93f42b3c26cf0078ddb233257b162c7515e408741c16cbb7488a7d240e5bc451

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProHance Mate v9.8.2.410 Setup.msi
Size

5.6MB
MD5

202a0e961910a546b753fa7eaad788fc
SHA1

72bf6d9f4fb755fd57a0135ca93acacca7f2ecd6
SHA256

93f42b3c26cf0078ddb233257b162c7515e408741c16cbb7488a7d240e5bc451
SHA512

f1b3bbfcff2873c409577f587964d7fc06cf683297dd3899d9a6180969b01fb54a3b6c95618dd8cbef24f7c0d6ee37e25611513be8cf6fcba66e45acacaf245b
SSDEEP

98304:j9Yic5MoLZzbSn8N303FHqViHpEjd5X2f41mqQcq50DYlMX+Od9AYImyZWB5xjgo:yiqMoLBSn8N3y0iHujX5mLL5FK+CF

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2584	netsh.exe
1692	netsh.exe
1788	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2316	PHMateService.exe
1556	PHMateUpdateService.exe

Loads dropped DLL 12 IoCs

pid	Process
2364	MsiExec.exe
2364	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
576	MsiExec.exe
624	installutil.exe
624	installutil.exe
2320	installutil.exe
2320	installutil.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\serviceinstall.log	installutil.exe
File opened for modification	C:\Windows\SysWOW64\serviceinstall.log	installutil.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ProHance Mate\GFramework.WinForm.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMessageService.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\System.Linq.Dynamic.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHProbeCalenderMeetings.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Update\PHMateHealthProperties.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateService.exe	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateIdleTimeProcess.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateUpdater.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.InstallState	installutil.exe
File created	C:\Program Files (x86)\ProHance Mate\Update\PHUpdate.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\OpenCvSharp.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateWebSocketServer.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHStartMate.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\RestSharp.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHInstallerLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\ProHance.AT.UI.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateLogRetriever.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\BrowserPlugin\PHProbeBrowserPluginNativeAPI.exe	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateSocketServerLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\BrowserPlugin\nativeapimozila.json	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\log4net.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\ProHance.AT.Model.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Update\PHUpdate.properties	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\GFramework.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateUninstall.exe	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\System.Management.Automation.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateMonitorLockedUsers.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\NetOffice.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHInstallerLib.InstallState	MsiExec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateSoftwareProcessMonitor.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateService.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.exe	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Update\log4net.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateHealthProperties.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateAuthentication.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\BrowserPlugin\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateFTPUtilityService.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateHealthProcess.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMate.exe	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHScreenDataFlush.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\BrowserPlugin\Plugins\[email protected]	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\BrowserPlugin\nativeapichrome.json	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateServiceHealth.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHScreenAT.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHWorkOutput.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateFRDataFlush.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateMoniterServices.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Banner.jpg	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\ProHance.FileHandler.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\ClientProperties.dat	PHMateService.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateUserProbeProperties.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateAsyncClientServerLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\Renci.SshNet.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateService.InstallState	installutil.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateUserActivityProcessor.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateRegistration.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\OfficeApi.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateLicense.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\PHMateMultiThreadQueueLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\OutlookApi.dll	msiexec.exe
File created	C:\Program Files (x86)\ProHance Mate\ProHance.AT.URLCT.dll	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8835.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f768650.ipi	msiexec.exe
File created	C:\Windows\Installer\f768650.ipi	msiexec.exe
File created	C:\Windows\Installer\f76864f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76864f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI868E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI874A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI897F.tmp	msiexec.exe
File created	C:\Windows\Installer\f768652.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A89.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1532	sc.exe
