cd1d744dc39adf50bc17b587d203d5fce77995c4c51cc0438187dfc9eabbd948

Analysis

max time kernel
110s
max time network
144s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2023 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

desk-zhonwenbao4.9.msi
Size

90.9MB
MD5

9cee7423f1bd5d64559c49689a18c06b
SHA1

5a75b69d2e66fc679c123d60a12712566246904a
SHA256

296608771a852e2e95f8fbd3f1990e671a9b7d44f84470335f262ff9b14b7d1c
SHA512

4e0da5e6fe0205d065cd3eeb9d5e2fb644177d65c273f447686b51d614b5c89a0c435b2ae2698d2a8e2aba5838dc576e5fb2cceb7d44aeea959d9e9369ed6f00
SSDEEP

1572864:3S8hXhuaZPB/j+Q4FAXaG/25Zwd7zZ2r+qriUeB6SXJObHXEq0bT7MbC3IA64Fy1:2aORGqR5ORqrUB7kbon7MbC3z6MbK

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exe

pid process

5108 netsh.exe
2096 netsh.exe
600 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

dac.exeConsoleProxy.exe

pid process

3596 dac.exe
3148 ConsoleProxy.exe

pid	process
5108	netsh.exe
2096	netsh.exe
600	netsh.exe

pid	process
3596	dac.exe
3148	ConsoleProxy.exe

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exeMsiExec.exeConsoleProxy.exe

pid	process
1536	MsiExec.exe
1536	MsiExec.exe
1536	MsiExec.exe
1536	MsiExec.exe
1536	MsiExec.exe
1536	MsiExec.exe
1396	MsiExec.exe
1396	MsiExec.exe
3148	ConsoleProxy.exe
3148	ConsoleProxy.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/memory/3596-94-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral5/memory/3596-96-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral5/memory/3596-97-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral5/memory/3596-98-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral5/memory/3596-99-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral5/memory/3596-113-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral5/memory/3596-133-0x0000000180000000-0x0000000180030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exeConsoleProxy.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	ConsoleProxy.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	ConsoleProxy.exe
File opened (read-only)	\??\U:	ConsoleProxy.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	ConsoleProxy.exe
File opened (read-only)	\??\I:	ConsoleProxy.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	ConsoleProxy.exe
File opened (read-only)	\??\V:	ConsoleProxy.exe
File opened (read-only)	\??\Z:	ConsoleProxy.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	ConsoleProxy.exe
File opened (read-only)	\??\X:	ConsoleProxy.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	ConsoleProxy.exe
File opened (read-only)	\??\O:	ConsoleProxy.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	ConsoleProxy.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	ConsoleProxy.exe
File opened (read-only)	\??\Q:	ConsoleProxy.exe
File opened (read-only)	\??\T:	ConsoleProxy.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	ConsoleProxy.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	ConsoleProxy.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	ConsoleProxy.exe
File opened (read-only)	\??\W:	ConsoleProxy.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in System32 directory 7 IoCs

Processes:

dac.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7229E30BCFD0992128433D951137A421_76EBFC12D6FD7EE9DD82775C12CF3BD5	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_F7F9B7BDCC367A8E3539D28F7D4D4BA2	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_F7F9B7BDCC367A8E3539D28F7D4D4BA2	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7229E30BCFD0992128433D951137A421_F0BB2463DDCCB4B49DC9200CC9E498E9	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7229E30BCFD0992128433D951137A421_F0BB2463DDCCB4B49DC9200CC9E498E9	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7229E30BCFD0992128433D951137A421_76EBFC12D6FD7EE9DD82775C12CF3BD5	dac.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e5906cc.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AC.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{997F38C3-E68F-4219-8D4D-C234BE733C5E}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5906cc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF89.tmp	msiexec.exe
File created	C:\Windows\Installer\e5906ce.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ConsoleProxy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ConsoleProxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ConsoleProxy.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

