2b390e71bfc34db3e6869269df4f8e345442bfb15d5f03a86c715d452e7273bd

Analysis

max time kernel
162s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Size

31.1MB
MD5

c51233a3b0cc2f9cbbeff772ee068238
SHA1

c4762734094f38f2032edad4df4817363f7df304
SHA256

56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf
SHA512

a29314d6279cd63d6a514320a3b6e20c9a29d848b28d80acbe71c619a8778f3b19f19ce48f503a8c0ba1fa155a07bbec7d25f107e8f0725af40eb312a6cfce1d
SSDEEP

786432:cfd+0AfrbXCStGd0ZiL+ew/k7mAonhybq3j:ed+0WrbDlZi6e1EEW3j

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
60	1032	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	MSIEFB3.tmp

Executes dropped EXE 4 IoCs

pid	Process
5008	MSIEFB3.tmp
2144	gstall.exe
4908	CSVed.exe
3016	Web.pif

Loads dropped DLL 20 IoCs

pid	Process
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2144	gstall.exe
2096	MsiExec.exe
2144	gstall.exe
2144	gstall.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\H:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\J:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\Z:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\V:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\O:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\P:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\U:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\Y:	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57f04b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF221.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF95B.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f04f.msi	msiexec.exe
File created	C:\Windows\Installer\e57f04b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF33C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF206.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF448.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFB3.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{77542BFB-1FC7-491E-A6B8-5761E85BD6BB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI568F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF67F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF194.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF610.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FB5326F1-045C-4D9B-875C-21B6D13B204F}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f04f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF799.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1336	tasklist.exe
1020	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	powershell.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1112	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2656	msiexec.exe
2656	msiexec.exe
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
5032	powershell.exe
5032	powershell.exe
5032	powershell.exe
1032	powershell.exe
1032	powershell.exe
1032	powershell.exe
2656	msiexec.exe
2656	msiexec.exe
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif
3016	Web.pif