2696	sc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	installutil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	installutil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	installutil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	installutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	installutil.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateRegistration.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateDataFlush.dll\PHMateDataFlush,Version="3.0.0.1",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e004500680039007b004a0077005e0056003d005b004f0077002a002e00470057006b0040006d002e0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|Renci.SshNet.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PH Probe IPC Framework.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateHealthProcess.dll\PHMateHealthProcess,Version="3.0.0.1",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e002c006a0046002a00500069006a003900790040005b00650064007700580079002a0074005d00430000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateSocketServerLib.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateUserActivityProcessor.dll\PHMateUserActivityProcessor,Version="3.0.0.1",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e006900290056003200610042007b004500300068006c0048005600270058007700760057005800790000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateAuthentication.dll\PHMateAuthentication,Version="3.0.0.1",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e006c005100440079002400360059004a004e0048004c002d0073002700430052002e002c002e00630000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|OutlookApi.dll\OutlookApi,Version="1.7.4.0",Culture="neutral",PublicKeyToken="D0B2DC7C792D5CA6",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e00400076006a002d00480054002e007e00390040007a00350041006e00670043006e007b005200630000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2860321622FD86B4EB6144541FE5BFCA\399B3E3F47400C642B842BB8035E34A0	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateUserProbeProperties.dll\PHMateUserProbeProperties,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e003f00480077004c00680079003f002a006f007300500070002c0044005f00320066002b005100630000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMate.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399B3E3F47400C642B842BB8035E34A0\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateMonitorLockedUsers.dll\PHMateMonitorLockedUsers,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0063004d00630051006f0050004a007300210066005b0054003800730039003000260061003100360000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateIdleTimeProcess.dll\PHMateIdleTimeProcess,Version="3.0.0.1",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e002b007e00490029004d003500500052006400550027006e002c0062003d0070006a006f007e002d0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateHealthProperties.dll\PHMateHealthProperties,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e002c00710071002600720079005e00460067004b003d003600360061005f0044004a0034003300620000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|RestSharp.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|NetOffice.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|Update\|PHMateUpdateService.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399B3E3F47400C642B842BB8035E34A0\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|GFramework.WinForm.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHProbeCalenderMeetings.dll\PHProbeCalenderMeetings,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e006b00640062006e002e0030002b007a0046005f00440035002b004a005900790072007d0028005d0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateMonitorLockedUsers.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateHeartBeat.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|System.Management.Automation.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|DotNetZip.dll\DotNetZip,Version="1.16.0.0",Culture="neutral",PublicKeyToken="6583C7C814667745",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e006e0034004f0064007600350029003d00540068005d003d004d0032002c00480074004d006000550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateSocketServerLib.dll\PHMateSocketServerLib,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0051004900580073004a0057006800260072005e0047004c0048006b004e004700690068004d00310000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHWorkOutput.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateUserProbeProperties.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateFRDataFlush.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|BrowserPlugin\|PHProbeBrowserPluginNativeAPI.exe\PHProbeBrowserPluginNativeAPI,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e006d006a006f0034006a0071002a0077007a005e006e006f007a005f005a004f0024006a004f00410000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHStartMate.dll	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399B3E3F47400C642B842BB8035E34A0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399B3E3F47400C642B842BB8035E34A0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399B3E3F47400C642B842BB8035E34A0\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateUpdater.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateService.exe	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|Update\|PHMateUpdateService.exe\PHMateUpdateService,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e00330078006a005600560078002c0049003f0047005e004e00280051004500670021002e005d00580000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|DotNetZip.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|OfficeApi.