dac.exemmc.exemmc.exeConsoleProxy.exemmc.exenetsh.exesvchost.exenetsh.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dac.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List	mmc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\MICROSOFT MANAGEMENT CONSOLE\RECENT FILE LIST	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ConsoleProxy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ConsoleProxy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dac.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Settings	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Settings	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	ConsoleProxy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@mmcbase.dll,-14008 = "Folder"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List	mmc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dac.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	dac.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mmc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\MICROSOFT MANAGEMENT CONSOLE\RECENT FILE LIST	mmc.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ConsoleProxy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Settings	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ConsoleProxy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	ConsoleProxy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ConsoleProxy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dac.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dac.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ConsoleProxy.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\MICROSOFT MANAGEMENT CONSOLE\RECENT FILE LIST	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ConsoleProxy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dac.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dac.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ConsoleProxy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dac.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	dac.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mmc.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\67708036E3027134CBB5C9BE30891990\3C83F799F86E9124D8D42C43EB37C3E5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C83F799F86E9124D8D42C43EB37C3E5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C83F799F86E9124D8D42C43EB37C3E5\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\67708036E3027134CBB5C9BE30891990	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\PackageName = "desk-zhonwenbao4.9.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\ProductName = "CS-TG-64"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\PackageCode = "63F29DC7FCF25354CB1205C9543A7856"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4768 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeConsoleProxy.exe

pid process

3908 msiexec.exe
3908 msiexec.exe
3148 ConsoleProxy.exe
3148 ConsoleProxy.exe

pid	process
4768	PING.EXE

pid	process
3908	msiexec.exe
3908	msiexec.exe
3148	ConsoleProxy.exe
3148	ConsoleProxy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2800	msiexec.exe
Token: SeSecurityPrivilege	3908	msiexec.exe
Token: SeCreateTokenPrivilege	2800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2800	msiexec.exe
Token: SeLockMemoryPrivilege	2800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2800	msiexec.exe
Token: SeMachineAccountPrivilege	2800	msiexec.exe
Token: SeTcbPrivilege	2800	msiexec.exe
Token: SeSecurityPrivilege	2800	msiexec.exe
Token: SeTakeOwnershipPrivilege	2800	msiexec.exe
Token: SeLoadDriverPrivilege	2800	msiexec.exe
Token: SeSystemProfilePrivilege	2800	msiexec.exe
Token: SeSystemtimePrivilege	2800	msiexec.exe
Token: SeProfSingleProcessPrivilege	2800	msiexec.exe
Token: SeIncBasePriorityPrivilege	2800	msiexec.exe
Token: SeCreatePagefilePrivilege	2800	msiexec.exe
Token: SeCreatePermanentPrivilege	2800	msiexec.exe
Token: SeBackupPrivilege	2800	msiexec.exe
Token: SeRestorePrivilege	2800	msiexec.exe
Token: SeShutdownPrivilege	2800	msiexec.exe
Token: SeDebugPrivilege	2800	msiexec.exe
Token: SeAuditPrivilege	2800	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2800	msiexec.exe
Token: SeChangeNotifyPrivilege	2800	msiexec.exe
Token: SeRemoteShutdownPrivilege	2800	msiexec.exe
Token: SeUndockPrivilege	2800	msiexec.exe
Token: SeSyncAgentPrivilege	2800	msiexec.exe
Token: SeEnableDelegationPrivilege	2800	msiexec.exe
Token: SeManageVolumePrivilege	2800	msiexec.exe
Token: SeImpersonatePrivilege	2800	msiexec.exe
Token: SeCreateGlobalPrivilege	2800	msiexec.exe
Token: SeCreateTokenPrivilege	2800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2800	msiexec.exe
Token: SeLockMemoryPrivilege	2800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2800	msiexec.exe
Token: SeMachineAccountPrivilege	2800	msiexec.exe
Token: SeTcbPrivilege	2800	msiexec.exe
Token: SeSecurityPrivilege	2800	msiexec.exe
Token: SeTakeOwnershipPrivilege	2800	msiexec.exe
Token: SeLoadDriverPrivilege	2800	msiexec.exe
Token: SeSystemProfilePrivilege	2800	msiexec.exe
Token: SeSystemtimePrivilege	2800	msiexec.exe
Token: SeProfSingleProcessPrivilege	2800	msiexec.exe
Token: SeIncBasePriorityPrivilege	2800	msiexec.exe
Token: SeCreatePagefilePrivilege	2800	msiexec.exe
Token: SeCreatePermanentPrivilege	2800	msiexec.exe
Token: SeBackupPrivilege	2800	msiexec.exe
Token: SeRestorePrivilege	2800	msiexec.exe
Token: SeShutdownPrivilege	2800	msiexec.exe
Token: SeDebugPrivilege	2800	msiexec.exe
Token: SeAuditPrivilege	2800	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2800	msiexec.exe
Token: SeChangeNotifyPrivilege	2800	msiexec.exe
Token: SeRemoteShutdownPrivilege	2800	msiexec.exe
Token: SeUndockPrivilege	2800	msiexec.exe
Token: SeSyncAgentPrivilege	2800	msiexec.exe
Token: SeEnableDelegationPrivilege	2800	msiexec.exe
Token: SeManageVolumePrivilege	2800	msiexec.exe
Token: SeImpersonatePrivilege	2800	msiexec.exe
Token: SeCreateGlobalPrivilege	2800	msiexec.exe
Token: SeCreateTokenPrivilege	2800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2800	msiexec.exe
Token: SeLockMemoryPrivilege	2800	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2800 msiexec.exe
2800 msiexec.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

