af59c36b03ee77d584a3af87cc6444613bacf49094b7233369a835004cd0ad82

Analysis

max time kernel
104s
max time network
98s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ICCSafe.Installer.msi
Size

107.8MB
MD5

9599a8f5b6c834d4f16a8e7132acea39
SHA1

1306c6d51382fdfac74a6fd777ce93b293dc1a82
SHA256

af59c36b03ee77d584a3af87cc6444613bacf49094b7233369a835004cd0ad82
SHA512

28ad8b8f532460ba6b7401232e7abfe2946f9e895ceeac91d1b63f769c345d3d0bf7ef47ceb23b2450c3611292bfcc4679d9ead87fccf5b4f6c3e17ff9e24d62
SSDEEP

3145728:0GD6Whj3b1fnRj1llWxtHNhk14zpGJrGwxfr8kNq5RJ/64:H6Whj3b1fRRLkHN64NGJrFxf1Nq5D

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1F6B8A85985D5DAC27BA1C7BDF31199FE675D4FD\Blob = 0300000001000000140000001f6b8a85985d5dac27ba1c7bdf31199fe675d4fd0b00000001000000480000004d0061006300680069006e0065005400650073007400430065007200740069006600690063006100740065004900430043005f0077006900780043006500720074005f003100000020000000010000001507000030820711308204f9a0030201020210126252ac47bab72d9a76f7ef56d6f6e2300d06092a864886f70d01010b0500307b310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e3111300f060355040a0c0853534c20436f72703137303506035504030c2e53534c2e636f6d20455620436f6465205369676e696e6720496e7465726d65646961746520434120525341205233301e170d3232313130313138333934305a170d3234313033313138333934305a30820101310b30090603550406130255533111300f06035504080c08496c6c696e6f6973311b301906035504070c12436f756e74727920436c75622048696c6c7331293027060355040a0c20496e7465726e6174696f6e616c20436f646520436f756e63696c2c20496e632e310b3009060355040b0c0249543110300e06035504051307343239343439373129302706035504030c20496e7465726e6174696f6e616c20436f646520436f756e63696c2c20496e632e311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31193017060b2b0601040182373c0201020c0844656c617761726531133011060b2b0601040182373c02010313025553308201a2300d06092a864886f70d01010105000382018f003082018a0282018100be279f67058ee8fe4355f349d769608ed5e66e7d27e9ee997d00df310aecccfc754e66f3d1b73554e217100b04f4e85a50a030f1b12c3c977a079676b67a41493646e8507a0c62ebbf9a3919b7641d5eac2723575d4fa194e3cca187b5ad7f8c49fbf7aaaad5ecb9b0bc2ed8f32479dcfcfeeb9ce93211a7924e0061d84768ccf790245b7ae6c3d556a26e8cdc257f1d5ef35c677fa1c791ab125b996121becc73ee2089d65d650a1af5ccaddb710bdc180b7df4fe6ee59ede93a82b2ce367111f54a79771673d0db8981c36073e74d0ed3bb55050d548631205943927db60e7d9f056f7bf77cd764bfd6ffe40e72b886b6d3705a676b392f6c170f8197dd0375f0867159f3a85ae7b604d3048f52470d113f7cfc01e0894d122f65f096eba781a46b7a05fbef15342decf7b30b9546f38dfd72ec6fbbef43088c70182d696f9d55a884e10652b586aa4ee50d5a8a47ccad6e7adff9d5467469b394f99ac823d72236bc0528bb8aa617630049946000ba452fec7773a606e8c2193f75e6404e90203010001a382018730820183300c0603551d130101ff04023000301f0603551d2304183016801436bd49ff312cebaf6a40fe99c016edbafc48dd5