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|ProHance.AT.UI.dll\ProHance.AT.UI,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0048005400280079002d00560063007400610049006700730039005800680035006a0039006200700000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateHeartBeat.dll\PHMateHeartBeat,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e007600380076005900670064002100740032007800490058007d004f002d005b00530033002800580000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|ProHance.AT.JAB.dll\ProHance.AT.JAB,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0065007d0056004e007500250030002900390028005b00770047002d00570035006500340034003d0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHConfigService.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateMultiThreadQueueLib.dll\PHMateMultiThreadQueueLib,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0079004900570055004f003d004a004a0064004b007d004c0067005f006f0064003200730030002e0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|Newtonsoft.Json.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateIdleTimeProcess.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateFTPUtilityService.dll\PHMateFTPUtilityService,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0078005e002b00480079005e00690067005d004500740041002900610055007a00570078002a00290000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateAsyncClientServerLib.dll\PHMateAsyncClientServerLib,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e006700340053002a00540072006a007900460040003d004b0024002a0037004c007800610029006b0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMessageService.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399B3E3F47400C642B842BB8035E34A0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399B3E3F47400C642B842BB8035E34A0\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|Update\|PHUpdate.dll\PHUpdate,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0026007d00410032005700580026005500740028006d007a00630028002a00770050004e003400790000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|BrowserPlugin\|PHProbeBrowserPluginNativeAPI.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\399B3E3F47400C642B842BB8035E34A0\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|ProHance.AT.URLCT.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateFTPUtilityService.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateLicense.dll\PHMateLicense,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e006200640070003f006e002b0045007400780073004e00760027006a0063003400630061007100760000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|GFramework.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|System.Linq.Dynamic.dll\System.Linq.Dynamic,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e002a0025004f0077004c0061005b0059005700770034005400270069006d002e00510026006300630000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMate.exe\PHMate,Version="3.0.0.37",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e00500032004f004b0058004f002d00720053003f0021004b003600420038003d00500033002800410000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|BrowserPlugin\|Newtonsoft.Json.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateUninstall.exe	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ProHance Mate\|PHMateUninstall.exe\PHMateUninstall,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 4d0049006c0048007700520031006e0067003d0062007500450075005400320077004c00410026003e0021004b00460043006c002d002c0075004500470028002b002c003300580077006e007d005500520000000000	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3000	msiexec.exe
3000	msiexec.exe
2316	PHMateService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	3000	msiexec.exe
Token: SeTakeOwnershipPrivilege	3000	msiexec.exe
Token: SeSecurityPrivilege	3000	msiexec.exe
Token: SeCreateTokenPrivilege	1752	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1752	msiexec.exe
Token: SeLockMemoryPrivilege	1752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1752	msiexec.exe
Token: SeMachineAccountPrivilege	1752	msiexec.exe
Token: SeTcbPrivilege	1752	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeLoadDriverPrivilege	1752	msiexec.exe
Token: SeSystemProfilePrivilege	1752	msiexec.exe
Token: SeSystemtimePrivilege	1752	msiexec.exe
Token: SeProfSingleProcessPrivilege	1752	msiexec.exe
Token: SeIncBasePriorityPrivilege	1752	msiexec.exe
Token: SeCreatePagefilePrivilege	1752	msiexec.exe
Token: SeCreatePermanentPrivilege	1752	msiexec.exe
Token: SeBackupPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeShutdownPrivilege	1752	msiexec.exe
Token: SeDebugPrivilege	1752	msiexec.exe
Token: SeAuditPrivilege	1752	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1752	msiexec.exe
Token: SeChangeNotifyPrivilege	1752	msiexec.exe
Token: SeRemoteShutdownPrivilege	1752	msiexec.exe
Token: SeUndockPrivilege	1752	msiexec.exe
Token: SeSyncAgentPrivilege	1752	msiexec.exe
Token: SeEnableDelegationPrivilege	1752	msiexec.exe
Token: SeManageVolumePrivilege	1752	msiexec.exe
Token: SeImpersonatePrivilege	1752	msiexec.exe
Token: SeCreateGlobalPrivilege	1752	msiexec.exe
Token: SeCreateTokenPrivilege	1752	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1752	msiexec.exe
Token: SeLockMemoryPrivilege	1752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1752	msiexec.exe
Token: SeMachineAccountPrivilege	1752	msiexec.exe
Token: SeTcbPrivilege	1752	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeLoadDriverPrivilege	1752	msiexec.exe
Token: SeSystemProfilePrivilege	1752	msiexec.exe
Token: SeSystemtimePrivilege	1752	msiexec.exe
Token: SeProfSingleProcessPrivilege	1752	msiexec.exe
Token: SeIncBasePriorityPrivilege	1752	msiexec.exe
Token: SeCreatePagefilePrivilege	1752	msiexec.exe
Token: SeCreatePermanentPrivilege	1752	msiexec.exe
Token: SeBackupPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeShutdownPrivilege	1752	msiexec.exe
Token: SeDebugPrivilege	1752	msiexec.exe
Token: SeAuditPrivilege	1752	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1752	msiexec.exe
Token: SeChangeNotifyPrivilege	1752	msiexec.exe
Token: SeRemoteShutdownPrivilege	1752	msiexec.exe
Token: SeUndockPrivilege	1752	msiexec.exe
Token: SeSyncAgentPrivilege	1752	msiexec.exe
Token: SeEnableDelegationPrivilege	1752	msiexec.exe
Token: SeManageVolumePrivilege	1752	msiexec.exe
Token: SeImpersonatePrivilege	1752	msiexec.exe
Token: SeCreateGlobalPrivilege	1752	msiexec.exe