dac.exemmc.exemmc.exemmc.exeConsoleProxy.exe

pid process

3596 dac.exe
3596 dac.exe
4260 mmc.exe
4260 mmc.exe
4688 mmc.exe
4688 mmc.exe
504 mmc.exe
504 mmc.exe
3148 ConsoleProxy.exe

pid	process
2800	msiexec.exe
2800	msiexec.exe

pid	process
3596	dac.exe
3596	dac.exe
4260	mmc.exe
4260	mmc.exe
4688	mmc.exe
4688	mmc.exe
504	mmc.exe
504	mmc.exe
3148	ConsoleProxy.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

msiexec.exemmc.exemmc.exedac.execmd.exemmc.exeConsoleProxy.execmd.exe

description	pid	process	target process
PID 3908 wrote to memory of 1536	3908	msiexec.exe	MsiExec.exe
PID 3908 wrote to memory of 1536	3908	msiexec.exe	MsiExec.exe
PID 3908 wrote to memory of 1536	3908	msiexec.exe	MsiExec.exe
PID 3908 wrote to memory of 2136	3908	msiexec.exe	srtasks.exe
PID 3908 wrote to memory of 2136	3908	msiexec.exe	srtasks.exe
PID 3908 wrote to memory of 1396	3908	msiexec.exe	MsiExec.exe
PID 3908 wrote to memory of 1396	3908	msiexec.exe	MsiExec.exe
PID 3908 wrote to memory of 1396	3908	msiexec.exe	MsiExec.exe
PID 3908 wrote to memory of 3596	3908	msiexec.exe	dac.exe
PID 3908 wrote to memory of 3596	3908	msiexec.exe	dac.exe
PID 4260 wrote to memory of 1860	4260	mmc.exe	netsh.exe
PID 4260 wrote to memory of 1860	4260	mmc.exe	netsh.exe
PID 4688 wrote to memory of 4164	4688	mmc.exe	netsh.exe
PID 4688 wrote to memory of 4164	4688	mmc.exe	netsh.exe
PID 3596 wrote to memory of 4400	3596	dac.exe	cmd.exe
PID 3596 wrote to memory of 4400	3596	dac.exe	cmd.exe
PID 4400 wrote to memory of 4748	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 4748	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 4320	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 4320	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 2272	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 2272	4400	cmd.exe	reg.exe
PID 3596 wrote to memory of 1620	3596	dac.exe	cmd.exe
PID 3596 wrote to memory of 1620	3596	dac.exe	cmd.exe
PID 504 wrote to memory of 3148	504	mmc.exe	ConsoleProxy.exe
PID 504 wrote to memory of 3148	504	mmc.exe	ConsoleProxy.exe
PID 504 wrote to memory of 3148	504	mmc.exe	ConsoleProxy.exe
PID 3148 wrote to memory of 5108	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 5108	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 5108	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 2096	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 2096	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 2096	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 600	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 600	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 600	3148	ConsoleProxy.exe	netsh.exe
PID 3596 wrote to memory of 4968	3596	dac.exe	cmd.exe
PID 3596 wrote to memory of 4968	3596	dac.exe	cmd.exe
PID 4968 wrote to memory of 4768	4968	cmd.exe	PING.EXE
PID 4968 wrote to memory of 4768	4968	cmd.exe	PING.EXE
PID 3148 wrote to memory of 1676	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 1676	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 1676	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 2008	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 2008	3148	ConsoleProxy.exe	netsh.exe
PID 3148 wrote to memory of 2008	3148	ConsoleProxy.exe	netsh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\desk-zhonwenbao4.9.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7F59EE4FDFB0CA0704351E1BE86A1C87 C
2⤵
- Loads dropped DLL
PID:1536