f305b06082b06010505070101044f304d304b06082b06010505073002863f687474703a2f2f636572742e73736c2e636f6d2f53534c636f6d2d53756243412d45562d436f64655369676e696e672d5253412d343039362d52332e636572305f0603551d20045830563007060567810c0103300d060b2a84680186f67702050107303c060c2b0601040182a93001030302302c302a06082b06010505070201161e68747470733a2f2f7777772e73736c2e636f6d2f7265706f7369746f727930130603551d25040c300a06082b0601050507030330500603551d1f044930473045a043a041863f687474703a2f2f63726c732e73736c2e636f6d2f53534c636f6d2d53756243412d45562d436f64655369676e696e672d5253412d343039362d52332e63726c301d0603551d0e04160414e4446077e76b133a8440c8b3eca1782faa33c771300e0603551d0f0101ff040403020780300d06092a864886f70d01010b050003820201004b241c083d6163069494cb4c9d21886b3a6532905a3dbdec04cd84b5e32f460dd4fa0c07f2d9049ab0c26c9fe078c2a314ea952053338d459c2ded1b4f16f9f85a4342b1ca83389273fb9b929696524662fedf503a0923a74e9163fed45ff94b36c1c26472792135dfc659175aa038dbc917fff0e6cc1d9bc3c0b7c942b16ca51b7efcd6cac463c14cd988abbae32f2d21a30b7897eb49e625e9e63b308de2f051e6b3e87658b500361aa19fd1be12b5390c2d6ec7de64c74e92a4b4b30a201da477985c73f5629cd852b7fb5c783024e7f6a10854cfebd948d80e8e8e21eb123195ab0ccbcb7317df0ef688088befb56fedf11ba86cd1ceab7ec8423a6f8b6742e00441e291e2f72bdb203f405449b8047352f99bb8c339ff28943345bf7f2bf5554a78fd444cd38be6fceeaf06b7cb233c900be6f2999ce251e69598c13fb2fbabf07d57d5580930911ed3de76f0043e7fc655be0ae32ef44c45a75a6f9152d2d5adcdba1f13a83d91f0efc4cc8b6414336e2ae1895e079d1da5730e7d8744328bdba18eab60fbf9ce5000d1c6cdef29a76a93e96de7dbce4f677e85a1b916274b287fbfe263e0073cccfe40a7093e8cf90b333a1de555a8e2eaeb3a70c3b77e299ad7a962021d47467e4d64a95c4e0fa1ba917eb478aa6418aa55483f788a638ed4c2a53ea9a4e2125d63f2e6c7684c27111ebf6ce3a4321e9fb9f38e8b19	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D2953DBA95086FEB5805BEFC41283CA64C397DF5\Blob = 030000000100000014000000d2953dba95086feb5805befc41283ca64c397df50b00000001000000600000004d0061006300680069006e006500540065007300740043006500720074006900660069006300610074006500530053004c0049006e007400650072006d006500640069006100740065005f0077006900780043006500720074005f00310000002000000001000000e3060000308206df308204c7a0030201020210424b6a53cec766141c2a63b1a51c4104300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3139303332363137343432335a170d3334303332323137343432335a307b310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e3111300f060355040a0c0853534c20436f72703137303506035504030c2e53534c2e636f6d20455620436f6465205369676e696e6720496e7465726d6564696174652043412052534120523330820222300d06092a864886f70d01010105000382020f003082020a0282020100f0aa37f72b219120673a398e15e521ba5a132a8d51d0733dbdae018c137bd67ef86663edf47b2b92f1be636bf7a83765760d7c34a752b1d878f05fe99f777a613e8366ec66ceb7a43d7d1a95af1d5d7fc59549a0d8eabd23e6943f996e