86424afbd65a0cb725c197f86df8b8d6cbe1c0d406cca5f9eb0fdb70585c0fe58037f7a6ee270bd251fd9b8568c08883c3cba510dc299785597d78ae62bcd12e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
a7bbf334e213ce42b291be1aa6887dd6

SHA1
a2162f24f7a94c7ec3ce8d784199c13c1f39f178

SHA256
0befbc73523363eaf433cba3a6d6221ac7df3eb1e740070e93ad31bceefcf403

SHA512
47bab67411f3930d62f385a274b771c31640c82f4d46ba996df343b1d7ad16bcf7521bdeabeca7075acc0e8717a61fd2c44359fadea8b0e8f291d04c84eded1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_95047E89C356392964034697A66D6FBD

Filesize
402B

MD5
f56e74aa624d8b62adb6975ce88580a1

SHA1
987ae43c7e664f1f46136aa700030f8cc593a1f7

SHA256
784d054708ec7c2f809045459c89298bac40f4e724c8a6ffaff8435b76cbd098

SHA512
7ea2d52e742cbebeb6ca848154755a96f95e26db5290f9c46fe810d2f928d491d3434d32a887355ef8d92e779717507d19dc1db6895b43c48a837211c25cb286

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI223C.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI223C.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI223C.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9EF.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9EF.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB28.tmp

Filesize
864KB

MD5
38b4d89280216a9b841eec994cd660a9

SHA1
ebc5cc58e877bd75024c3f9dfdb85f946e69d283

SHA256
d6ec6db8ccdf6aa9b8e80734c2a364c7edf1f9761330a48df0a4bdd1c6b7bb21

SHA512
e18d3c203ec0150f6b3fb4ef0e2af2562386420079270587cb7d64dfb86a7ae0bb61abe7a3f235579741e55a203e6f7f620d61c793c1afd24f4054b2d0215cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB28.tmp

Filesize
864KB

MD5
38b4d89280216a9b841eec994cd660a9

SHA1
ebc5cc58e877bd75024c3f9dfdb85f946e69d283

SHA256
d6ec6db8ccdf6aa9b8e80734c2a364c7edf1f9761330a48df0a4bdd1c6b7bb21

SHA512
e18d3c203ec0150f6b3fb4ef0e2af2562386420079270587cb7d64dfb86a7ae0bb61abe7a3f235579741e55a203e6f7f620d61c793c1afd24f4054b2d0215cc8

Download Submit
C:\Users\Admin\AppData\Roaming\WiseTech Global\CargoWise One Remote Desktop Services\install\CargoWiseOneRemoteDesktopServicesSetup.x64.msi

Filesize
3.1MB

MD5
bf0657296d0349daf9c47763fc2a1ea2

SHA1
144280ef2b4bdbb6c7fa2f66c23bdc02ceb6c0c7

SHA256
708d4e11c0bf827da73481922e5a2b12b70affa28d65a15f94757a27237b5675

SHA512
d07001a59cef6286d8befb2197ca719521bb6c4be959183f6868896721d6097eb6532e4f1cb5357f9f1e9508b2b4bdbdc1260f6e2a40d98eb08ed073b9e68d8c

Download Submit
C:\Users\Admin\AppData\Roaming\WiseTech Global\CargoWise One Remote Desktop Services\install\CargoWiseOneRemoteDesktopServicesSetup.x64.msi

Filesize
3.1MB

MD5
bf0657296d0349daf9c47763fc2a1ea2

SHA1
144280ef2b4bdbb6c7fa2f66c23bdc02ceb6c0c7

SHA256
708d4e11c0bf827da73481922e5a2b12b70affa28d65a15f94757a27237b5675

SHA512
d07001a59cef6286d8befb2197ca719521bb6c4be959183f6868896721d6097eb6532e4f1cb5357f9f1e9508b2b4bdbdc1260f6e2a40d98eb08ed073b9e68d8c

Download Submit
C:\Users\Admin\AppData\Roaming\WiseTech Global\CargoWise One Remote Desktop Services\install\CargoWiseOneRemoteDesktopServicesSetup1.cab

Filesize
493KB

MD5
85f427511c762a2b51d8e012d671771e

SHA1
b2bff652f36e1f27273c3653ca50d2f54c8f32de

SHA256
c234c1fd6390bd1a893da9a6ca3a8508234a79f92519c6256a140b4eb565c973

SHA512
6ad3fa6603a82b265e670f4c199555cb2bb6284328f37b0b4de8f60e8d64d31ebf5a9812d85361a14c401d0684aeefceadd0319b0689cc588e87f891929b8286