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2656	msiexec.exe
Token: SeCreateTokenPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeAssignPrimaryTokenPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeLockMemoryPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeIncreaseQuotaPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeMachineAccountPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeTcbPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSecurityPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeTakeOwnershipPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeLoadDriverPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSystemProfilePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSystemtimePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeProfSingleProcessPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeIncBasePriorityPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreatePagefilePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreatePermanentPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeBackupPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeRestorePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeShutdownPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeDebugPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeAuditPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSystemEnvironmentPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeChangeNotifyPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeRemoteShutdownPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeUndockPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSyncAgentPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeEnableDelegationPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeManageVolumePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeImpersonatePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreateGlobalPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreateTokenPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeAssignPrimaryTokenPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeLockMemoryPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeIncreaseQuotaPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeMachineAccountPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeTcbPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSecurityPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeTakeOwnershipPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeLoadDriverPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSystemProfilePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSystemtimePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeProfSingleProcessPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeIncBasePriorityPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreatePagefilePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreatePermanentPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeBackupPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeRestorePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeShutdownPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeDebugPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeAuditPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSystemEnvironmentPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeChangeNotifyPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeRemoteShutdownPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeUndockPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeSyncAgentPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeEnableDelegationPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeManageVolumePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeImpersonatePrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreateGlobalPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeCreateTokenPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeAssignPrimaryTokenPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeLockMemoryPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeIncreaseQuotaPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
Token: SeMachineAccountPrivilege	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
584	msiexec.exe
584	msiexec.exe
3016	Web.pif
3016	Web.pif
3016	Web.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3016	Web.pif
3016	Web.pif
3016	Web.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 3836	2656	msiexec.exe	92
PID 2656 wrote to memory of 3836	2656	msiexec.exe	92
PID 2656 wrote to memory of 3836	2656	msiexec.exe	92
PID 3756 wrote to memory of 584	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe	96
PID 3756 wrote to memory of 584	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe	96
PID 3756 wrote to memory of 584	3756	56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe	96
PID 2656 wrote to memory of 4276	2656	msiexec.exe	98
PID 2656 wrote to memory of 4276	2656	msiexec.exe	98
PID 2656 wrote to memory of 4276	2656	msiexec.exe	98
PID 4276 wrote to memory of 3724	4276	MsiExec.exe	100
PID 4276 wrote to memory of 3724	4276	MsiExec.exe	100
PID 4276 wrote to memory of 3724	4276	MsiExec.exe	100
PID 4276 wrote to memory of 5032	4276	MsiExec.exe	106
PID 4276 wrote to memory of 5032	4276	MsiExec.exe	106
PID 4276 wrote to memory of 5032	4276	MsiExec.exe	106
PID 5032 wrote to memory of 1032	5032	powershell.exe	109
PID 5032 wrote to memory of 1032	5032	powershell.exe	109
PID 5032 wrote to memory of 1032	5032	powershell.exe	109
PID 5032 wrote to memory of 3020	5032	powershell.exe	111
PID 5032 wrote to memory of 3020	5032	powershell.exe	111
PID 5032 wrote to memory of 3020	5032	powershell.exe	111
PID 2656 wrote to memory of 5008	2656	msiexec.exe	112
PID 2656 wrote to memory of 5008	2656	msiexec.exe	112
PID 2656 wrote to memory of 5008	2656	msiexec.exe	112
PID 2656 wrote to memory of 2096	2656	msiexec.exe	114
PID 2656 wrote to memory of 2096	2656	msiexec.exe	114
PID 2656 wrote to memory of 2096	2656	msiexec.exe	114
PID 5008 wrote to memory of 2144	5008	MSIEFB3.tmp	113
PID 5008 wrote to memory of 2144	5008	MSIEFB3.tmp	113
PID 5008 wrote to memory of 2144	5008	MSIEFB3.tmp	113
PID 2656 wrote to memory of 4908	2656	msiexec.exe	116
PID 2656 wrote to memory of 4908	2656	msiexec.exe	116
PID 2656 wrote to memory of 4908	2656	msiexec.exe	116
PID 4908 wrote to memory of 2828	4908	CSVed.exe	117
PID 4908 wrote to memory of 2828	4908	CSVed.exe	117
PID 4908 wrote to memory of 2828	4908	CSVed.exe	117
PID 2828 wrote to memory of 3604	2828	cmd.exe	119
PID 2828 wrote to memory of 3604	2828	cmd.exe	119
PID 2828 wrote to memory of 3604	2828	cmd.exe	119
PID 3604 wrote to memory of 1336	3604	cmd.exe	121
PID 3604 wrote to memory of 1336	3604	cmd.exe	121
PID 3604 wrote to memory of 1336	3604	cmd.exe	121
PID 3604 wrote to memory of 4176	3604	cmd.exe	122
PID 3604 wrote to memory of 4176	3604	cmd.exe	122
PID 3604 wrote to memory of 4176	3604	cmd.exe	122
PID 3604 wrote to memory of 1020	3604	cmd.exe	123
PID 3604 wrote to memory of 1020	3604	cmd.exe	123
PID 3604 wrote to memory of 1020	3604	cmd.exe	123
PID 3604 wrote to memory of 2732	3604	cmd.exe	124
PID 3604 wrote to memory of 2732	3604	cmd.exe	124
PID 3604 wrote to memory of 2732	3604	cmd.exe	124
PID 3604 wrote to memory of 4620	3604	cmd.exe	125
PID 3604 wrote to memory of 4620	3604	cmd.exe	125
PID 3604 wrote to memory of 4620	3604	cmd.exe	125
PID 3604 wrote to memory of 1032	3604	cmd.exe	126
PID 3604 wrote to memory of 1032	3604	cmd.exe	126
PID 3604 wrote to memory of 1032	3604	cmd.exe	126
PID 3604 wrote to memory of 1712	3604	cmd.exe	127
PID 3604 wrote to memory of 1712	3604	cmd.exe	127
PID 3604 wrote to memory of 1712	3604	cmd.exe	127
PID 3604 wrote to memory of 3016	3604	cmd.exe	128
PID 3604 wrote to memory of 3016	3604	cmd.exe	128
PID 3604 wrote to memory of 3016	3604	cmd.exe	128
PID 3604 wrote to memory of 1112	3604	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe
"C:\Users\Admin\AppData\Local\Temp\56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Revo\Revo Uninstaller Pro 5.2.0\install\13B204F\xrecode-ii-1-137.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1699948763 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D74F1B559E6438D3D6CFD757C583EC8B C
  2⤵
  - Loads dropped DLL
  PID:3836
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 039C0AC2938AE289D2A71B9C839E106E
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssFCA3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiFCA0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrFCA1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrFCA2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss592F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi592C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr592D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr592E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:1032
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\updater.msi" /QN /norestart
      4⤵
      PID:3020
- C:\Windows\Installer\MSIEFB3.tmp
  "C:\Windows\Installer\MSIEFB3.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin /dir "C:\Users\Admin\AppData\Roaming\" "C:\Users\Admin\AppData\Roaming\gstall.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Roaming\gstall.exe
    "C:\Users\Admin\AppData\Roaming\gstall.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 682CD6A000C974B996CBC76E5F32C9B7
  2⤵
  - Loads dropped DLL
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe
  "C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Baths & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1336
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1020
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 24649
        5⤵
        
        PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Compound + Initiatives + Emotions + Worm + Participants 24649\Web.pif
        5⤵
        
        PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Cds + Paul + Squirting 24649\x
        5⤵
        
        PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\4740\24649\Web.pif
        
        24649\Web.pif 24649\x
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3016
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        Runs ping.exe
        
        PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f04e.rbs

Filesize
1KB

MD5
e53516238ded366cfbd6a688229b776a

SHA1
e6a05a3956e8e8a619d2c50802d9345db1dff358

SHA256
bca1ab7b79e211d40675d3b0208ea9f987f3bf48f218a5943927636d20e15a52

SHA512
ad0c33dfec122490ee1b06eb133b01701635f54c7d9875c139e292c485d104803df20b51e2b9cecfccecd5cad6f7cceb06bd68481e78db3db2dffa309eae4822

Download Submit
C:\Config.Msi\e57f052.rbs

Filesize
1KB

MD5
83fb206708f8ea7230984fc7514e8c9b

SHA1
b02d57a07a4261d2251b0aa4fa8d3639cfac33e3

SHA256
3967a703736f724c7bafee68e1b96c64a772eff1664597a1cc0e48f96d5186fa

SHA512
b29bf80b6f31850cda2318e8354fc06009b0e4f7f13279ff096961131d188b0528d27bafd90bba10007f9e9a5aac35a9ace0a11a9368d10754e3ee46baa05f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
15434942540a690d207ab6e54304e842

SHA1
ba73745f046579cd5e5050fd49941a5cee981127

SHA256
fa2c2d6d365536115f28f9942635df1812f35cf85ed5e3b8005302f303126522

SHA512
09ea54cbe9d09d1ac4148c6ceebf22daca3c9ac93f9121d9d35c8987450cdd86f0836e9435eb18c92b568e19a1446b3659f6eefc57c30f250c0f1bb943b793ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a965e0d243d31858705c64f3328ebe15

SHA1
38e0e4bef2d07fe71511f07ee032e6e7938889eb

SHA256
f032638f83b57ea0b6d7af8ba9c9b6c338e67275479cb11fa9eec36beb284a7f

SHA512
c71ffc78a5598b0c956b138888e63bccfb6af43129eb57c9b59880b6e82fef44a30dfe14e8ddeacf8bd364bff05b679b00cc5988c3850198d7bbb9689e0f48a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Baths

Filesize
12KB

MD5
b5dc5648561af324256109e118abfa01

SHA1
2c3f0707d9bd3e95c880092e54e892222517d606

SHA256
de246407afa5b9513cfdfd6913d432c2ac1ba1075720b6105484f89bd4caa343

SHA512
3cb5470bba63957847662361a369190c61adeae83263415265477cd75aa8eb48061aafef9bf6dee68d2ba91cd89d151c742b613b8ce787dbeb848c52de0e8614

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Cds

Filesize
454KB

MD5
9678d2fa3483d3bca2aa6e9b6346a049

SHA1
801a620f0dc1d926af07055813fd6064fcf0cb4f

SHA256
a9d9db38b61138a41faea9b1dedef4fbe3086e8451e053931991cd8c781dd79c

SHA512
fb6fb9bf34d578ef6259b39f5c6b41b8d96406532aa441a3e7da7dc179c11e5fb092c47428af75a536898680945183ec0013e35a3dcbf8e755909b8f8f589ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Compound

Filesize
194KB

MD5
bd82be8706052ed929c2c1f68b722fb1

SHA1
4e1949c62fe7944e56deafbfc5415c549bd11e06

SHA256
1e8ee26cd09d538032cb28e4b804389ffcab0fd80c492e4fd48df36fb07b2f4b

SHA512
2c9237d96a1c07bee9db13dd4c41ff8550077949f9e299a6a2d00bd53f629edac9be5d6eef18a6fa2f51b1ca00639a2a2cfe3a94280c9416e1a664bb5f819268