Token: SeCreateTokenPrivilege	1752	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1752	msiexec.exe
1752	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2364	3000	msiexec.exe	29
PID 3000 wrote to memory of 2364	3000	msiexec.exe	29
PID 3000 wrote to memory of 2364	3000	msiexec.exe	29
PID 3000 wrote to memory of 2364	3000	msiexec.exe	29
PID 3000 wrote to memory of 2364	3000	msiexec.exe	29
PID 3000 wrote to memory of 2364	3000	msiexec.exe	29
PID 3000 wrote to memory of 2364	3000	msiexec.exe	29
PID 3000 wrote to memory of 2088	3000	msiexec.exe	33
PID 3000 wrote to memory of 2088	3000	msiexec.exe	33
PID 3000 wrote to memory of 2088	3000	msiexec.exe	33
PID 3000 wrote to memory of 2088	3000	msiexec.exe	33
PID 3000 wrote to memory of 2088	3000	msiexec.exe	33
PID 3000 wrote to memory of 2088	3000	msiexec.exe	33
PID 3000 wrote to memory of 2088	3000	msiexec.exe	33
PID 3000 wrote to memory of 576	3000	msiexec.exe	34
PID 3000 wrote to memory of 576	3000	msiexec.exe	34
PID 3000 wrote to memory of 576	3000	msiexec.exe	34
PID 3000 wrote to memory of 576	3000	msiexec.exe	34
PID 3000 wrote to memory of 576	3000	msiexec.exe	34
PID 3000 wrote to memory of 576	3000	msiexec.exe	34
PID 3000 wrote to memory of 576	3000	msiexec.exe	34
PID 576 wrote to memory of 2584	576	MsiExec.exe	35
PID 576 wrote to memory of 2584	576	MsiExec.exe	35
PID 576 wrote to memory of 2584	576	MsiExec.exe	35
PID 576 wrote to memory of 2584	576	MsiExec.exe	35
PID 576 wrote to memory of 1692	576	MsiExec.exe	38
PID 576 wrote to memory of 1692	576	MsiExec.exe	38
PID 576 wrote to memory of 1692	576	MsiExec.exe	38
PID 576 wrote to memory of 1692	576	MsiExec.exe	38
PID 576 wrote to memory of 1788	576	MsiExec.exe	39
PID 576 wrote to memory of 1788	576	MsiExec.exe	39
PID 576 wrote to memory of 1788	576	MsiExec.exe	39
PID 576 wrote to memory of 1788	576	MsiExec.exe	39
PID 576 wrote to memory of 624	576	MsiExec.exe	42
PID 576 wrote to memory of 624	576	MsiExec.exe	42
PID 576 wrote to memory of 624	576	MsiExec.exe	42
PID 576 wrote to memory of 624	576	MsiExec.exe	42
PID 576 wrote to memory of 624	576	MsiExec.exe	42
PID 576 wrote to memory of 624	576	MsiExec.exe	42
PID 576 wrote to memory of 624	576	MsiExec.exe	42
PID 576 wrote to memory of 1080	576	MsiExec.exe	43
PID 576 wrote to memory of 1080	576	MsiExec.exe	43
PID 576 wrote to memory of 1080	576	MsiExec.exe	43
PID 576 wrote to memory of 1080	576	MsiExec.exe	43
PID 1080 wrote to memory of 1532	1080	cmd.exe	45
PID 1080 wrote to memory of 1532	1080	cmd.exe	45
PID 1080 wrote to memory of 1532	1080	cmd.exe	45
PID 1080 wrote to memory of 1532	1080	cmd.exe	45
PID 576 wrote to memory of 2320	576	MsiExec.exe	51
PID 576 wrote to memory of 2320	576	MsiExec.exe	51
PID 576 wrote to memory of 2320	576	MsiExec.exe	51
PID 576 wrote to memory of 2320	576	MsiExec.exe	51
PID 576 wrote to memory of 2320	576	MsiExec.exe	51
PID 576 wrote to memory of 2320	576	MsiExec.exe	51
PID 576 wrote to memory of 2320	576	MsiExec.exe	51
PID 576 wrote to memory of 1412	576	MsiExec.exe	49
PID 576 wrote to memory of 1412	576	MsiExec.exe	49
PID 576 wrote to memory of 1412	576	MsiExec.exe	49
PID 576 wrote to memory of 1412	576	MsiExec.exe	49
PID 1412 wrote to memory of 2696	1412	cmd.exe	47
PID 1412 wrote to memory of 2696	1412	cmd.exe	47
PID 1412 wrote to memory of 2696	1412	cmd.exe	47
PID 1412 wrote to memory of 2696	1412	cmd.exe	47
PID 576 wrote to memory of 2652	576	MsiExec.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\ProHance Mate v9.8.2.410 Setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89AAB632D912F1D46381A48A17B8ADA5 C
  2⤵
  - Loads dropped DLL
  PID:2364
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A31B8CC9C005995E2742C10D9DC42476
  2⤵
  - Loads dropped DLL
  PID:2088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7D3E47D9E91771220F29DFDB81CE0E81 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\syswow64\netsh.exe
    "netsh" advfirewall firewall add rule name = "ProHance Mate Service" dir=in action=allow program="C:\Program Files (x86)\ProHance Mate\C:\Program Files (x86)\ProHance Mate\PHMateService.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:2584
- - C:\Windows\syswow64\netsh.exe
    "netsh" advfirewall firewall add rule name = "ProHance Mate" dir=in action=allow program="C:\Program Files (x86)\ProHance Mate\C:\Program Files (x86)\ProHance Mate\PHMate.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:1692
- - C:\Windows\syswow64\netsh.exe
    "netsh" advfirewall firewall add rule name = "ProHance Mate Update" dir=in action=allow program="C:\Program Files (x86)\ProHance Mate\C:\Program Files (x86)\ProHance Mate\PHMateUpdateService.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Modifies data under HKEY_USERS
    PID:1788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" /i /LogFile=serviceinstall.log /LogToConsole=false "C:\Program Files (x86)\ProHance Mate\PHMateService.exe
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    PID:624
- - C:\Windows\syswow64\cmd.exe
    "cmd" /C sc failure "ProHance Mate Service" reset= 86400 actions= restart/300000/restart/300000/restart/300000
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\sc.exe
      sc failure "ProHance Mate Service" reset= 86400 actions= restart/300000/restart/300000/restart/300000
      4⤵
      Launches sc.exe
      PID:1532
- - C:\Windows\syswow64\cmd.exe
    "cmd" /C sc failure "ProHance Mate Update Service" reset= 86400 actions= restart/300000/restart/300000/restart/300000
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1412
- - C:\Windows\syswow64\net.exe
    "net" start "ProHance Mate Service"
    3⤵
    PID:2652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "ProHance Mate Service"
      4⤵
      PID:1284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" /i /LogFile=serviceinstall.log /LogToConsole=false "C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.exe
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    PID:2320
- - C:\Windows\syswow64\net.exe
    "net" start "ProHance Mate Update Service"
    3⤵
    PID:2936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "ProHance Mate Update Service"
      4⤵
      PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2756