254638c45598383ca9f4e5ae79dafb756e001f103fb18f02ff42ae92fcf5d35a0925526388dd5ff491281615ab542e9cf1dee0dbd232692167466d575f9bcad1377fa769271eae3b6a5eb2c60aa03d601e7c76c51ca3026573843165edfe55689bac21d19d847eea01cfe4e74b4c185d6481773668c703f8cac436f69f126cdd44190be9607e092bdb9a3c36cf8ea11c01f775b5f66f870b035acf98d7cb285097a5a1f2a8211cfbb14c35ea185b16c7455c0020796f88d3506f70f7c5d2431f17927e3196a941ba43f2b9d18dc66892e09b8a80d679d6295fe6c0818af2cb0e4d18360b75aa4936ed23ce17ce518729d0d80ca2a266ffdbe793138b7c94c96b518d52d63bef8a0de4bdfe38a15a6859d807e7b535b090383c5b2d221097073bb2b2326061c638156cb0bab57e83f93cb22a1ebfadcd58a78f6f3b6c37dfae882c47df111da8d714b465af4ff6a249b261700afed94e1778575e8925d2c41e4ad39e73ea146829022251fdcf14042eff1ef394949d7350acaaa92b4371218e7632962810592bec3f20e92ee6d3e3662511389c6943ead324a4ffa225ea080e28589ce90203010001a38201553082015130120603551d130101ff040830060101ff020100301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e307c06082b060105050701010470306e304a06082b06010505073002863e687474703a2f2f7777772e73736c2e636f6d2f7265706f7369746f72792f53534c636f6d2d526f6f7443412d45562d5253412d343039362d52322e637274302006082b060105050730018614687474703a2f2f6f637370732e73736c2e636f6d30110603551d20040a300830060604551d200030130603551d25040c300a06082b0601050507030330450603551d1f043e303c303aa038a0368634687474703a2f2f63726c732e73736c2e636f6d2f53534c636f6d2d526f6f7443412d45562d5253412d343039362d52322e63726c301d0603551d0e0416041436bd49ff312cebaf6a40fe99c016edbafc48dd5f300e0603551d0f0101ff040403020186300d06092a864886f70d01010b05000382020100728ffa81488291e26083255b7b8f2f940f8358ce8824fa99424e2d4e3789f89fb11eae744079f9decbf7ff2c25105298408f5438ff5dd12aa95ae6b702bbc87fee2ad3ff7fcc363c5529435d364996265d70e7f22b0567474c99581908f6b1c64f60d2fc38be02ac25d1880da52ce1ddd37d57cf6ac31960d26daa5d7b44e85a5b83dbc81b360a7e0af50a523678e29afb1354cc9cc947bf624e35af3ee1ba0fc993eed520b796b7507652357a9da13b2664371fcebc037bc461815289cc7bfe5a051a47aee412ca8e54e35a9fb0c18af2f95f4668b9afc7d93e84d12b2512383dbb9a01eadfcc66a8b6c51f6a9347b0ce069284ad43836a86395c4ce2024b7873ae4b28e6a4f8616980ccff34e8b02f6402490d8d2e1f7deba186050fed5e7034e5180200eb63be75266da71c905707ae99a58e37d2a7c3586ca5f4e7522235a75bbb6eeb48db9a72deaa5a6249099e902b120fc83adbaf68739dd9e379ca98f9681deae6582ea9186ccd993a9acd267044e666989c251e196ac7d8f3e7ffa63577fbf57dbb8c82c76f7d5432bbea990b39e82051152f89e32ae1c520f37a784e3daf176292548d278c9037dce329e84293b6f83b2b0b9950b8e434069823eeeadfb554bbaedbf1eadd72f945edb1da433b80fc6f6cdfdc916db8a5d4ef75cd654c642c59df132e021b4bfa0493c0bb371d1fb220d34f33af16a11cc0aaa888	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\893E994B9C43100155AE310F34D8CC962096AE12\Blob = 