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Emotions

Filesize
138KB

MD5
ec23db21a9be2154a67a40d4d20ea0e3

SHA1
691bc9fdaae652a2475657d910eee1b6c6a7fd54

SHA256
028c206a1be6a5fa47da3a3cca65aa4f3e493fdd63e9183b47da8265c921e71c

SHA512
86575d02bac7b3e13718c3d3a8bfeae8e62f988380e112b409b3ff35831ec0de1f809bbe3e25723a9e80249d98d031a29d2626d46e70b597038d6f8044563378

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Initiatives

Filesize
291KB

MD5
a6eea7a1100ae828228202856a1418fa

SHA1
908bcc482df141e9dcb6eca55f3ca2ddd58a5576

SHA256
8097efc3871d805fa4314c895cd8a9c3ed82a025a4d6c4c2c1c44d8f89e49c7e

SHA512
fc2d118e5afdfbaf580b6e59934161d25d21b3a55d781d5f9656ffda62da67ff59a3a5c921ea79e61efe778b448bd468f824254bd66c13ff985d294d4335e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Participants

Filesize
194KB

MD5
a26e2ad7c64f747682ec1a40f891a5af

SHA1
13c3833f02b73e369b5b9a2b1350082b6a48aab3

SHA256
ff69f3cc4d75e5937f5a76905487420b333f55261ad4505ac981b2029fa728b4

SHA512
a13bda5ac3606b9ed3283168c45a7bb3d4217d1d06c555ed7779e297f5bf4ea3e03ae75f63e1da4fe97a1d2b0292cd1e1ebf3b3ab40fd1b1276084740ee91f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Paul

Filesize
441KB

MD5
020f1378f69dc20b601bee5780c95996

SHA1
d591a1be38d9defa4821d819c31110b8c7c957b0

SHA256
4dfcdaabc436fc652050c042ec43a4365444f2ba31498e374923083b6244b826

SHA512
9dbd412468cb383b522bd65a33e8b64d09ab9dcc83a60ab679fefa976cda3f24b870cd59f033bc17c3a0877018cd4d583f47837c44af1469b4a59061a03a863d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4740\Worm

Filesize
107KB

MD5
78d310b349c12826c106d955f0d02de8

SHA1
c68cb61077f06f33d261ab5ab92d86cccbf20ce8

SHA256
c9ce45eaf6813cc6a2c2c415cf2daed281204121accd633db76b18bbc2d6c3a1

SHA512
2c1bb5bdb7305f18f23368353a80a92455e4900ef58ec73abd9ab8585945d9d48410d2eaf5bc2551a9eea57e7203c537a675e02d7a5600d900f8aaa7f15133ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEADE.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEADE.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC65.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC65.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIED12.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIED12.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIED12.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIED52.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIED52.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4evflzi.iwx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

Filesize
1.6MB

MD5
610e8f890ba32a21812c39351e674b8d

SHA1
00065ded23230ff4c96299cdd806c51e43458890

SHA256
793635aee777e2872e53049d9782b8eb6fd72910110e6b6699680cfe75de1dc8

SHA512
dc7ac03516ff127b7c69f3d0e0cddfc30bde505256a496ec29d45b1be0ffeb6ce798859d08008d5658804b9f9829b617e5f3750926effeadefd2e65693b51104

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

Filesize
1.6MB

MD5
610e8f890ba32a21812c39351e674b8d

SHA1
00065ded23230ff4c96299cdd806c51e43458890

SHA256
793635aee777e2872e53049d9782b8eb6fd72910110e6b6699680cfe75de1dc8

SHA512
dc7ac03516ff127b7c69f3d0e0cddfc30bde505256a496ec29d45b1be0ffeb6ce798859d08008d5658804b9f9829b617e5f3750926effeadefd2e65693b51104

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF5F6.tmp\LangDLL.dll

Filesize
5KB

MD5
109b201717ab5ef9b5628a9f3efef36f

SHA1
98db1f0cc5f110438a02015b722778af84d50ea7

SHA256
20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

SHA512
174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF5F6.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF5F6.tmp\nsDialogs.dll

Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss592F.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssFCA3.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr592D.ps1