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "00000000000005B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2168

C:\Windows\SysWOW64\sc.exe
sc failure "ProHance Mate Update Service" reset= 86400 actions= restart/300000/restart/300000/restart/300000
1⤵
- Launches sc.exe
PID:2696

C:\Program Files (x86)\ProHance Mate\PHMateService.exe
"C:\Program Files (x86)\ProHance Mate\PHMateService.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.exe
"C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.exe"
1⤵
- Executes dropped EXE
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768651.rbs

Filesize
149KB

MD5
9217091789608a71ad26df7c0ecf4be4

SHA1
8714e21c66c4e3dea61d7ade94fec5af7f8e50bb

SHA256
0214d6731d3a7bebcbf86f4e42b6dd01502edc1e7fb387ac2247cef11a129d4f

SHA512
f0f5903b5bd451858a0c398b5d5e706083e4171d9ab7606f37d1ba0e6bef9bc7599e4229123fe8982b5a0a9bb8d9961e336726641f0b17c6b6e7f7c1117d79d0

Download Submit
C:\Program Files (x86)\ProHance Mate\Banner.jpg

Filesize
5KB

MD5
4cbc574da3c00ce0452cb0d7dc16c477

SHA1
59c750cd20d7897fa07426a431e3a5e9003be757

SHA256
d2f4a4c4bd89823953b9d8a42a2d0dd6966c5f08246b92050d900e7b870c9c91

SHA512
26abe43b0a70d309aca043f06711b8ab923045a548be1d655e153f27261a1d10b8c07d41ad80b1b21cfad3763650d79327f5bcaee1edeb0c4f776f190c1db07c

Download Submit
C:\Program Files (x86)\ProHance Mate\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Program Files (x86)\ProHance Mate\PHMateFTPUtilityService.dll

