Resubmissions
31-01-2024 04:13  240131-etjqaadbbj  7
25-01-2024 16:01  240125-tgnk2aaca5  10
25-01-2024 15:47  240125-s76c4aaab6  3

Analysis
max time kernel: 1598s
max time network: 1601s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25-01-2024 16:01
Static task: static1
General
Target: TauDEM537_setup.exe
Size: 88.6MB
MD5: 33f7f04d3df20cf2c5aabea259150d51
SHA1: 8eb78ef9e2cdad7fee7704fb8a3820277eaff6ea
SHA256: e8109b14400b3a580fbc4f5aa6930536df59a046b6cc5625c8ab47bfe39b4937
SHA512: f6c5d9d51e8d103d134252546a6be1070800a1e6875c50cada378c7eddee7c06d271a540833d50002714927bcb6e4d975b9bcdfd6a809ba43fcf6d1477d94faa
SSDEEP: 1572864:pn/WnnDLV0dwTIYWU3bnTdE/aBBuAVZm6NT16YRaucD9aaXSF5OCKDbE6bMdyDiX:p/WnHyy8UjTSCXjrF56m8haMSF5OCKDu
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 9 IoCs)
Processes (pid, process):
  1360 netsh.exe
  1936 netsh.exe
  168 netsh.exe
  1528 netsh.exe
  4480 netsh.exe
  3344 netsh.exe
  356 netsh.exe
  2900 netsh.exe
  8 netsh.exe
Executes dropped EXE (3 IoCs)
Processes (pid, process):
  4124 TauDEM537_setup.tmp
  5008 MSMpiSetup.exe
  500 PurgeMsmpi_x64.exe
Loads dropped DLL (15 IoCs)
Processes (pid, process):
  4160 MsiExec.exe
  3868 MsiExec.exe
  3868 MsiExec.exe
  3868 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
  4908 MsiExec.exe
Blocklisted process makes network request (4 IoCs)
Processes (flow, pid, process):
  17 4860 msiexec.exe
  19 4860 msiexec.exe
  21 4860 msiexec.exe
  23 4860 msiexec.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (8 IoCs)
Processes (description, ioc, process):
  File created                  C:\Windows\SysWOW64\msmpires.dll   msiexec.exe
  File created                  C:\Windows\system32\msmpires.dll   msiexec.exe
  File opened for modification  C:\Windows\System32\Msmpi.dll      PurgeMsmpi_x64.exe
  File opened for modification  C:\Windows\System32\Msmpires.dll   PurgeMsmpi_x64.exe
  File opened for modification  C:\Windows\SysWow64\Msmpi.dll      PurgeMsmpi_x64.exe
  File opened for modification  C:\Windows\SysWow64\Msmpires.dll   PurgeMsmpi_x64.exe
  File created                  C:\Windows\SysWOW64\msmpi.dll      msiexec.exe
  File created                  C:\Windows\system32\msmpi.dll      msiexec.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (42 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (5 IoCs)
Processes (description, ioc, process):
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B           msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c           msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E  msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a           msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b           msiexec.exe
Modifies registry class (62 IoCs)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
  4124 TauDEM537_setup.tmp
  4124 TauDEM537_setup.tmp
  1464 msiexec.exe
  1464 msiexec.exe
  1464 msiexec.exe
  1464 msiexec.exe
  1464 msiexec.exe
  1464 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, process):
  1700 msiexec.exe
  4860 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (7 IoCs)
Processes (pid, process):
  4124 TauDEM537_setup.tmp
  1700 msiexec.exe
  1700 msiexec.exe
  4860 msiexec.exe
  4860 msiexec.exe
  2772 msiexec.exe
  2772 msiexec.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TauDEM537_setup.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\TauDEM537_setup.exe"
- Suspicious use of WriteProcessMemory
PID:2524
-
C:\Users\Admin\AppData\Local\Temp\is-EPVG3.tmp\TauDEM537_setup.tmp (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-EPVG3.tmp\TauDEM537_setup.tmp" /SL5="$701EE,92498073,56832,C:\Users\Admin\AppData\Local\Temp\TauDEM537_setup.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4124
-
C:\Windows\SysWOW64\msiexec.exe (tree level 3)
Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Program Files\TauDEM\setup_files\GDAL-2.1.0.win32-py2.7.msi"
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1700
-
C:\Windows\SysWOW64\msiexec.exe (tree level 3)
Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Program Files\TauDEM\setup_files\gdal-201-1800-x64-core.msi"
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4860
-
C:\Program Files\TauDEM\setup_files\MSMpiSetup.exe (tree level 3)
Command line: "C:\Program Files\TauDEM\setup_files\MSMpiSetup.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008
-
C:\Users\Admin\AppData\Local\Temp\f2ed52ca-31fa-4c77-ba4d-8ac7ac6caa3b\PurgeMsmpi_x64.exe (tree level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\f2ed52ca-31fa-4c77-ba4d-8ac7ac6caa3b\PurgeMsmpi_x64.exe"
- Executes dropped EXE
- Drops file in System32 directory
PID:500
-
C:\Windows\SysWOW64\msiexec.exe (tree level 4)
Command line: msiexec /i "C:\Users\Admin\AppData\Local\Temp\f2ed52ca-31fa-4c77-ba4d-8ac7ac6caa3b\mpi_x64.msi" INSTALLLEVEL=300 WRAPPERPATH="C:\Users\Admin\AppData\Local\Temp\f2ed52ca-31fa-4c77-ba4d-8ac7ac6caa3b\MSMPISetup.exe"
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2772
-
C:\Windows\system32\msiexec.exe (tree level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
-
C:\Windows\system32\srtasks.exe (tree level 2)
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- Suspicious use of AdjustPrivilegeToken
PID:4212
-
C:\Windows\syswow64\MsiExec.exe (tree level 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CD288B6E970D06D2B19687D08B7B6F76 C
- Loads dropped DLL
PID:4160
-
C:\Windows\syswow64\MsiExec.exe (tree level 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3AC2F38E89B721C583B23C808E5C3CB6
- Loads dropped DLL
PID:3868
-
C:\Windows\syswow64\MsiExec.exe (tree level 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CEB63117EA4CB761FBB5ACEE5FBB29AE E Global\MSI0000
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4908
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall delete rule name=MSMPI-LaunchSvc
- Modifies Windows Firewall
PID:4480
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall delete rule name=MSMPI-MPIEXEC
- Modifies Windows Firewall
PID:2900
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall delete rule name=MSMPI-SMPD
- Modifies Windows Firewall
PID:3344
-
C:\Windows\syswow64\wevtutil.exe (tree level 3)
Command line: "wevtutil.exe" im "C:\Program Files\Microsoft MPI\Bin\mpitrace.man"
- Suspicious use of WriteProcessMemory
PID:2540
-
C:\Windows\System32\wevtutil.exe (tree level 4)
Command line: "wevtutil.exe" im "C:\Program Files\Microsoft MPI\Bin\mpitrace.man" /fromwow64
PID:1668
-
C:\Windows\SysWOW64\setx.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\setx.exe" /M MSMPI_BIN "C:\Program Files\Microsoft MPI\Bin\
PID:2536
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name=MSMPI-LaunchSvc dir=in action=allow program="C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe"
- Modifies Windows Firewall
PID:356
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name=MSMPI-LaunchSvc dir=out action=allow program="C:\Program Files\Microsoft MPI\Bin\msmpilaunchsvc.exe"
- Modifies Windows Firewall
PID:1360
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name=MSMPI-MPIEXEC dir=in action=allow program="C:\Program Files\Microsoft MPI\Bin\mpiexec.exe" profile=any
- Modifies Windows Firewall
PID:8
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name=MSMPI-MPIEXEC dir=out action=allow program="C:\Program Files\Microsoft MPI\Bin\mpiexec.exe" profile=any
- Modifies Windows Firewall
PID:1936
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name=MSMPI-SMPD dir=in action=allow program="C:\Program Files\Microsoft MPI\Bin\smpd.exe"
- Modifies Windows Firewall
PID:168
-
C:\Windows\SysWOW64\netsh.exe (tree level 3)
Command line: "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name=MSMPI-SMPD dir=out action=allow program="C:\Program Files\Microsoft MPI\Bin\smpd.exe"
- Modifies Windows Firewall
PID:1528
-
C:\Windows\system32\vssvc.exe (tree level 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
C:\Windows\System32\rundll32.exe (tree level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4552
Network
MITRE ATT&CK Enterprise v15
Downloads