Filesize
1KB

MD5
83af22c0443025c1f5814f7db4ca8017

SHA1
925766c2cb1665ab75622487542eeb4eaed4d8c5

SHA256
b3c78c6a49d7292bb912a8a9c4ab8e13cbc5deb2d9176d50640c38772d46208d

SHA512
32033c07984c9ef2d39e9c052aeead58692f2a30f27435d8ee73ed48bee4015bb756835cb198983f62938fa5c2b53baee4103f8d5422bbe7d37ee3a3f3e200a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr592E.txt

Filesize
60B

MD5
c353c6f75ebd1706c419faeb1fb395dc

SHA1
c2e131f90b8d7ae761e1e7465eaf36618e08d5e7

SHA256
7d49510c2b63b8551ecc8e9e870c585c3819100b973b9b4165ec65d0555e53a6

SHA512
5240e664f4e97536ed776b4e1a736735ca2356ef2b9d670d96218c9fb9865a7b2b517966567fbd5d1cbc54580a08e94de0e11f21aa4b0928150eed89a219291b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrFCA1.ps1

Filesize
76B

MD5
e749e8248cb32a61909600123a3c55cd

SHA1
2119ef2f611eed28c0fe8dc8795bb48136002c47

SHA256
fc9dde3b58704b5432aa689bbaa1eb8d8a116b52f7652e453b098e45d5623953

SHA512
70732d0c99c10cd38662791c73abfc0a57b54221f9bf0a270db2b0212c3ad7e19cfc9183fcf5a54bab31b4687ff5771b8aba9541844c561b82665aa9a1e686d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrFCA2.txt

Filesize
60B

MD5
c353c6f75ebd1706c419faeb1fb395dc

SHA1
c2e131f90b8d7ae761e1e7465eaf36618e08d5e7

SHA256
7d49510c2b63b8551ecc8e9e870c585c3819100b973b9b4165ec65d0555e53a6

SHA512
5240e664f4e97536ed776b4e1a736735ca2356ef2b9d670d96218c9fb9865a7b2b517966567fbd5d1cbc54580a08e94de0e11f21aa4b0928150eed89a219291b

Download Submit
C:\Users\Admin\AppData\Roaming\Revo\Revo Uninstaller Pro 5.2.0\install\13B204F\AppDataFolder\gstall.exe

Filesize
20.6MB

MD5
2ff4ad1fab3a70bef07c995678de5716

SHA1
eeb0e2ebc93084d95c3913723d2c715062a00315

SHA256
b6e397f4c97a8a593cdd43fd14c18fb3335bd8b40d490b6c1e0f086a7a2c0b23

SHA512
100f5b6aca0e9f2ea706603a130622b58e8d9e876c9e8b00776519fe4021d7f744857d206914124815aa59f43e72c52aba26b44fcaec98615c3d7136a4ca555b

Download Submit
C:\Users\Admin\AppData\Roaming\Revo\Revo Uninstaller Pro 5.2.0\install\13B204F\xrecode-ii-1-137.msi

Filesize
6.9MB

MD5
6bd83bc85d694699ee12380ff56dfcd9

SHA1
a10c957741b960cf2c3e435359d1b4c0efbe5f33

SHA256
747020f81422647625012266e0f8c5d18f91337301a55dafe87d24ab17bca378

SHA512
2c05a14bec311274335413cf27813c222b07ad870f3910490644752f5e9e22508fd2c40b4409a20ece9d677a990d453d9473c73b33354568a81e79c1007090e1

Download Submit
C:\Users\Admin\AppData\Roaming\Revo\Revo Uninstaller Pro 5.2.0\install\13B204F\xrecode-ii-1-137.msi

Filesize
6.9MB

MD5
6bd83bc85d694699ee12380ff56dfcd9

SHA1
a10c957741b960cf2c3e435359d1b4c0efbe5f33

SHA256
747020f81422647625012266e0f8c5d18f91337301a55dafe87d24ab17bca378

SHA512
2c05a14bec311274335413cf27813c222b07ad870f3910490644752f5e9e22508fd2c40b4409a20ece9d677a990d453d9473c73b33354568a81e79c1007090e1