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2136

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 996EC4397CE228D713831305309E1FA0
2⤵
- Loads dropped DLL
PID:1396

C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe
"C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\Y9iG5.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
4⤵
- UAC bypass
PID:4748

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
4⤵
- UAC bypass
PID:4320

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
4⤵
- UAC bypass
PID:2272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\24UEG\1P7ch@A8\v + C:\Users\Public\Pictures\24UEG\1P7ch@A8\b C:\Users\Public\Pictures\24UEG\1P7ch@A8\openconsolewpcap.dll
3⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:4768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:432

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set address 以太网 static 1.0.0.2 255.255.255.0 1.0.0.1 1
2⤵
- Modifies data under HKEY_USERS
PID:1860

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set address \"WLAN\" static 1.0.0.3 255.255.255.0 1.0.0.1 1
2⤵
- Modifies data under HKEY_USERS
PID:4164

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:504

C:\Users\Public\Pictures\24UEG\1P7ch@A8\ConsoleProxy.exe
"C:\Users\Public\Pictures\24UEG\1P7ch@A8\ConsoleProxy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="" program="C:\Users\Public\Pictures\24UEG\1P7ch@A8\ConsoleProxy.exe"
3⤵
- Modifies Windows Firewall
PID:5108

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="" dir=in action=allow program="C:\Users\Public\Pictures\24UEG\1P7ch@A8\ConsoleProxy.exe" description=""
3⤵
- Modifies Windows Firewall
PID:2096

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="" dir=out action=allow program="C:\Users\Public\Pictures\24UEG\1P7ch@A8\ConsoleProxy.exe" description=""
3⤵
- Modifies Windows Firewall
PID:600

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set address \"ÒÔÌ«Íø\" dhcp
3⤵
PID:1676

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set address \"WLAN\" dhcp
3⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI35B1.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI37A6.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3872.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3872.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI395E.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI39EB.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3B44.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\cache_22_7

Filesize
9.0MB

MD5
be5628882d28ba1bdb9850dc4b7e7fa1

SHA1
6d37839c4b8ded05c0e8108696e1b794de59a2a8

SHA256
def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287

SHA512
16037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39

Download Submit
C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe

Filesize
23.0MB

MD5
ec65abfa1f59b0d7d5335150834226b3

SHA1
036768482c85e94135847d91db77a901b21ff621

SHA256
f5842ba5da811ef75225d03c28b7178c47cc358da67ea5d577a29e23eea3fe6a

SHA512
eb605664dfe37fbd30819235b0851b905f8802a596cc8d986fe4322ea899cb55276dcbca5b85c0d7df50b32ad02016bbe98b012585d5fa6722156edcdc427040

Download Submit
C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe

Filesize
23.0MB

MD5
ec65abfa1f59b0d7d5335150834226b3

SHA1
036768482c85e94135847d91db77a901b21ff621

SHA256
f5842ba5da811ef75225d03c28b7178c47cc358da67ea5d577a29e23eea3fe6a

SHA512
eb605664dfe37fbd30819235b0851b905f8802a596cc8d986fe4322ea899cb55276dcbca5b85c0d7df50b32ad02016bbe98b012585d5fa6722156edcdc427040