030000000100000014000000893e994b9c43100155ae310f34d8cc962096ae120b00000001000000500000004d0061006300680069006e006500540065007300740043006500720074006900660069006300610074006500530053004c0052006f006f0074005f0077006900780043006500720074005f00310000002000000001000000e2050000308205de308204c6a003020102021062f812a35f52bd74b718d610ac4b4783300d06092a864886f70d01010b0500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3138303931313039323832305a170d3233303931313039323832305a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a38201513082014d30120603551d130101ff040830060101ff020102301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e301f0603551d230418301680140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff04040302010630360603551d1f042f302d302ba029a0278625687474703a2f2f73736c636f6d2e63726c2e63657274756d2e706c2f63746e63612e63726c307306082b0601050507010104673065302906082b06010505073001861d687474703a2f2f73736c636f6d2e6f6373702d63657274756d2e636f6d303806082b06010505073002862c687474703a2f2f73736c636f6d2e7265706f7369746f72792e63657274756d2e706c2f63746e63612e636572303a0603551d2004333031302f0604551d20003027302506082b06010505070201161968747470733a2f2f7777772e63657274756d2e706c2f435053300d06092a864886f70d01010b05000382010100777c422589f0a06f50d8cc9b667b8fd38271e2d3ab5d1d0989cb2ce0a98aa69f37c4f8306dbaf1cd5616a51878a212f1ee0d7972dbc54259be5aab844a3a45eb8eea0291256d05fd52cacf4294afc1a9bedb88eff9f18b287ba8706e290cd259a2d1cdbb82adb33068b8fee67c6f33fe7e9511b421ee9e6a2da48322b58233e672a67cb6042402d50cbffa69df0e2ebfbf7594d72880c862a7558dc1acbf2d26435dadf9546e24c445f974f3cbf2e00e5af84898d866f58dec8e01c47c83f366078fc5c59f1814883e3b6e7fb292841af165f8c95d3165e17e60dd2558b402ba715a953b6aaf8cba326737a56056939a23c25740ecd8eb656a05890fdb9602c5	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2264	msiexec.exe
5	2264	msiexec.exe
7	2720	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIEFEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA73.tmp-\ICCSafe.CustomAction.dll	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA73.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE713.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C5CA12B5-D797-47D3-8734-241EC5F52F10}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA73.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA73.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\f77dcc8.msi	msiexec.exe
File created	C:\Windows\Installer\f77dcc9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI718.tmp	msiexec.exe
File created	C:\Windows\Installer\f77dccb.msi	msiexec.exe
File created	C:\Windows\Installer\{C5CA12B5-D797-47D3-8734-241EC5F52F10}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f77dcc9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77dcc8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE84.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI552.tmp	msiexec.exe