Download Submit
C:\Users\Admin\AppData\Roaming\gstall.exe

Filesize
20.6MB

MD5
2ff4ad1fab3a70bef07c995678de5716

SHA1
eeb0e2ebc93084d95c3913723d2c715062a00315

SHA256
b6e397f4c97a8a593cdd43fd14c18fb3335bd8b40d490b6c1e0f086a7a2c0b23

SHA512
100f5b6aca0e9f2ea706603a130622b58e8d9e876c9e8b00776519fe4021d7f744857d206914124815aa59f43e72c52aba26b44fcaec98615c3d7136a4ca555b

Download Submit
C:\Users\Admin\AppData\Roaming\gstall.exe

Filesize
20.6MB

MD5
2ff4ad1fab3a70bef07c995678de5716

SHA1
eeb0e2ebc93084d95c3913723d2c715062a00315

SHA256
b6e397f4c97a8a593cdd43fd14c18fb3335bd8b40d490b6c1e0f086a7a2c0b23

SHA512
100f5b6aca0e9f2ea706603a130622b58e8d9e876c9e8b00776519fe4021d7f744857d206914124815aa59f43e72c52aba26b44fcaec98615c3d7136a4ca555b

Download Submit
C:\Users\Admin\AppData\Roaming\updater.msi

Filesize
6.1MB

MD5
445ab56f6cc163d947131d276e5ebc32

SHA1
ee04b7122ed7215a63cfbc16cfa1f1b2bcf68a96

SHA256
454f1e8428f949fc092f46ddfc4e0a88e038ef1e544e91609fadd81d54677e51

SHA512
36e6c428aef9f32eff6438d3636a52d59a0f43b5c49207ccd58b56d4233925b5c5611134c54ed04bde659862d116f9fadb1bb6f84b25bd053d77d18077886f91

Download Submit
C:\Windows\Installer\MSI568F.tmp

Filesize
742KB

MD5
3965d073a05f6d86906ba705d9e87ca2

SHA1
1acb0c99dd1e9add872c28d3e9bbb2383dd02d57

SHA256
d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0

SHA512
0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

Download Submit
C:\Windows\Installer\MSI568F.tmp

Filesize
742KB

MD5
3965d073a05f6d86906ba705d9e87ca2

SHA1
1acb0c99dd1e9add872c28d3e9bbb2383dd02d57

SHA256
d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0

SHA512
0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

Download Submit
C:\Windows\Installer\MSIEFB3.tmp

Filesize
403KB

MD5
ca8f8b580b6a0aba8f9103a151009fd4

SHA1
5bca9aae97adfab6f5dd7f8564ade2f165d6c365

SHA256
5f06cabaec2f253ada91b065cfd0717149fbab827d6e316fc3dbe7b3206d5a82

SHA512
12a9582f3f492bcbc1248a5895942e81d20b7896181bee3ae25784d7a03207baea56d6cede75dcc2aed86588afa172133072994060a946bc84b83972543b1116

Download Submit
C:\Windows\Installer\MSIEFB3.tmp

Filesize
403KB

MD5
ca8f8b580b6a0aba8f9103a151009fd4

SHA1
5bca9aae97adfab6f5dd7f8564ade2f165d6c365

SHA256
5f06cabaec2f253ada91b065cfd0717149fbab827d6e316fc3dbe7b3206d5a82

SHA512
12a9582f3f492bcbc1248a5895942e81d20b7896181bee3ae25784d7a03207baea56d6cede75dcc2aed86588afa172133072994060a946bc84b83972543b1116

Download Submit
C:\Windows\Installer\MSIF194.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF194.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF206.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF206.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF221.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF221.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF2DE.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF2DE.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF33C.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF33C.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF3DA.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF3DA.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF448.tmp

Filesize
835KB

MD5
3fe648959c7496beb28a3638fcc2e944

SHA1
6c73ebcdf517e2b30ad90f046f50f9e64c7a636c

SHA256
e6d18685b2e231f9166909764c3b90bbc3c51f30736d18873166e5dc9133e290

SHA512
1be58c011987b67396e052d32b6b3576823d612e4e678a18641a55fb6159b32e106cadeeebc22f179aa07902e1bbf517cc10d1ebf7233bf68fe198de3f20bca2

Download Submit
C:\Windows\Installer\MSIF448.tmp

Filesize
835KB

MD5
3fe648959c7496beb28a3638fcc2e944

SHA1
6c73ebcdf517e2b30ad90f046f50f9e64c7a636c

SHA256
e6d18685b2e231f9166909764c3b90bbc3c51f30736d18873166e5dc9133e290

SHA512
1be58c011987b67396e052d32b6b3576823d612e4e678a18641a55fb6159b32e106cadeeebc22f179aa07902e1bbf517cc10d1ebf7233bf68fe198de3f20bca2