Filesize
77KB

MD5
c899ec02d56eba6323486dc3ef6d6b7c

SHA1
0ff609ae40ae2dbf4d34f1aedd030278d95dc68f

SHA256
efc116a446adcf6a3919f07b840abf14f5c0d8cfabd414c767855dc6587b8140

SHA512
f8bbb2915800436e68502df144f693c15f001b6f7636d163a8a693bb3cfa76c6abceb2c35e6d4a795ed43840da34bcb38b0c8b287068192498f94341ae829865

Download Submit
C:\Program Files (x86)\ProHance Mate\PHMateLib.dll

Filesize
497KB

MD5
4588b6a55b9dab34e0ffce565fbe763c

SHA1
c933779cae27ddf28e5c345ef5afbad43968dae9

SHA256
da82119b74b9de7ff7d0f2766be55f9af92648a3024da7a5bfeb30ffd0592cdd

SHA512
3816bc66f03017d45bfb88a49f9016c0b32a97d7799354a3f55b72065b5666a279624ab698b1adf2b2280b4a66bef367a200457f99bb4bcb494cd9942f4af226

Download Submit
C:\Program Files (x86)\ProHance Mate\PHMateProperties.dll

Filesize
126KB

MD5
0ad191e8e0619549f482eeda22bf9fbf

SHA1
b539554c14eb45f566a319ad4070fa70e022cb5c

SHA256
82a3e25eea4037443fb46b228c9653f72e34e601121ab135accec19d9ad07bb7

SHA512
47a1315b007437fc80d7f00351f02ecd4a2640d9f87072354a197b158e973ebabe80510817c8c0028994e7ce3f871c46dc821619a7a6eef065ff8283f18e9145

Download Submit
C:\Program Files (x86)\ProHance Mate\PHMateService.exe

Filesize
55KB

MD5
8dd555edf5b7fa445749b73773d8c6f7

SHA1
6d4fff8c53ec78b41e2eea8e5c72e59e921cdc16

SHA256
5def3048156219bcf4f98a3e32eb189a59060db23b05a443c89573db4ed10e4e

SHA512
a7a3ff54de8f44d5a41e7ee4bc6906227f78afc62401a3daabaa23e43cf0be43b70f094780187b0e7dccc8936cf940e621a0d52e50144205d51b9daa71b46d64

Download Submit
C:\Program Files (x86)\ProHance Mate\PHMateService.exe.config

Filesize
2KB

MD5
ca90c946969af93a03bc019486996b32

SHA1
c63158e0970322ee98d49708bd9bdd41c2c3867a

SHA256
a0d10402777ba4458497535637baa86458e91dfbffa1e0c4c8cd4daabf68448e

SHA512
bed15a80895fa09b687494fb5c44081e940e52d030de2063045804334247b2c2bf2c25f4508622e6476b91abc1c67e705a646c8362c722fc34c37ada3c0002c9

Download Submit
C:\Program Files (x86)\ProHance Mate\ProHance.FileHandler.dll

Filesize
19KB

MD5
59108d3011cc325cbb6fccb597a340f5

SHA1
eb1672426ba7c917999a63f732d0d860eedd7a8a

SHA256
5cd31c5fda4ab18b42bbd1cb6ac1118fe0a26aa4e97eb7fafe1e073d844be5cc

SHA512
495a48258005cc3470dd1ce8eb317ed5d316208c55c3a3f38abce97bad0b4a634559cd4388d82d43e303013d8c9120d36074d7538fe4403432065cc8ae0f5625

Download Submit
C:\Program Files (x86)\ProHance Mate\Update\PHMateHealthProperties.dll

Filesize
17KB

MD5
a19c5aa620613d8e7a0e87133725f31b

SHA1
a971e71c93c7ac1aa5cf486e61a1c2ed1d62e56a

SHA256
4c376449704d3d1e7948da073e50f7ee7a9f8dd68118462dd420ef5fc837c85f

SHA512
03ac19f0042d41945c87ced95071900b60e86c104c161aee3bd580a5fe19cdf326d6c984650557954732683b9842e7ea2960ccb5854c1144658cdb009d04c9b7

Download Submit
C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.exe

Filesize
10KB

MD5
f0988ba69de76dc1cdae66e4a1413ce6

SHA1
ad8408f2c931ecc584f00fea49d515cfe5eee6a8

SHA256
bbf288728584dfc92b8945e5b22a782c6e596ae4c429b0ee00821afb62a958c5

SHA512
dba96072c2d8988d9b4c17b4fb4b916db5cb4fa6ef15415829e00e1838e73f7dd956dff9bcb7d74581790bc03be656ec42cf8eac7d38a7b884e19e74b3997dcb