Download Submit
C:\Users\Admin\AppData\Roaming\Y9iG5.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Users\Public\Pictures\24UEG\1P7ch@A8\ConsoleProxy.exe

Filesize
904KB

MD5
07664d67b56857133ce91e0ede047ec6

SHA1
c83dd9f00278e567f23b918791e2f1ba1b025c8b

SHA256
effe2e868cb9f885a1f91044be10eca56057f0fd2fea43f0fc4ad349e344c15f

SHA512
610b68bfc4acba3307b9ae106b388777040d024cb6ce5a3cee92462ab0d20986d1bf1a0ab9a827fe45fc48442b5e0c771329ac47e6ebacd4d9d793cf81fa036d

Download Submit
C:\Users\Public\Pictures\24UEG\1P7ch@A8\ConsoleProxy.exe

Filesize
904KB

MD5
07664d67b56857133ce91e0ede047ec6

SHA1
c83dd9f00278e567f23b918791e2f1ba1b025c8b

SHA256
effe2e868cb9f885a1f91044be10eca56057f0fd2fea43f0fc4ad349e344c15f

SHA512
610b68bfc4acba3307b9ae106b388777040d024cb6ce5a3cee92462ab0d20986d1bf1a0ab9a827fe45fc48442b5e0c771329ac47e6ebacd4d9d793cf81fa036d

Download Submit
C:\Users\Public\Pictures\24UEG\1P7ch@A8\PX.log

Filesize
156KB

MD5
a4a2e7d0f65a958404227b9fe3b334a7

SHA1
c009268c802f25e259f6804ad7f5bc0aa92bea78

SHA256
253488a52213e35845d5c66a67aca65d35801a3998523a895976ce521748abba

SHA512
04b6afcdcad80461c977717d448cefacdb2bf856f4b1350e8d923c9b6001d2f7868968c340a2ab12a5a1d5c724fdb16e73710cadbed85ce3a058eabd86a4ac00

Download Submit
C:\Users\Public\Pictures\24UEG\1P7ch@A8\b

Filesize
104KB

MD5
87fc2bd3754f13f346d5deb868b7b205

SHA1
909995865895b9c79c0a3b6c17b5867e1c67b4de

SHA256
f194e9e6449f4634a1f20ffa9d17ad5a2af228ad55160ab27ec2562265dc0715

SHA512
43adb9a29c443477126226a12f3035672a43f168e58e0b2e540995491248fd6173d637314be477d6d13f1397f0504def4171e02cae14876fecd12b2e74bd2bce

Download Submit
C:\Users\Public\Pictures\24UEG\1P7ch@A8\openconsolepacket.dll

Filesize
126KB

MD5
75601eb6b85df77b3b8328e524cdd8be

SHA1
58e732acec0c0e65370030fc61e6577a2cc0d4af

SHA256
530010b5cb8a82bae6e244bca0a1a5202ece0cf59c83f7434af77b2a8ed32a84

SHA512
cc01c13b7926d31354a90db66b317c02fb4e155785f4c27eee24fdecdda4b5d18cdaf09581d4e54f0d10169708e4c2f904144a669cb5f4019146e19acef3f982

Download Submit
C:\Users\Public\Pictures\24UEG\1P7ch@A8\openconsolewpcap.dll

Filesize
208KB

MD5
ceb101e19e1627a7cefc3edd8e594d43

SHA1
52da2a83f1ed5e2f9e34e7462a724986b1946c61

SHA256
e3210354d07b2e785f794fade1f84ab072f9e6bd169d246974ae1550bde33b92

SHA512
c20418068d538c727a310b236c66122d5f0fc86300c32c10be05d32a2c0e8da8b7af632e202aa612c863eb2149b7891e577e81dc729148cb3f6dcad0697836f2