Download Submit
C:\Users\Admin\AppData\Roaming\WiseTech Global\CargoWise One Remote Desktop Services\prerequisites\CargoWiseOneAppManagerSetup.msi

Filesize
308KB

MD5
5d458a0ba74dd6ecd2bd640bf76c4883

SHA1
5ac01c53b6162610b27df99f83966c6bc43de0f7

SHA256
2f2697846290672c4691e8367dbf341d93b57e40a69c6268eb9e6cc207b33d8b

SHA512
6b5b5da0f6d0f5d0c3eb6636ba72a5e61668f2f14b5ca202f925707627cf8ef7c1c2c4dead3f02fc93c8b178efc4c76cb014827dbe9c9da53e64e6abe9082fa3

Download Submit
C:\Users\Admin\AppData\Roaming\WiseTech Global\CargoWise One Remote Desktop Services\prerequisites\CargoWiseOneAppManagerSetup.msi

Filesize
308KB

MD5
5d458a0ba74dd6ecd2bd640bf76c4883

SHA1
5ac01c53b6162610b27df99f83966c6bc43de0f7

SHA256
2f2697846290672c4691e8367dbf341d93b57e40a69c6268eb9e6cc207b33d8b

SHA512
6b5b5da0f6d0f5d0c3eb6636ba72a5e61668f2f14b5ca202f925707627cf8ef7c1c2c4dead3f02fc93c8b178efc4c76cb014827dbe9c9da53e64e6abe9082fa3

Download Submit
C:\Windows\Installer\MSIC197.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSIC197.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSIC2A1.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSIC2A1.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSIC310.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSIC310.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSIC35F.tmp

Filesize
16KB

MD5
3975055f39e36f21218556aa703be077

SHA1
056dc25c398ef0ce3c8ea4126d39f8325da37bcb

SHA256
cb87333e7d73da768e451de8c583b2d5fb8202a3fd32292f11dfb3162935bc49

SHA512
b1241741ad55792c19bdd540bba3846ab3b9401b63cde00082451219c81215496936cc90845de6907757875e6c1d9a39bb21d61258b121369db483a01a6625c0

Download Submit
C:\Windows\Installer\MSIC35F.tmp

Filesize
16KB

MD5
3975055f39e36f21218556aa703be077

SHA1
056dc25c398ef0ce3c8ea4126d39f8325da37bcb

SHA256
cb87333e7d73da768e451de8c583b2d5fb8202a3fd32292f11dfb3162935bc49

SHA512
b1241741ad55792c19bdd540bba3846ab3b9401b63cde00082451219c81215496936cc90845de6907757875e6c1d9a39bb21d61258b121369db483a01a6625c0

Download Submit
C:\Windows\Installer\MSIC544.tmp

Filesize
21KB

MD5
f83e89363b61a7cc054fa36baec7b5a9

SHA1
9c170cf24f3b40055c7f7b7f3aa0ae79e2f71efc

SHA256
9c965009899a46fb533f49df6dc2fbba3c20495adce5245847211b4ed48eaafe

SHA512
779826621154c4fe341d87675e626ea0bca4313b1f941a311b1215f10ef5980cb19212c14f7406e625377e1232a37b162a65126e5c3e690d9bf80225f21937ea

Download Submit
C:\Windows\Installer\MSIC544.tmp

Filesize
21KB

MD5
f83e89363b61a7cc054fa36baec7b5a9

SHA1
9c170cf24f3b40055c7f7b7f3aa0ae79e2f71efc

SHA256
9c965009899a46fb533f49df6dc2fbba3c20495adce5245847211b4ed48eaafe

SHA512
779826621154c4fe341d87675e626ea0bca4313b1f941a311b1215f10ef5980cb19212c14f7406e625377e1232a37b162a65126e5c3e690d9bf80225f21937ea

Download Submit
C:\Windows\Installer\MSIC610.tmp

Filesize
864KB

MD5
38b4d89280216a9b841eec994cd660a9

SHA1
ebc5cc58e877bd75024c3f9dfdb85f946e69d283

SHA256
d6ec6db8ccdf6aa9b8e80734c2a364c7edf1f9761330a48df0a4bdd1c6b7bb21

SHA512
e18d3c203ec0150f6b3fb4ef0e2af2562386420079270587cb7d64dfb86a7ae0bb61abe7a3f235579741e55a203e6f7f620d61c793c1afd24f4054b2d0215cc8

Download Submit
C:\Windows\Installer\MSIC610.tmp

Filesize
864KB

MD5
38b4d89280216a9b841eec994cd660a9

SHA1
ebc5cc58e877bd75024c3f9dfdb85f946e69d283

SHA256
d6ec6db8ccdf6aa9b8e80734c2a364c7edf1f9761330a48df0a4bdd1c6b7bb21

SHA512
e18d3c203ec0150f6b3fb4ef0e2af2562386420079270587cb7d64dfb86a7ae0bb61abe7a3f235579741e55a203e6f7f620d61c793c1afd24f4054b2d0215cc8