Download Submit
C:\Program Files (x86)\ProHance Mate\Update\PHMateUpdateService.exe.config

Filesize
1KB

MD5
41f85af6a77e7021e84d188b3b1d586d

SHA1
5a8f623d95a7ca4a03ef55a7157960b0c6217ed3

SHA256
f02e0b4b1e3f88f9b325df06b6cfbcabe02ee37fc2e6d0795f9acd1c95478070

SHA512
d0c79e392884727439744892d23f9c4b906548387e2335c47c50f51a621b45349be0fc4b2709528faafb1ced9fb4ec27bfa4fafd140e0f459e5d6b92fe9847cf

Download Submit
C:\Program Files (x86)\ProHance Mate\Update\PHUpdate.dll

Filesize
115KB

MD5
67e17ff7d05d2e97f9c95cff72a59027

SHA1
0110fb4ce737ace28b7e4a6ca5f9d49d817346bc

SHA256
eda332c54e5810b9a0244155a1258df193e86bb50d7d2db109d1ee2b9bc1192a

SHA512
d0be4781f66b41cae54a0b885ba036f53fa2640159bef65d3ca69dbf5f4add28e946ccc73252abdcb21ef48d109232687fb30023d85c922ce01f105f4ac7a134

Download Submit
C:\Program Files (x86)\ProHance Mate\Update\PHUpdate.properties

Filesize
103B

MD5
abf98a0e91328db17bdb5c9a7166440c

SHA1
00a31ab09ee691d2aee87a41690cef346ce75973

SHA256
5b2d4d02cbcef135e01ba8a2c49166dbe8890e9d85233a8a8090d71d14eb11a8

SHA512
faacfa826c07c0754d6f37ccbf34e4d9e9f644538c047fe3be0531507180f233fadba6331878bb524f3f384286528042a750c9ac16a3b7f9e0f8ad290fa11a82

Download Submit
C:\Program Files (x86)\ProHance Mate\Update\log4net.dll

Filesize
264KB

MD5
5c1c94140a2f815f64117dbb63a4477a

SHA1
9a79e9c6325e20e5c10e654908d6fd923a25229b

SHA256
55b2fe686bc8f739ce845d1689fd08cbca20381c8e0d2417185d1a0018d8a938

SHA512
502e77236418afac1d9a15d9840b3b6872440f8a1601706e7a4b0e98a62d0de70c3acd192d53d5c29994d1e088fab07c7e299ab7f6b3232a858cc8782d283084

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG86CC.tmp

Filesize
150B

MD5
84f2f872035a2b2007494208ac3b98c4

SHA1
385b4bf0d62025d669935f690b9b64345de41273

SHA256
f5ba88b4a9928b710c9dbf757f0c4dee5bc6b6a56985d5bfeba8620c8ae65b6c

SHA512
d1f141da4761d82feb78563ddbaef0c7b422cc4d80db23a9895b71ec525ffdb907351d9ecfd263ee1004dcf919ef66e287a254117e24eab6da2ae539779db2e6

Download Submit
C:\Windows\Installer\f76864f.msi

Filesize
512KB

MD5
8e803544a828bc78db02e06b7f24e981

SHA1
1b28f6872e43c94aa2a7ed2f58fad0fe34fd1b8f

SHA256
f7687bb4e359f314d731b163cd8bce99fbf1668ccc65f9561173729cf1f8e9fc

SHA512
2fde5358db40290555d4e76880c646ae5456ce1187c8487c54ee2f959cfc94325875bec2600b045aa0c16daf1c4e873f52fcd970836ab9ac6247e8489c75d2f3

Download Submit
C:\Windows\SysWOW64\serviceinstall.log

Filesize
1KB

MD5
6b0ae85814cdea66d6900972783dbf2b

SHA1
a3e163b4375f05003a07477489162862eaa100a2

SHA256
478e6f667c83300818df24b2900cb55b63ddfd6a0f2e41fb80bf0a19890c4bf1

SHA512
2665eeec62c0f599e5263d8c5f163110ca29c29cb592402428b7132e7bc8be7891e1ff227506aea12ef8f49ec37dbf55c61c17498c3ff01f9f8c5a2636d6519d