Download Submit
C:\Users\Public\Pictures\24UEG\1P7ch@A8\v

Filesize
104KB

MD5
b3d69bc92cd8824c81dce8a039289b51

SHA1
4d1636c74bc6c05b3da6fc71ad0a2fccbf48357a

SHA256
e3c6afedac974e02f301dc9c05ee8456343d1b013a3edbd7e648a13b36193a88

SHA512
444108a37cb065ee2b070bdd0f0ddb22bfc78eb6b5d9de1025960f22cb86fc4d865988445df75605bff8e806d6ba3659d2260432125f04ce80bf8fba27af83a8

Download Submit
C:\Windows\Installer\MSI7E6.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSI9AC.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\e5906cc.msi

Filesize
90.9MB

MD5
9cee7423f1bd5d64559c49689a18c06b

SHA1
5a75b69d2e66fc679c123d60a12712566246904a

SHA256
296608771a852e2e95f8fbd3f1990e671a9b7d44f84470335f262ff9b14b7d1c

SHA512
4e0da5e6fe0205d065cd3eeb9d5e2fb644177d65c273f447686b51d614b5c89a0c435b2ae2698d2a8e2aba5838dc576e5fb2cceb7d44aeea959d9e9369ed6f00

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
952e16ddbba210bf37c64480c029ed48

SHA1
e1120d3e92d8a128fea32edd22c7f5b0e1024033

SHA256
886dfe24ecdf7fe844425c92e09d4faa56fb61bf080451e02560dcb71994315f

SHA512
72c3649696eec0513bba98d15843665cc3d933bafd6197ed9bf513b204bf13f88db84908b2879d1bf06df3cba879f1a7c10567bddc9d01f17f29d19035486884

Download Submit
\??\Volume{ae039998-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{246a3463-f9e0-47dc-a5bb-e5cbd98f88c3}_OnDiskSnapshotProp

Filesize
5KB

MD5
79cccf2f758797ec6b5ade20d7abfded

SHA1
b5aa66bab9d8bdf8bcc13e664e2b22df9a02666d

SHA256
de44b2c50686940175eb1ba6e4b65fdce0770574c6f5bb9804cf33fa7f174aef

SHA512
1a436582c8a18fad3fcf81e5fe391977e65600fe1a10975f47d17b642942d01cb6608c0017f3b8babba702ebd2a67aede7f0e904804e770b85efb2637dd56056

Download Submit
\Users\Admin\AppData\Local\Temp\MSI35B1.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI37A6.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3872.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI395E.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI39EB.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3B44.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Users\Public\Pictures\24UEG\1P7ch@A8\openconsolepacket.dll

Filesize
126KB

MD5
75601eb6b85df77b3b8328e524cdd8be

SHA1
58e732acec0c0e65370030fc61e6577a2cc0d4af

SHA256
530010b5cb8a82bae6e244bca0a1a5202ece0cf59c83f7434af77b2a8ed32a84

SHA512
cc01c13b7926d31354a90db66b317c02fb4e155785f4c27eee24fdecdda4b5d18cdaf09581d4e54f0d10169708e4c2f904144a669cb5f4019146e19acef3f982

Download Submit
\Users\Public\Pictures\24UEG\1P7ch@A8\openconsolewpcap.dll

Filesize
208KB

MD5
ceb101e19e1627a7cefc3edd8e594d43

SHA1
52da2a83f1ed5e2f9e34e7462a724986b1946c61

SHA256
e3210354d07b2e785f794fade1f84ab072f9e6bd169d246974ae1550bde33b92

SHA512
c20418068d538c727a310b236c66122d5f0fc86300c32c10be05d32a2c0e8da8b7af632e202aa612c863eb2149b7891e577e81dc729148cb3f6dcad0697836f2

Download Submit
\Windows\Installer\MSI7E6.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\Windows\Installer\MSI9AC.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
memory/3148-152-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-153-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-158-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-155-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-154-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-150-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-144-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-141-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-142-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3148-143-0x0000000002B20000-0x0000000002B7E000-memory.dmp

Filesize
376KB

Download
memory/3596-99-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3596-98-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3596-113-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3596-97-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3596-133-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3596-94-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/3596-96-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download