Download Submit
C:\Windows\Installer\MSIC630.tmp

Filesize
572KB

MD5
234335fa2173787410b2a059890ddddd

SHA1
93ffd4b0f63982c9b617aa9c9de133999012041f

SHA256
76c742c96e888d49e0838fa8de284b7e8687e777699e62093918ece2d183a15f

SHA512
4bf945b018c2aada4758ce54c2900823fa5edebaee89147ef527cf61e6caa7f5ccf3d0f5a83e22f2827db50161063bd45fe1cbc58f146cc322a545782212d636

Download Submit
C:\Windows\Installer\MSIC630.tmp

Filesize
572KB

MD5
234335fa2173787410b2a059890ddddd

SHA1
93ffd4b0f63982c9b617aa9c9de133999012041f

SHA256
76c742c96e888d49e0838fa8de284b7e8687e777699e62093918ece2d183a15f

SHA512
4bf945b018c2aada4758ce54c2900823fa5edebaee89147ef527cf61e6caa7f5ccf3d0f5a83e22f2827db50161063bd45fe1cbc58f146cc322a545782212d636

Download Submit
C:\Windows\Installer\MSIC7E7.tmp

Filesize
572KB

MD5
234335fa2173787410b2a059890ddddd

SHA1
93ffd4b0f63982c9b617aa9c9de133999012041f

SHA256
76c742c96e888d49e0838fa8de284b7e8687e777699e62093918ece2d183a15f

SHA512
4bf945b018c2aada4758ce54c2900823fa5edebaee89147ef527cf61e6caa7f5ccf3d0f5a83e22f2827db50161063bd45fe1cbc58f146cc322a545782212d636

Download Submit
C:\Windows\Installer\MSIC7E7.tmp

Filesize
572KB

MD5
234335fa2173787410b2a059890ddddd

SHA1
93ffd4b0f63982c9b617aa9c9de133999012041f

SHA256
76c742c96e888d49e0838fa8de284b7e8687e777699e62093918ece2d183a15f

SHA512
4bf945b018c2aada4758ce54c2900823fa5edebaee89147ef527cf61e6caa7f5ccf3d0f5a83e22f2827db50161063bd45fe1cbc58f146cc322a545782212d636

Download Submit
C:\Windows\Installer\MSIC95F.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSIC95F.tmp

Filesize
393KB

MD5
85b69b55118ffc36f03b4db94f4ddc3d

SHA1
f7239136ce15776f76e6567a7a361ed8272a1096

SHA256
e9e32cb36c162ef4527c725adf76857439c26d1a5653a484ce4547b36471bb8e

SHA512
bff8496048d727830a3e73dea7bf0819e443bfea3b35256af04222434694f98dcfcdfec837c5dde6f6ae2c2c0c51372d15139e8b172888764d3a951d98c4dfce

Download Submit
C:\Windows\Installer\MSICB45.tmp

Filesize
683KB

MD5
c3c45774a64d4d8add4bbe732d3f2b7e

SHA1
2c6368eb6de027ef6bab7427a4fe86dff40de7ac

SHA256
053ddbd7ffd7ea6344746dc9234644bc5b782973bf8df41a499a467af6f4e55f

SHA512
80be3075c6d7b9b5a69be6619cbc13ecf609e987800a6b5a6459f1f4950f68c5d866c10525182060fdc896a776f69b1395f54a3f01d5afe2c8d3828b7a4b7928

Download Submit
C:\Windows\Installer\MSICB45.tmp

Filesize
683KB

MD5
c3c45774a64d4d8add4bbe732d3f2b7e

SHA1
2c6368eb6de027ef6bab7427a4fe86dff40de7ac

SHA256
053ddbd7ffd7ea6344746dc9234644bc5b782973bf8df41a499a467af6f4e55f

SHA512
80be3075c6d7b9b5a69be6619cbc13ecf609e987800a6b5a6459f1f4950f68c5d866c10525182060fdc896a776f69b1395f54a3f01d5afe2c8d3828b7a4b7928

Download Submit
C:\Windows\Installer\{8992C6A1-918F-4A87-B5C2-5C33606A2797}\ApplicationIcon.exe

Filesize
104KB

MD5
72f01545d84da0fc027aefc46a4ddac4

SHA1
4d4c8a210acbabd9844c0a9848222da2fed9a295

SHA256
44443f4fa17eceb7e20ecdf642402b91d2433397cf4bb1fbbf556cb62756c0e7

SHA512
259c18d3a3c6edde7c173714a312e00ca90652858f1439ee7846e6bc0eba7cc10e006d497a81f086fc9e4cb1774771b7428fc46cbd36ded51996e1556c79c886