Download Submit
C:\Windows\SysWOW64\serviceinstall.log

Filesize
1KB

MD5
4c696997490558c33a361fb8b2784b5a

SHA1
f774c2d23caf9219b6cca30dfb6d43c51090ce5e

SHA256
69480a493826cbce8b4d2054931fa12aab281d397a01c7195e65262edf2a4f15

SHA512
4956b3dde6bf9256c1e0f56758f8fa7556b300f3c4d99b2dd87c4377b0282c216a6b9f8aad96d733f43a6c8a1a24fbf4b4957f0eb856349f6c9c5a5baf988c46

Download Submit
C:\Windows\SysWOW64\serviceinstall.log

Filesize
1KB

MD5
805a46260594bb2f612491b4b2293bfa

SHA1
00d42c803ba87146d1940d9d8eb7a4f64ce5f6c0

SHA256
b45d63952a6f0a96d160be5fd915baeb1fa267aa9ae4dc71440abde66d05c7b1

SHA512
898ab543b24f7a2271fed4db19d94c3e6343675edb1554616d66afb8e185b1c9d0a84d66422d5e9a0588663d20ffa8f65e5b56ea75c256cb3f3ceda2d3a86aca

Download Submit
C:\Windows\SysWOW64\serviceinstall.log

Filesize
2KB

MD5
48bfdc338bcb7aba39815d866fe32ce9

SHA1
401c56774c50f2f284d7695f5431a17e559f7d85

SHA256
0c97c0e4df919e325780c36856b41ac41eb8f98eb40ac62db7b2877f7defdb1a

SHA512
0e0d81eae35810b4e04f77c4a8e4196d1d4a4b579dbcb1da41e8bafc47d1503db6a4c5a90985cf4c8aa3c1238794253a67fff094cd1c627f95d63e09941f505c

Download Submit
\Program Files (x86)\ProHance Mate\PHInstallerLib.dll

Filesize
29KB

MD5
7db32c31b966203a0b90acd581a1d6f3

SHA1
1bb1cb2ba7d97df8c47937a4a31692af5c6189dc

SHA256
4cab38738050c86fcdb07e2a0d6953cd36ea81aeed689456a00124da90b6809d

SHA512
02a1676a3a9d40c882439becb8fa8018c89532e7b1b52c4b642ee73dff0f584709c470d6df526917adbf83f8ca42ed6967e53bae51b3d00a01b63631c7c977f9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1287.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
\Windows\Installer\MSI897F.tmp

Filesize
106KB

MD5
77c9fc2bca8737f2de4d1d31ac0e385d

SHA1
4eb76332e4cfb9d217cd42b7a0a31fc1b092be98

SHA256
f9f945ef8cf84de18a4c2a5fabf14f425bec19225f99164684ef3f65e9eeadbd

SHA512
867b2d0b59c54b909076120f7a92bb7d1d3e86e098dfb0284d50592cf9ed6a03b5c9d24e6bba7d424c67a4b9c0564095a28f744af393fa276053073a7cdbb45f

Download Submit
memory/576-131-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/624-176-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/624-159-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/624-148-0x0000000000530000-0x0000000000544000-memory.dmp

Filesize
80KB

Download
memory/624-145-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/624-143-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1556-235-0x0000000000C90000-0x0000000000CD6000-memory.dmp

Filesize
280KB

Download
memory/1556-236-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/1556-252-0x00000000197A0000-0x0000000019820000-memory.dmp

Filesize
512KB

Download
memory/1556-251-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/1556-237-0x00000000197A0000-0x0000000019820000-memory.dmp

Filesize
512KB

Download
memory/1556-239-0x00000000192E0000-0x0000000019302000-memory.dmp

Filesize
136KB

Download
memory/1556-233-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/2316-230-0x0000000019B90000-0x0000000019C40000-memory.dmp

Filesize
704KB

Download
memory/2316-249-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-216-0x0000000000640000-0x0000000000686000-memory.dmp

Filesize
280KB

Download
memory/2316-226-0x0000000000B20000-0x0000000000B3A000-memory.dmp

Filesize
104KB

Download
memory/2316-220-0x0000000019550000-0x00000000195D2000-memory.dmp

Filesize
520KB

Download
memory/2316-214-0x0000000000F50000-0x0000000000F64000-memory.dmp

Filesize
80KB

Download
memory/2316-218-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2316-217-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-224-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2316-222-0x0000000000AE0000-0x0000000000B06000-memory.dmp

Filesize
152KB

Download
memory/2316-250-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2320-181-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2320-177-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2320-182-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-195-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2320-211-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download