Download Submit
C:\Windows\Installer\MSIF4D6.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF4D6.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF5A2.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF5A2.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF610.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF610.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF67F.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF67F.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIF95B.tmp

Filesize
742KB

MD5
3965d073a05f6d86906ba705d9e87ca2

SHA1
1acb0c99dd1e9add872c28d3e9bbb2383dd02d57

SHA256
d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0

SHA512
0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

Download Submit
C:\Windows\Installer\MSIF95B.tmp

Filesize
742KB

MD5
3965d073a05f6d86906ba705d9e87ca2

SHA1
1acb0c99dd1e9add872c28d3e9bbb2383dd02d57

SHA256
d32b87f251222bb12fe4886f1b670ab9be151c2d981a379258d16b150373aee0

SHA512
0855cd343073e017f8898a6b51e688ff9a4c851ec4c14b108a1ad9aa57e9bf68bbe0a08ecc33de63b1cee90f123ddc95f39ca87cc493d020a6c1a4061c114226

Download Submit
memory/1032-179-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/1032-182-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/1032-168-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/3016-283-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3016-284-0x0000000005270000-0x00000000052F7000-memory.dmp

Filesize
540KB

Download
memory/3016-285-0x0000000005270000-0x00000000052F7000-memory.dmp

Filesize
540KB

Download
memory/3016-286-0x0000000005270000-0x00000000052F7000-memory.dmp

Filesize
540KB

Download
memory/3016-287-0x0000000005270000-0x00000000052F7000-memory.dmp

Filesize
540KB

Download
memory/3016-288-0x0000000005270000-0x00000000052F7000-memory.dmp

Filesize
540KB

Download
memory/3016-289-0x0000000005270000-0x00000000052F7000-memory.dmp

Filesize
540KB

Download
memory/3724-77-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/3724-90-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/3724-102-0x000000006E0F0000-0x000000006E13C000-memory.dmp

Filesize
304KB

Download
memory/3724-120-0x0000000007C60000-0x0000000007C68000-memory.dmp

Filesize
32KB

Download
memory/3724-103-0x000000007F310000-0x000000007F320000-memory.dmp

Filesize
64KB

Download
memory/3724-119-0x0000000007C70000-0x0000000007C8A000-memory.dmp

Filesize
104KB

Download
memory/3724-101-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/3724-100-0x0000000007920000-0x0000000007952000-memory.dmp

Filesize
200KB

Download
memory/3724-97-0x0000000008500000-0x0000000008AA4000-memory.dmp

Filesize
5.6MB

Download
memory/3724-96-0x00000000074D0000-0x00000000074F2000-memory.dmp

Filesize
136KB

Download
memory/3724-95-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/3724-94-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/3724-93-0x0000000007E80000-0x00000000084FA000-memory.dmp

Filesize
6.5MB

Download
memory/3724-118-0x0000000007C20000-0x0000000007C34000-memory.dmp

Filesize
80KB

Download
memory/3724-117-0x0000000007C10000-0x0000000007C1E000-memory.dmp

Filesize
56KB

Download
memory/3724-116-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

Filesize
68KB

Download
memory/3724-113-0x0000000007900000-0x000000000791E000-memory.dmp

Filesize
120KB

Download
memory/3724-92-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/3724-114-0x0000000007970000-0x0000000007A13000-memory.dmp

Filesize
652KB

Download
memory/3724-72-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/3724-115-0x0000000007A70000-0x0000000007A7A000-memory.dmp

Filesize
40KB

Download
memory/3724-71-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download
memory/3724-89-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/3724-88-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/3724-73-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/3724-79-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/3724-123-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/3724-74-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/3724-76-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/3724-75-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4908-258-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/4908-243-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5032-147-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5032-160-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5032-164-0x00000000063F0000-0x000000000641C000-memory.dmp

Filesize
176KB

Download
memory/5032-148-0x0000000005F00000-0x0000000006254000-memory.dmp

Filesize
3.3MB

Download
memory/5032-178-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5032-146-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5032-145-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/5032-165-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/5032-166-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5032-188-0x00000000717A0000-0x0000000071F50000-memory.dmp

Filesize
7.7MB

Download
memory/5032-167-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download