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
155KB

MD5
2b0cf439225169517e7c9b525a2bc876

SHA1
a4a130f97f9aab4b83240f727f01c04357e4d836

SHA256
c673675a4d0ac559c4547324948940a491926a2dcbb090ff6944b03d0e79a374

SHA512
6f235e7ddb64b69e10949fdb61b2e5bf926b9758acbe24f46dd20bce44424e5d7f4c9ef9f5151a08d6459c7591ac4ba6243d99ff8fe28a9aa555f5024b8f2b20

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
36687fc2093831e807cc86ccc5c292e6

SHA1
9678ccadd39fd33ec01a6453e1e556c046453f8e

SHA256
b12fc8141df41e355f89ea6c4553af21ae2a0fc9df7f71556f03ff89d5ce9b95

SHA512
81a8391050cc74ec45c63e402b4645fc6c7c2aa390706e48730d0ed9592db6f157c627e8be0d8a6a9ad1c7aff0a40df177b7338b40bc41b8b357a32cfa822916

Download Submit
\??\Volume{dca10565-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c95ce4b6-f69f-4b98-844f-0dcabc5ed6fc}_OnDiskSnapshotProp

Filesize
5KB

MD5
0775fe105d543310b2ecf5221d09be92

SHA1
0ba3a9d201e7ef3a609747876620edbc4feb3e0c

SHA256
86b1b335a2fa791ada8b65cdf52bcf7da3517e707238d2a9b81f78a7a215d5b7

SHA512
e7b562d38e6b3b606470730b623c80d0538721a130d97957948c945b6376e5acb90b91a5eaabcd3dc3fefae370fe2f8b98b69849e89ea1eec0a71d782709683f

Download Submit
memory/1244-279-0x00007FFAF77A0000-0x00007FFAF8261000-memory.dmp

Filesize
10.8MB

Download
memory/1244-181-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1244-186-0x00007FFAF77A0000-0x00007FFAF8261000-memory.dmp

Filesize
10.8MB

Download
memory/2644-176-0x00007FFAF77A0000-0x00007FFAF8261000-memory.dmp

Filesize
10.8MB

Download
memory/2644-174-0x00007FFAF77A0000-0x00007FFAF8261000-memory.dmp

Filesize
10.8MB

Download
memory/2644-173-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

Filesize
32KB

Download
memory/3164-1-0x00007FFAF77A0000-0x00007FFAF8261000-memory.dmp

Filesize
10.8MB

Download
memory/3164-43-0x00007FFAF77A0000-0x00007FFAF8261000-memory.dmp

Filesize
10.8MB

Download
memory/3164-276-0x00007FFAF77A0000-0x00007FFAF8261000-memory.dmp

Filesize
10.8MB

Download
memory/3164-86-0x0000028AC85E0000-0x0000028AC85F0000-memory.dmp

Filesize
64KB

Download
memory/3164-18-0x0000028AC85E0000-0x0000028AC85F0000-memory.dmp

Filesize
64KB

Download
memory/3164-5-0x0000028AAFC60000-0x0000028AAFC6C000-memory.dmp

Filesize
48KB

Download
memory/3164-2-0x0000028AC85E0000-0x0000028AC85F0000-memory.dmp

Filesize
64KB

Download
memory/3164-0-0x0000028AAD480000-0x0000028AADF4E000-memory.dmp

Filesize
10.8MB

Download
memory/3164-99-0x0000028AC85E0000-0x0000028AC85F0000-memory.dmp

Filesize
64KB

Download
memory/4608-114-0x0000000004560000-0x0000000004582000-memory.dmp

Filesize
136KB

Download
memory/4608-108-0x0000000000F80000-0x0000000000FA6000-memory.dmp

Filesize
152KB

Download
memory/4608-113-0x0000000071820000-0x0000000071FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4608-112-0x0000000001820000-0x000000000182C000-memory.dmp

Filesize
48KB

Download
memory/4608-149-0x0000000071820000-0x0000000071FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4608-115-0x00000000045E0000-0x00000000045F0000-memory.dmp

Filesize
64KB

Download
memory/4608-116-0x0000000004A50000-0x0000000004AA6000-memory.dmp

Filesize
344KB

Download
memory/4608-150-0x00000000045E0000-0x00000000045F0000-memory.dmp

Filesize
64KB

Download
memory/5000-217-0x000002523C690000-0x000002523C6A8000-memory.dmp

Filesize
96KB

Download