Analysis Overview
SHA256
68c9986a8dcc0214d909aa1f31bee9fb5461bb839edca996a75b08ddffc1483f
Threat Level: Known bad
The file ndp48-x86-x64-allos-enu.exe was found to be: Known bad.
Malicious Activity Summary
Irata payload
Irata
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Checks system information in the registry
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-10 06:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-10 06:29
Reported
2023-12-10 06:31
Platform
win10-20231129-en
Max time kernel
58s
Max time network
57s
Command Line
Signatures
Irata
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| N/A | N/A | C:\bb18dd10c50d0ad54bc9fb18\SetupUtility.exe | N/A |
| N/A | N/A | C:\bb18dd10c50d0ad54bc9fb18\SetupUtility.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FA9BE4CC-6FD8-46E5-98C5-BAE6914F132E\dismhost.exe | N/A |
Loads dropped DLL
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system32\msvcr100_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\system32\en-us\dfshim.dll.mui | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\syswow64\aspnet_counters.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\syswow64\msvcr100_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\syswow64\ucrtbase_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\system32\msvcr120_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\syswow64\msvcp140_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\syswow64\msvcr120_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\system32\aspnet_counters.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\system32\ucrtbase_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\system32\msvcp120_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\syswow64\vcruntime140_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\syswow64\msvcp120_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\system32\msvcp140_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\system32\vcruntime140_clr0400.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files (x86)\microsoft.net\redistlist\assemblylist_4_client.xml | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft.net\redistlist\assemblylist_4_extended.xml | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\microsoft.visualbasic.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\webengine4.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\normnfd.nlp | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_32\system.web\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.web.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\providers\manageconsolidatedproviders.aspx | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.data.oracleclient.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\aspnet_rc.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\system.threading.thread\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.threading.thread.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\dv_aspnetmmc.chm | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\system.globalization.calendars.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.web.abstractions.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\system.security.cryptography.csp\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.security.cryptography.csp.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorlib.tlb | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\caspol.exe | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.componentmodel.typeconverter.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\system.runtime.serialization.formatters.soap.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\system.activities.presentation\v4.0_4.0.0.0__31bf3856ad364e35\system.activities.presentation.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\accessibility.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\system.componentmodel.composition.registration\v4.0_4.0.0.0__b77a5c561934e089\system.componentmodel.composition.registration.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\appconfig\app_localresources\smtpsettings.aspx.resx | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.io.pipes.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mui\0409\mscorsecr.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\inf\msdtc bridge 4.0.0.0\_transactionbridgeperfcounters.h | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\system.dynamic.runtime.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\config\defaultwsdlhelpgenerator.aspx | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\aspnet_state.exe | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\config\legacy.web_lowtrust.config.default | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\microsoft.visualc.stlclr.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\microsoft.visualbasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\microsoft.visualbasic.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.net.http.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\system.servicemodel.channels.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\inf\windows workflow foundation 4.0.0.0\perfcounters.ini | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\security\security0.aspx | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_64\presentationcore\v4.0_4.0.0.0__31bf3856ad364e35\globalsansserif.compositefont | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\microsoft.visualbasic.targets | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\appconfig\app_localresources\createappsetting.aspx.resx | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.console.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\microsoft.xaml.targets | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\config\browsers\generic.browser | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\system.componentmodel.dataannotations\v4.0_4.0.0.0__31bf3856ad364e35\system.componentmodel.dataannotations.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\alert_lrg.gif | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\config\browsers\ucbrowser.browser | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.activities.durableinstancing.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\smdiagnostics\v4.0_4.0.0.0__b77a5c561934e089\smdiagnostics.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.web.extensions.design.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\security\wizard\app_localresources\wizardauthentication.ascx.resx | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\microsoft.visualbasic.compatibility.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.xml.xmlserializer.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.net.http.rtc.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.diagnostics.stacktrace.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\system.activities\v4.0_4.0.0.0__31bf3856ad364e35\system.activities.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\system.xml.readerwriter.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\vbc.exe | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\microsoft.build.utilities.v4.0.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\default.win32manifest | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\uninstallcommon.sql | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\system.drawing.tlb | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\microsoft.netframework.targets | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\wpf\presentationframework-systemxmllinq.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\assembly\gac_msil\presentationframework.aero\v4.0_4.0.0.0__31bf3856ad364e35\presentationframework.aero.dll | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\aspx_file.gif | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob = (value data omitted) | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\bb18dd10c50d0ad54bc9fb18\Setup.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ndp48-x86-x64-allos-enu.exe
"C:\Users\Admin\AppData\Local\Temp\ndp48-x86-x64-allos-enu.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\bb18dd10c50d0ad54bc9fb18\Setup.exe
C:\bb18dd10c50d0ad54bc9fb18\\Setup.exe /x86 /x64 /redist
C:\bb18dd10c50d0ad54bc9fb18\SetupUtility.exe
SetupUtility.exe /aupause
C:\bb18dd10c50d0ad54bc9fb18\SetupUtility.exe
SetupUtility.exe /screboot
C:\Windows\System32\dism.exe
dism.exe /quiet /norestart /online /add-package /packagepath:"C:\bb18dd10c50d0ad54bc9fb18\x64-Windows10.0-KB4486129-x64.cab"
C:\Users\Admin\AppData\Local\Temp\FA9BE4CC-6FD8-46E5-98C5-BAE6914F132E\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\FA9BE4CC-6FD8-46E5-98C5-BAE6914F132E\dismhost.exe {BE469983-E07A-4AC1-8579-6AF38AA86754}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | N/A | tcp |
Files
C:\bb18dd10c50d0ad54bc9fb18\Setup.exe
| MD5 | 057ce4fb9c8e829af369afbc5c4dfd41 |
| SHA1 | 094f9d5f107939250f03253cf6bb3a93ae5b2a10 |
| SHA256 | 60dd7d10b3f88f1b17e39464bb2d7ca77c9267b846d90cf5728a518a117bd21b |
| SHA512 | cae4df73a5b28863c14a5207fbbe4e0630e71215aa1271fe61117523cc32b8b82cd1ba63f698907fbfeb36d4007bb0f463828025957505cfcbb200f4ed5d3a52 |
C:\bb18dd10c50d0ad54bc9fb18\SetupEngine.dll
| MD5 | f9618535477ddfef9fe8b531a44be1a3 |
| SHA1 | c137a4c7994032a6410ef0a7e6f0f3c5acb68e03 |
| SHA256 | 236bf2b5cf6014b8ee22484afe172ace512cc99dba85080b082d47e9e189ea5c |
| SHA512 | b85ae1a9cc334e9352c51aa94b2c74c6c067957e0e6021f7309a1c194fc64c0c50bb5efeaef7030e8689d75a22798f74cf719366a2fdcce26e23692510bfe064 |
\bb18dd10c50d0ad54bc9fb18\SetupEngine.dll
| MD5 | f9618535477ddfef9fe8b531a44be1a3 |
| SHA1 | c137a4c7994032a6410ef0a7e6f0f3c5acb68e03 |
| SHA256 | 236bf2b5cf6014b8ee22484afe172ace512cc99dba85080b082d47e9e189ea5c |
| SHA512 | b85ae1a9cc334e9352c51aa94b2c74c6c067957e0e6021f7309a1c194fc64c0c50bb5efeaef7030e8689d75a22798f74cf719366a2fdcce26e23692510bfe064 |
C:\bb18dd10c50d0ad54bc9fb18\sqmapi.dll
| MD5 | 0c0e41efeec8e4e78b43d7812857269a |
| SHA1 | 846033946013f959e29cd27ff3f0eaa17cb9e33f |
| SHA256 | 048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c |
| SHA512 | e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28 |
\bb18dd10c50d0ad54bc9fb18\sqmapi.dll
| MD5 | 0c0e41efeec8e4e78b43d7812857269a |
| SHA1 | 846033946013f959e29cd27ff3f0eaa17cb9e33f |
| SHA256 | 048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c |
| SHA512 | e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28 |
C:\Users\Admin\AppData\Local\Temp\HFI30EF.tmp.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\bb18dd10c50d0ad54bc9fb18\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\bb18dd10c50d0ad54bc9fb18\UiInfo.xml
| MD5 | c99059acb88a8b651d7ab25e4047a52d |
| SHA1 | 45114125699fa472d54bc4c45c881667c117e5d4 |
| SHA256 | b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d |
| SHA512 | b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b |
C:\bb18dd10c50d0ad54bc9fb18\ParameterInfo.xml
| MD5 | 1d9839d2aa01c91005752000749cf5cf |
| SHA1 | 540698e77846d1316c2c15ac858a31bd083ac037 |
| SHA256 | 3dbf5ef577ea2d96461dcfd31d5be2f3066519a154a5000691e9596ff438d3e7 |
| SHA512 | 1fc8c30eb287d7048b36bd7133c7665672efef2e674357b55b8d62ea85214e43dfe2ce73b9bc060de91ab8e738949db58b0aea9274c6b86ad141f0fa45f43ede |
C:\bb18dd10c50d0ad54bc9fb18\SplashScreen.bmp
| MD5 | bc32088bfaa1c76ba4b56639a2dec592 |
| SHA1 | 84b47aa37bda0f4cd196bd5f4bd6926a594c5f82 |
| SHA256 | b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7 |
| SHA512 | 4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830 |
C:\bb18dd10c50d0ad54bc9fb18\1031\LocalizedData.xml
| MD5 | afb4b1d7103ddca43ea723acbcdd31fd |
| SHA1 | c4d95dfd4869df636091e979c8b3bd7684004a48 |
| SHA256 | 961efe11e9e3e553269cb14dc1b942e9ac68b86740d59aa35e4ff6e5913532dd |
| SHA512 | bde563d158e38f7a46abe564e365bbc9cfa235f4735f668a532919f0575bead27bdd6fa11ac50802c989f2f69371c2e9179c9affbc85954a9b4050f9122e26a5 |
C:\bb18dd10c50d0ad54bc9fb18\1032\LocalizedData.xml
| MD5 | 71bdb323a746a4adab9ce42498e937bc |
| SHA1 | 8e58d4ba5623a50610bd99e82df135708a9f130e |
| SHA256 | 6c5a6e11a85c9e172e7748a9a9f19f8598870a63a103a7ac18cbbd0cdf026475 |
| SHA512 | b7d66fa4f1a1b7130cdd801447fe0c4965cba1618c01d4ff64b9707e3e132fb13858aa498ea26fb1e54b56daf83e5e7958c6a4fcc1a4ad6dd6c2ffa966e58b76 |
C:\bb18dd10c50d0ad54bc9fb18\1030\LocalizedData.xml
| MD5 | 03b1e582ec5454b2fa3599e788569dfa |
| SHA1 | 75845acdd04fb17011218b06fd7c28830641f021 |
| SHA256 | 59884541554376a26143b105fa924b9f9961254d22db8dedf7de7f3495d7a1dd |
| SHA512 | 23d1b1c2e2c78692a48b959bdb70c3c321a76792885b19805cafd543c0ef25856f8f115af766ea46f20eb2c440eaf31e656726710b12ae5f362779bea28035bc |
C:\bb18dd10c50d0ad54bc9fb18\1029\LocalizedData.xml
| MD5 | d6801174849373cde3f1d214d80fe834 |
| SHA1 | 50caf47aa60b999ca7b43d3ceb75d0dbffd2278a |
| SHA256 | cbb0da2d1efa7de6736e67c978848d53acf8b502bf3daf43ce40b05076145a7c |
| SHA512 | a4cf812dc4fac888dad4ca986fcb07b93f45633fe5931f24afff4558d9a29734a0ac5d647f3bc631c377fba816c19bd44178398bb6166f6f84e5f05acb8e0a18 |
C:\bb18dd10c50d0ad54bc9fb18\1028\LocalizedData.xml
| MD5 | f3a4fd6968658a18882cf300553f2f89 |
| SHA1 | b75ccaeff41bf9c8586bca612550cb9dca6b09ea |
| SHA256 | 53742293b25149b19d8677b15f6424fc71e308014b1bcf883e6949d1dab3961c |
| SHA512 | 9692c8577034c0e628a42d581f634ed174b4af684ee87c947556888027215bbf4c92286a3ad1cb1792fc6f7392190719ebef85b60fce48e20239abcb58d04d97 |
C:\bb18dd10c50d0ad54bc9fb18\1035\LocalizedData.xml
| MD5 | ad67691b3b5474154f65400e53ddfef2 |
| SHA1 | dc8dc683bf9fee12a5ab7297789a5c087e98facc |
| SHA256 | 1e828840ae8728ac809624845597406d4025d6da7797b38f02946a30a48bfe7c |
| SHA512 | 64ee113f0c3e173fee6047cc41ff3e84181aba2eb2b02ca5cc717caaf1392e5e2f0eed7e7c469d821d86878443bc8ec64c66e2afb1d850fb4c7e9823c3a5ea73 |
C:\bb18dd10c50d0ad54bc9fb18\1037\LocalizedData.xml
| MD5 | 631011d665ad08220fe248d9f8a103ba |
| SHA1 | 652c56998d0e8bf0c43f136fd90c69728bb0e111 |
| SHA256 | e9877973bef23498b586a9cf03230fc45a9ea8a3f75decfa062b03bd31974b06 |
| SHA512 | cf479c0c5167e011721bd6b0f5829a62c0c269b1e1be13e5bb750516b8441a1d8ca20fafd0d539066f84d669f6f5e9401c223b82e200501716c719d268c3c1a0 |
C:\bb18dd10c50d0ad54bc9fb18\1036\LocalizedData.xml
| MD5 | 2c77cbaaf9c3ed0c4410c4b8c3c29c30 |
| SHA1 | 110775ca1c6e252b4e8c8bf39b593dfb4d66206c |
| SHA256 | ab3d5571b57b7bb705bffe13f37bd73894b0d12d09cc1fb1b438493a863c324c |
| SHA512 | c1438b9b95bd16503f5a14d743e9c6c40cb46cd24a4bb48adf6f9162c61e8979c370e7e1eff8989db05ff5a496415a68b58cc16912a7c8215fecb72d252c5285 |
C:\bb18dd10c50d0ad54bc9fb18\1025\LocalizedData.xml
| MD5 | d8165beb3b8433921d0d5611b85bfa35 |
| SHA1 | bef57e3511e18170ebbc9ae3aefd73ce3f50f8f4 |
| SHA256 | b092668e0825f7f498acdc1bf10e1d2cb6ca99497389142cf9af815f25a4b712 |
| SHA512 | 9fa221f549b4e660c4f40c7ab0e483e3d9a9204248da51675058f32f4f56667c782667295decbb441a581f582a099fe34c6cc569d0c4ec13e85c680abf5870b0 |
C:\bb18dd10c50d0ad54bc9fb18\1049\LocalizedData.xml
| MD5 | d46f34e95e94fbfa4cb4a8dcc7ba3211 |
| SHA1 | 3e2150c9dd44c4b3416051534ccf84968f2737cd |
| SHA256 | a787b2f493c3248991877f61e210bb0231d357d06aa2671917d2ad4e528c9f67 |
| SHA512 | c740f7eba5187699b39265ba2238121a20d935d1320c0e344b767d537618cc2954bb7a6bacae12e7121cd1b4bca1ceb84e11bb80a347e7c2c79e87eb899adb7a |
C:\bb18dd10c50d0ad54bc9fb18\1046\LocalizedData.xml
| MD5 | 4a892aa3fedbfe5991b6ff46c00af55c |
| SHA1 | 421fe8f80432c56d022ff2911c4a5708093184c3 |
| SHA256 | aadbd1df74fc82a43f86f1f40d5065a802b2db71652525a78d258fda3197a743 |
| SHA512 | 9391096ad6c721b50a300f3c8285291086c0f302f77a7edee7283ec8eb7432171edde5998d5c76587c6431eb3c7e5cba176d0c31f6963acd8d954ea9c6a6e619 |
C:\bb18dd10c50d0ad54bc9fb18\1045\LocalizedData.xml
| MD5 | c3a238ffbf2dbb9f758e5c5b33948971 |
| SHA1 | 56ceb241f3780dc4a9814332f44369188ded3e77 |
| SHA256 | 2f0beba8a56cccaddfe6e0ecc3130d0efafb7f84cc0fa4e8db9d85c840e24241 |
| SHA512 | 2def165951b958195a339f8b4a38aba310c428fbf89f0d7e708d44255f3cf59953550f8e4772626aa125e4a2cb3328601b5ca097f5e355423f4d5094cb8155ea |
C:\bb18dd10c50d0ad54bc9fb18\1053\LocalizedData.xml
| MD5 | cb2e2edf7d7fefde9b3894923407f8c0 |
| SHA1 | 541ec570f26bb30f4be35f1a87d4ccf6bc660f67 |
| SHA256 | 874e5d7e45603ad70ca353e8dc6bf42944594f911d17c79be8966dc01d27eb73 |
| SHA512 | 045fadda432280ec961da53b914adc9d9a31d02140282b3b37e89f01723d64b5659e3c1a61e9344f4440813efb8b932cf45f859b97cfbdc158c0802d70c5ecda |
C:\bb18dd10c50d0ad54bc9fb18\3082\LocalizedData.xml
| MD5 | e2fc9d2a4fc56b64e3981dd7e0b076d5 |
| SHA1 | 1660468ac360a0a52f1a84887a9bb9c6ca3c9d8d |
| SHA256 | 9e224a5f7a5c83df1ab31743520a05252c3cdcc9e97526264da716166d2b29f9 |
| SHA512 | ca9098a09a7450d02bda76f1d64480f27679610441e3df0858b231de4599f53ddf245b69d181d3fdd37ee846eb085dda0ec85cf1825ec2c7f0eaeea8423fefd3 |
C:\bb18dd10c50d0ad54bc9fb18\2070\LocalizedData.xml
| MD5 | 5b73409a0f1cbb707cd62a7956bc2f92 |
| SHA1 | 1ce52fd3746c5bee7a3c3ef5aa8958e44b8761e3 |
| SHA256 | 193090f4472f1a1c5ed10ab97fa4bf77bd4ff3f172f380ef4a53fef39989159a |
| SHA512 | ecc775f665b7f0a192d04bd372542e3fadf89b47e4cc5373d2597b9df321b386e89f6fa695c0871fd56691be126e16443af91a7da34de018ceb47f90aa30e3f7 |
C:\bb18dd10c50d0ad54bc9fb18\2052\LocalizedData.xml
| MD5 | 6cc370b95c9f3e3d28315759b496e977 |
| SHA1 | 09e4aad0a389f0f876d21e132123dbbd83dc1314 |
| SHA256 | 93e519e8cc173a3f1aa8dd8113ad4a1be0b5b8d40e1d0a1563dba2054b50433a |
| SHA512 | 3b2f19f97cb07f5c845d85cee1a0932c19ddd0efc0433e4b6f092e0e7782e9454c6ff43eb54a943e1e85764ca2ce8ff36a239ac319b09fd8042669d24af27f91 |
C:\bb18dd10c50d0ad54bc9fb18\1055\LocalizedData.xml
| MD5 | f020b0e38f1295924f1833e77859fc9a |
| SHA1 | 17467f2ebb8cbca89119d30b3ba7ae30691921e1 |
| SHA256 | 8ce790eca06bae1b01f40f732580adea86d4c22b28d1e701e033c6c9983500c2 |
| SHA512 | bf01aea04827a46cb60cacf97993b319643e90aca82e1abc2c6750f01de0d638fc1b73931fe80e5441128eba70f364c1000b4ccd053b2e241c0a3916b75d670a |
C:\bb18dd10c50d0ad54bc9fb18\1044\LocalizedData.xml
| MD5 | b0d9e4dac3935bb596bb83b7d8474f8f |
| SHA1 | 29ce971b1a3ccf6f09eced6bff8e778df13f3d35 |
| SHA256 | 3c309a5509d42e6485e9123bc6af5ec43cf2faa8afead5062676e85ab7f96add |
| SHA512 | af4e4032a3b4a1696a3f252c03c8f5364089320e4181ebccd39d569d7577b11b70b4ae694d4a74e09bb61505664a01733dccb2d80aed64cb7142225dddd997e2 |
C:\bb18dd10c50d0ad54bc9fb18\1043\LocalizedData.xml
| MD5 | e939717e7eaf1b7f53c4b752e62a22e7 |
| SHA1 | ca5a66c452ec6ca8bc04de95eac1616cf3980992 |
| SHA256 | 8afdf3d2c0fd2370889e3fd96bc2742831cdc6041af0a407123c27f8d76d68a6 |
| SHA512 | ebfa725b8efc4448d669beea6f56eab9a317793ff1e21cbc51e015a1a31dfb8b1408e9df15023b878aca220465dbede09254f9a524ef7f6060877844994e17aa |
C:\bb18dd10c50d0ad54bc9fb18\1042\LocalizedData.xml
| MD5 | 47f8082069c52d2f7db1fc6aac2886df |
| SHA1 | 4b5c371e9006c10685f2c59ca9a7ebfb4a597a0a |
| SHA256 | e86656ef2092c0e6caf5b8b0bca2d6ce5def273609c22187ae91236605d2e273 |
| SHA512 | 7bdaf721e561c46609054f6786624149fd824abb1e3126b2a6b6385b56c6fe11414af216fca3ee2b1fe6a4b42ca8a19f46186ab1d4e70fb81b6f9af013c40018 |
C:\bb18dd10c50d0ad54bc9fb18\1040\LocalizedData.xml
| MD5 | e74a35a00e0228de37ee911f93411ed2 |
| SHA1 | c1c0901eb552c21ce2817b7edb94af611b571a49 |
| SHA256 | 2ec36fb871853f60085bc972e08156483384f8c1d6e000f5db1cc8cccad05f8c |
| SHA512 | 8876e39093448d1ae5a1f53499272323747789fbaefdf9bd852fee161fa9c18ce0721164473a5a2279643b34a2727d870e0b802635288f2e32b15c40660ad06f |
C:\bb18dd10c50d0ad54bc9fb18\1041\LocalizedData.xml
| MD5 | 32e4d6f895a69bb2c373ff4c688d6b27 |
| SHA1 | 57738235363c5f1a1c5651c65832396e3aef4414 |
| SHA256 | ae28910c1ef16ce70a5e97c5d02390ad8d64f80966e2be3c4a56db0c4038442d |
| SHA512 | 5052e8a218cf71b0e08de33665a58f9219282e00f2e4f6c19897a07863556a2408dc273ad3cc9257d98d6a57765321e0f1b051bed051f188947deda9d32dbdbe |
C:\bb18dd10c50d0ad54bc9fb18\1038\LocalizedData.xml
| MD5 | 28e8a2833f3d5302a1f5c2a84fa8990a |
| SHA1 | 08977251eb62c6df447c6754b2ec27a73d9071f1 |
| SHA256 | e4261c9b8c779d58883820a531a19594d238f0ca9ecac399505c569b0cccdbc7 |
| SHA512 | 4a62afe84d4eb03bf2c65826b5765f270b3c9a3403b972bb00db66cb40b70d1809334fc3a8edf012c1ea31e4e3b8c6fed6423e9da14dd62ad76a12d525e515b9 |
C:\bb18dd10c50d0ad54bc9fb18\1033\LocalizedData.xml
| MD5 | 47703bed025228689a1032edae56b4c4 |
| SHA1 | a2aba33c7e8915025251574c81fe2e5ac6bc0893 |
| SHA256 | 05fc9352b918a710d51f68873fc522528265455b77014e8b0cd66c5e7aa71dc3 |
| SHA512 | 9d6eda9fc3be6116371d1b86b54b8b65ccd58c182105e0954870f75e2a6f4d7e8fc84462bfd3584175c0f849066e47d82cd18ae3bf1671e60cc237347b7cc00d |
C:\bb18dd10c50d0ad54bc9fb18\SetupUi.dll
| MD5 | 6f51e9b469f95edb9156c74b4b0f4e1b |
| SHA1 | 5224c3de0fa4895297898f76ed5647ef40d924f8 |
| SHA256 | 9fd4639955338928731a8ab6e131175949a179931b8c9d4fcadd2367d749b826 |
| SHA512 | 920f6525852a3a3636722fa8a36112d5402b22b7d93469443eba2b782ef27d25532a8b6a922dad2a60709c24e74527f639e2744bfd30635dda80ab364376a32e |
\bb18dd10c50d0ad54bc9fb18\SetupUi.dll
| MD5 | 6f51e9b469f95edb9156c74b4b0f4e1b |
| SHA1 | 5224c3de0fa4895297898f76ed5647ef40d924f8 |
| SHA256 | 9fd4639955338928731a8ab6e131175949a179931b8c9d4fcadd2367d749b826 |
| SHA512 | 920f6525852a3a3636722fa8a36112d5402b22b7d93469443eba2b782ef27d25532a8b6a922dad2a60709c24e74527f639e2744bfd30635dda80ab364376a32e |
C:\bb18dd10c50d0ad54bc9fb18\SetupUi.xsd
| MD5 | a9f6a028e93f3f6822eb900ec3fda7ad |
| SHA1 | 8ff2e8f36d690a687233dbd2e72d98e16e7ef249 |
| SHA256 | aaf8cb1a9af89d250cbc0893a172e2c406043b1f81a211cb93604f165b051848 |
| SHA512 | 1c51392c334aea17a25b20390cd4e7e99aa6373e2c2b97e7304cf7ec1a16679051a41e124c7bc890b02b890d4044b576b666ef50d06671f7636e4701970e8ddc |
C:\bb18dd10c50d0ad54bc9fb18\1033\SetupResources.dll
| MD5 | 3f975e8bb4cd4adb9b5d21b2da436ab6 |
| SHA1 | e017dd66cbd964228b3b9b84b14c892709fe3915 |
| SHA256 | ab1d462944fdcb4ad2e6a4d37257f2fe2063744bb4e3de55b4126dfb65d383fc |
| SHA512 | f99359f9118409fe7cbdc4390a48f2f661d7e1622b08af75080e036400e1a3dae118d92848e54a24168eb8b27e69d51a920bb26511c466868afb42257b3ea048 |
\bb18dd10c50d0ad54bc9fb18\1033\SetupResources.dll
| MD5 | 3f975e8bb4cd4adb9b5d21b2da436ab6 |
| SHA1 | e017dd66cbd964228b3b9b84b14c892709fe3915 |
| SHA256 | ab1d462944fdcb4ad2e6a4d37257f2fe2063744bb4e3de55b4126dfb65d383fc |
| SHA512 | f99359f9118409fe7cbdc4390a48f2f661d7e1622b08af75080e036400e1a3dae118d92848e54a24168eb8b27e69d51a920bb26511c466868afb42257b3ea048 |
C:\bb18dd10c50d0ad54bc9fb18\Strings.xml
| MD5 | 8a28b474f4849bee7354ba4c74087cea |
| SHA1 | c17514dfc33dd14f57ff8660eb7b75af9b2b37b0 |
| SHA256 | 2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b |
| SHA512 | a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\print.ico
| MD5 | d39bad9dda7b91613cb29b6bd55f0901 |
| SHA1 | 6d079df41e31fbc836922c19c5be1a7fc38ac54e |
| SHA256 | d80ffeb020927f047c11fc4d9f34f985e0c7e5dfea9fb23f2bc134874070e4e6 |
| SHA512 | fad8cb2b9007a7240421fbc5d621c3092d742417c60e8bb248e2baa698dcade7ca54b24452936c99232436d92876e9184eaf79d748c96aa1fe8b29b0e384eb82 |
C:\bb18dd10c50d0ad54bc9fb18\header.bmp
| MD5 | 41c22efa84ca74f0ce7076eb9a482e38 |
| SHA1 | 8e4a371fd51a61244d11c4fc97d738905ce00fbb |
| SHA256 | 255025a0d79ef2dac04bd610363f966ef58328400bf31e1f8915e676478cd750 |
| SHA512 | 8c83edeecbd7d5fb64aa7f841be3992ba8303b158a5360d9c7eafb085cbc9b7258af40f50570e0ca051cb6d235ea7e3eacf5cb8c7e39750601061f0b57338395 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\setup.ico
| MD5 | 6125f32aa97772afdff2649bd403419b |
| SHA1 | d84da82373b599aed496e0d18901e3affb6cfaca |
| SHA256 | a0c7b4b17a69775e1d94123dfceec824744901d55b463ba9dca9301088f12ea5 |
| SHA512 | c4bdcd72fa4f2571c505fdb0adc69f7911012b6bdeb422dca64f79f7cc1286142e51b8d03b410735cd2bd7bc7c044c231a3a31775c8e971270beb4763247850f |
C:\bb18dd10c50d0ad54bc9fb18\graphics\save.ico
| MD5 | c66bbe8f84496ef85f7af6bed5212cec |
| SHA1 | 1e4eab9cc728916a8b1c508f5ac8ae38bb4e7bf1 |
| SHA256 | 1372c7f132595ddad210c617e44fedff7a990a9e8974cc534ca80d897dd15abd |
| SHA512 | 5dabf65ec026d8884e1d80dcdacb848c1043ef62c9ebd919136794b23be0deb3f7f1acdff5a4b25a53424772b32bd6f91ba1bd8c5cf686c41477dd65cb478187 |
C:\bb18dd10c50d0ad54bc9fb18\1033\EULA.rtf
| MD5 | 47c47a12e6830b793150494d35d51637 |
| SHA1 | 87a11fece572f2a57982270533d6906daf7da218 |
| SHA256 | 4399b24e28becfb3bb2820daa09965860001492145fd7e2466da7b740c31855d |
| SHA512 | 1b85ff8f11afafaa7368e744d281d964313eb342d294cbbe0e1c5fab3c5e817ca2b58bbcd7fc87a556f7575fd8e9d7404eb0a4f8e045e4c446ba83398eab3127 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\SysReqMet.ico
| MD5 | 889472312e724195d7b946eecaea20c1 |
| SHA1 | d099c44b794f7d0414cda5ba9a6df432347ff513 |
| SHA256 | c9ca53f83a5cc10f726248d47ff82981b584b3ff62ee591229a8237c11340991 |
| SHA512 | 511b4bae756fd61ab4e7f8f7173a6b0bda6ab2aefb7c4c77e78ecae3b7de080cec575db6af110c195f58bc7b2abcab0f1477271a31ce6d2af10634b632e0bf39 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\SysReqNotMet.ico
| MD5 | eca24331ce0850d188bd2eb5c22de684 |
| SHA1 | 53e910c03aa6bc423717c5b175670517f26f00a4 |
| SHA256 | deba0a7a6e2ca99d3380d35ae33f8d266806fdbcbf75fb06b5718be5873258f6 |
| SHA512 | a3de7deb9a0eb2f40b56f1dc435a01578d6f0ee299f7159560029e965e7785f0197f3e98ff2ec9c2c39c8078c125454c19e81d5f6291a90010d7704f57312db9 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate1.ico
| MD5 | 9b70c7fa81dca6d3b992037d0c251d92 |
| SHA1 | 83a11f4b7a5020616257fef143a7c32164d3927c |
| SHA256 | 18226b9d56d2b1c070a2c606428892773cb00b5b4b95397e79d01de26685ccd4 |
| SHA512 | a771725b16e23086b1ee37336f904a047445e8c6a6ca505b9aff5a20948f8dfa53fe07cb07a13cb9cb7a5bbc7484009a40a91ed9eb8b7f5726307efc6a991a17 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate2.ico
| MD5 | f824905e5501603e6720b784add71bdd |
| SHA1 | d71b15e1168306c1e698250edc5f99f624c73e6f |
| SHA256 | d15a6f1eefefe4f9cd51b7b22e9c7b07c7acad72fd53e5f277e6d4e0976036c3 |
| SHA512 | 3914b1fadcf6b90d106ab536687e5badb1b09b60450e0b75f403f7dca32c2dc63d68c0918d10359da4f4113406dcc4e02fa0c02941d8b1badba021c60aface9a |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate3.ico
| MD5 | 0ade6be0df29400e5534aa71abfa03f6 |
| SHA1 | 6dde6e571b2fa45ab2cacf565e488ecace01db56 |
| SHA256 | c2f6faa18b16f728ae5536d5992cc76a4b83530a1ea74b9d11bebdf871cf3b4e |
| SHA512 | 57ce956375097b8aeed4605b7816e8eeba139a4151d2516b46e7f0e2e917276264040039319cc9012796eed5405e005ac4de20caffdb99ee59db06c868901a83 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate6.ico
| MD5 | 5ac2b8e1a766c204f996d9ce33fb3db4 |
| SHA1 | 09cbabdd17a5a0215ad5d5af509ea9ec315373b6 |
| SHA256 | ee387d9642df93e4240361077af6051c1b7e643c3cf110f43da42e0efe29a375 |
| SHA512 | 802b84dedc195c21de32e3abbed02b8646affdfa75525e8b1984869b207a7fa02ee91938c0d2cb511d7911fc00ef612d03b6f2ea3615b01548bd408302b08f44 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate5.ico
| MD5 | 25f0d572761cb610bdad6dd980c46cc7 |
| SHA1 | 6270ee0684700c5a4d01cd964dc05b82719b0370 |
| SHA256 | ce2afc0aa52b3d459d6d8d7c551f7b8fbf323e2260326908c37a13f21fee423e |
| SHA512 | db061086d1db6379593cc066860c31667dc20fe4cd60d73e2e16fe1dca9990060ece5396fafc5c023a9bed19dd251bda7537a6018b58420ce838276f7430f79d |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate4.ico
| MD5 | 267b198fef022d3b1d44cca7fe589373 |
| SHA1 | f48215df0f855328509a47c441a14e3578a20195 |
| SHA256 | 303989b692a57fe34b47bb2f926b91ac605f288ae6c9479b33eaf15a14eb33ac |
| SHA512 | a492bcab782ae385fbca6e0081926e41578778a7f196405372bb0f177ae0e47322859314068fb16167310ac50183f9dd507832b187382e494c3889cd6c64c129 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate8.ico
| MD5 | e7a252c763ce259f800183fd9dd1f512 |
| SHA1 | 4601c87f90e1c0061a7137370358ae11a4d83a23 |
| SHA256 | fde052efe70c27d8023065f0859627fc88bf86e166016e9cb00185c21de52742 |
| SHA512 | b140883eb89872306c7dbc4dfe75b204d927295649d3de9230748465628bdda4d2e6c8806ff2e5da9647ee45838200a1cba44cb7222f9173202f369465c4da05 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate9.ico
| MD5 | 8853da1f831cae28e59d45f5e51885ac |
| SHA1 | 496eefcfa68de25abb899addf39498d8420bfa3d |
| SHA256 | 0203c7d678464641c016dc3d658aba0a68f20b9a141d6e3ee1820c5b8b6401db |
| SHA512 | 1a48f52c305713f08059a83c9ec1b03ce310a068e3abbc546cb458c6b56934852637ef9da8beeacadd91dc06f338adb7fd7d709f906d2a5f533132283ef05197 |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate10.ico
| MD5 | 0cca04a3468575fdcefee9957e32f904 |
| SHA1 | ae5a03b47df97f5f1b14dca3539a1c4b0f407f15 |
| SHA256 | b94e68c711b3b06d9a63c80ad013c7c7bbdb5f8e82cbc866b246ff22d99b03fe |
| SHA512 | a59d832ee7d956ce348e0a73893e44683db148bc2fc54765b69921d710feffa2c1f652fafc7b8961ccb1d4a12d1dea701d7bb62956d4904a52cf1be6eb022fef |
C:\bb18dd10c50d0ad54bc9fb18\graphics\Rotate7.ico
| MD5 | b4947d242ab4a902031fcd1ffd3a56cd |
| SHA1 | 4014a05642118a306c742f56878db1ea61e78b6b |
| SHA256 | 995c9f4ea0d98c0c4e5037ede43fc44a680d85cb1e37c782adab775915e975b8 |
| SHA512 | a9c468b6c444b528898fe6fa26f42b57e7890c1992ba03e670ca849e9badbbad74c2d923eabef5ab88631ae7abde4477286c43d755ab566d1a70ec8e84a4ff93 |
C:\bb18dd10c50d0ad54bc9fb18\SetupUtility.exe
| MD5 | 2a20ff4988db90ae0632d898916950ca |
| SHA1 | f822b12f4efb31a99ec4df9a4d9c9806c55648fa |
| SHA256 | 289e23983692bdbd58ab0cb3b1668b5158d90a9937721185a75247a44d0c3243 |
| SHA512 | 02003b403ec2375b9ee004978d522c91666f4aa642288ead9963ff0e5701d2ab8efa9b3854f13dca8d85cf7b6b2890b000148a24d3565c9e4399b27936b691b0 |
C:\bb18dd10c50d0ad54bc9fb18\x64-Windows10.0-KB4486129-x64.cab
| MD5 | 92931fd8be50fbffa38a1c0bd631a403 |
| SHA1 | 90f411b539142a4d37f6389139bf5d0f5a82d5bf |
| SHA256 | 612f4e1a490681c5ec99e5c120d940217f7d1d02de64f8e1a3c7bff79815eb1a |
| SHA512 | fccba2ac368dde29c9ff9248217f1a8a0cc2b80dd22f5f3f9c20a6cd92e886d7ff7a2979ef00f65fc6da087203f9e07e90019afcc1433756a3a9de68c6d80adf |
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt
| MD5 | e1aaf0f8c1774a210b96d792b99f6590 |
| SHA1 | 14774345174101f3f5c16642f1d8096694d43071 |
| SHA256 | 563b82187fc5b1493435258503e0c6aa94516af7edbff357a7ad4db02fb070d7 |
| SHA512 | 22512e63bf8ac80fb3b06283f3c4e64416c23babb892ad86529824b8a180e8eaeff1cb9ce41ec9fae738aebee055d6ee4c6e733e74403cbb0b72c6f2c1f1cc25 |
C:\Users\Admin\AppData\Local\Temp\FA9BE4CC-6FD8-46E5-98C5-BAE6914F132E\DismHost.exe
| MD5 | 9ad8d8d2c6126cf9f65f4ba4cd24bcd9 |
| SHA1 | 505e851852228545903c2423afa81039e0bd9447 |
| SHA256 | 3687d79e43b9c3aa9ff31dbaafdd2f4674ce0937c7fe34813f43531f32e7aded |
| SHA512 | e38d6af47c7443119fb73fcd6bcb23dd6b96bce19c4a98802af96fd6751e12a8add8c48cc0062ffe315aa7a5ffa6c38787c4f2051a8f6b97ac0dc86b3f8d279e |
C:\Users\Admin\AppData\Local\Temp\FA9BE4CC-6FD8-46E5-98C5-BAE6914F132E\DismCorePS.dll
| MD5 | 4e43afafe9483d72a5838cdb8ea8d345 |
| SHA1 | 779d8c234343da4ca7fbdb16b5861eecb025f6e3 |
| SHA256 | 80e83929245c4377ecc73b7596ebf885d8e919b69ef975701a082d2b5cf2150e |
| SHA512 | 22267fe42128333940b9574fc5f5a70f0411280bd4e294bb456f987eb30c5ec1be12f4e5ce44e7007d793a3924032315782eaea96ab18da832ce56c1f0a3fe3d |
C:\Windows\Logs\DISM\dism.log
| MD5 | 172d59e853685338dc23b7bbbb7b9b97 |
| SHA1 | fde77b7a064199735297ff835a5adc02ca82e7af |
| SHA256 | 5a7558f5f0d2d775587c4f89dbb2daac85ce8f7d0a6f01795c3b093751be5413 |
| SHA512 | dbd3a4e6c62fde10cdfaa27c90f84882dd90bdd110121d7207aec5b1bac15704ce7857191032110f96d0183964db41c736e03d9bc3b403c82ed9e74468222502 |
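The dropped-files listing above is a flat path-then-digest dump, and the same content is reported more than once (SetupUi.dll and SetupResources.dll each appear with and without the drive letter). The Python below is an added example, not part of the original report or of any sandbox's own tooling: it parses that format, rejects digests whose length does not fit their algorithm, collapses repeats by SHA256 while keeping every path form seen, flags any path the sandbox reported with two different contents, and checks a local file's bytes against an entry. The function names are the example's own; the sample rows are copied from the listing above, and the short "rewrite" listing is constructed with placeholder digests to exercise the changed-path check.

```python
import hashlib
import re
from collections import OrderedDict

# Hex-digest lengths for the algorithms this listing reports.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Rows copied from the dropped-files listing above (SHA512 rows omitted for brevity).
SAMPLE_LISTING = r"""
C:\bb18dd10c50d0ad54bc9fb18\SetupUi.dll
| MD5 | 6f51e9b469f95edb9156c74b4b0f4e1b |
| SHA1 | 5224c3de0fa4895297898f76ed5647ef40d924f8 |
| SHA256 | 9fd4639955338928731a8ab6e131175949a179931b8c9d4fcadd2367d749b826 |
\bb18dd10c50d0ad54bc9fb18\SetupUi.dll
| MD5 | 6f51e9b469f95edb9156c74b4b0f4e1b |
| SHA1 | 5224c3de0fa4895297898f76ed5647ef40d924f8 |
| SHA256 | 9fd4639955338928731a8ab6e131175949a179931b8c9d4fcadd2367d749b826 |
C:\bb18dd10c50d0ad54bc9fb18\SetupUtility.exe
| MD5 | 2a20ff4988db90ae0632d898916950ca |
| SHA1 | f822b12f4efb31a99ec4df9a4d9c9806c55648fa |
| SHA256 | 289e23983692bdbd58ab0cb3b1668b5158d90a9937721185a75247a44d0c3243 |
C:\bb18dd10c50d0ad54bc9fb18\SetupUtility.exe
| MD5 | 2a20ff4988db90ae0632d898916950ca |
| SHA1 | f822b12f4efb31a99ec4df9a4d9c9806c55648fa |
| SHA256 | 289e23983692bdbd58ab0cb3b1668b5158d90a9937721185a75247a44d0c3243 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 172d59e853685338dc23b7bbbb7b9b97 |
| SHA1 | fde77b7a064199735297ff835a5adc02ca82e7af |
| SHA256 | 5a7558f5f0d2d775587c4f89dbb2daac85ce8f7d0a6f01795c3b093751be5413 |
"""

# Constructed listing (placeholder digests): one path reported with two different contents.
CONSTRUCTED_REWRITE = "C:\\tmp\\stage.bin\n| SHA256 | %s |\nC:\\tmp\\stage.bin\n| SHA256 | %s |\n" % (
    "0" * 64, "1" * 64)

ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_listing(text):
    """Turn the path/hash-row listing into entries of {path, hashes, bad}.
    A digest of the wrong length for its algorithm goes under 'bad' instead
    of being accepted as an indicator."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:                      # any non-row line starts a new file entry
            current = {"path": line, "hashes": {}, "bad": []}
            entries.append(current)
            continue
        if current is None:
            raise ValueError("hash row before any path: %s" % line)
        alg, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LENGTHS[alg]:
            current["bad"].append((alg, digest))
        else:
            current["hashes"][alg] = digest
    return entries


def normalize_path(path):
    """Case-fold and drop a drive prefix so 'C:\\x\\y' and '\\x\\y' compare equal."""
    p = path.strip().lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p


def unique_indicators(entries):
    """One record per SHA256, keeping every distinct normalized path reported for it."""
    by_sha256 = OrderedDict()
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha is None:
            continue
        rec = by_sha256.setdefault(sha, {"paths": [], "md5": e["hashes"].get("MD5"),
                                         "sha1": e["hashes"].get("SHA1")})
        np = normalize_path(e["path"])
        if np not in rec["paths"]:
            rec["paths"].append(np)
    return by_sha256


def changed_paths(entries):
    """Paths reported with more than one SHA256: the file was rewritten during
    detonation, or two different files landed at the same path."""
    seen = OrderedDict()
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha is None:
            continue
        lst = seen.setdefault(normalize_path(e["path"]), [])
        if sha not in lst:
            lst.append(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


def digests_of_bytes(data):
    """MD5/SHA1/SHA256/SHA512 of a byte string, keyed like the listing."""
    return {alg: getattr(hashlib, alg.lower())(data).hexdigest() for alg in HASH_LENGTHS}


def matches_entry(entry, data):
    """True only if every digest the listing gives for the entry agrees with the data."""
    got = digests_of_bytes(data)
    return bool(entry["hashes"]) and all(got[a] == h for a, h in entry["hashes"].items())


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(len(parsed), "entries,", len(unique_indicators(parsed)), "unique by SHA256")
    print("rewritten paths:", changed_paths(parse_listing(CONSTRUCTED_REWRITE)))
```

To check a local copy of a dropped file, read its bytes and pass them with the matching entry to `matches_entry`; a mismatch on any one algorithm is a reason to distrust the entry rather than the file, since the sandbox computed all four from the same bytes.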