Loads dropped DLL 16 IoCs

pid	Process
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\Revit2023	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\SSLCerts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\ProductName = "ICC Digital Codes Premium Add-In"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F484EFD2FBA32564C828FE6A2BE9FCC7\5B21AC5C797D3D74784342E15C5FF201	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\PackageName = "ICCSafe.Installer.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\PackageCode = "15A12A31DC9A0574F9F159A56C401459"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\Revit2024 = "\x06"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\ProductIcon = "C:\\Windows\\Installer\\{C5CA12B5-D797-47D3-8734-241EC5F52F10}\\Icon.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\Revit2022 = "\x06"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\RevitCommon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Version = "33619968"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F484EFD2FBA32564C828FE6A2BE9FCC7	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Media\2 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	msiexec.exe
2720	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2264	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeSecurityPrivilege	2720	msiexec.exe
Token: SeCreateTokenPrivilege	2264	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2264	msiexec.exe
Token: SeLockMemoryPrivilege	2264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2264	msiexec.exe
Token: SeMachineAccountPrivilege	2264	msiexec.exe
Token: SeTcbPrivilege	2264	msiexec.exe
Token: SeSecurityPrivilege	2264	msiexec.exe
Token: SeTakeOwnershipPrivilege	2264	msiexec.exe
Token: SeLoadDriverPrivilege	2264	msiexec.exe
Token: SeSystemProfilePrivilege	2264	msiexec.exe
Token: SeSystemtimePrivilege	2264	msiexec.exe
Token: SeProfSingleProcessPrivilege	2264	msiexec.exe
Token: SeIncBasePriorityPrivilege	2264	msiexec.exe
Token: SeCreatePagefilePrivilege	2264	msiexec.exe
Token: SeCreatePermanentPrivilege	2264	msiexec.exe
Token: SeBackupPrivilege	2264	msiexec.exe
Token: SeRestorePrivilege	2264	msiexec.exe
Token: SeShutdownPrivilege	2264	msiexec.exe
Token: SeDebugPrivilege	2264	msiexec.exe
Token: SeAuditPrivilege	2264	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2264	msiexec.exe
Token: SeChangeNotifyPrivilege	2264	msiexec.exe
Token: SeRemoteShutdownPrivilege	2264	msiexec.exe
Token: SeUndockPrivilege	2264	msiexec.exe
Token: SeSyncAgentPrivilege	2264	msiexec.exe
Token: SeEnableDelegationPrivilege	2264	msiexec.exe
Token: SeManageVolumePrivilege	2264	msiexec.exe
Token: SeImpersonatePrivilege	2264	msiexec.exe
Token: SeCreateGlobalPrivilege	2264	msiexec.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeBackupPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2264	msiexec.exe
2264	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2556	2720	msiexec.exe	34
PID 2720 wrote to memory of 2556	2720	msiexec.exe	34
PID 2720 wrote to memory of 2556	2720	msiexec.exe	34
PID 2720 wrote to memory of 2556	2720	msiexec.exe	34
PID 2720 wrote to memory of 2556	2720	msiexec.exe	34
PID 2720 wrote to memory of 2556	2720	msiexec.exe	34
PID 2720 wrote to memory of 2556	2720	msiexec.exe	34
PID 2720 wrote to memory of 2308	2720	msiexec.exe	35
PID 2720 wrote to memory of 2308	2720	msiexec.exe	35
PID 2720 wrote to memory of 2308	2720	msiexec.exe	35
PID 2720 wrote to memory of 2308	2720	msiexec.exe	35
PID 2720 wrote to memory of 2308	2720	msiexec.exe	35
PID 2720 wrote to memory of 2308	2720	msiexec.exe	35
PID 2720 wrote to memory of 2308	2720	msiexec.exe	35
PID 2308 wrote to memory of 776	2308	MsiExec.exe	36
PID 2308 wrote to memory of 776	2308	MsiExec.exe	36
PID 2308 wrote to memory of 776	2308	MsiExec.exe	36
PID 2308 wrote to memory of 776	2308	MsiExec.exe	36
PID 2308 wrote to memory of 776	2308	MsiExec.exe	36
PID 2308 wrote to memory of 776	2308	MsiExec.exe	36
PID 2308 wrote to memory of 776	2308	MsiExec.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ICCSafe.Installer.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0B7DE24814DE163A7122EC1321C56A8
  2⤵
  - Loads dropped DLL
  PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3316BAF454E818C05FD0C75224B39985 M Global\MSI0000
  2⤵
  - Manipulates Digital Signatures
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA73.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259525353 63 ICCSafe.CustomAction!ICCSafe.CustomAction.CustomActions.SaveConfigJson
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000580" "000000000000031C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77dcca.rbs

Filesize
102KB

MD5
719fbda58fec8710582b0380e4516381

SHA1
6b2a45ad995bae82ec219034c60cad91360895f0

SHA256
e3d07b776612b666b811f58fd457498941dbc370df99e2f14907a35919602925

SHA512
fd1a1bf8b5b73b0a1c5816b74959a3296e7a4926be7daf8e53240bd86da7735360e2362ff2602be4e249f394debc1690dc23d1b15da31123467d011b0ce3c78d

Download Submit
C:\ProgramData\Autodesk\Revit\Addins\ICCSafe\AppConfig.json

Filesize
783B

MD5
47b11a8d356442dab4645737c0be6954

SHA1
d5c75a282565f9ee7ac31acfc34d371864d7a6a1

SHA256
43d1db3d41453d1b8d9b2814ed2c502536d07e387d649769352752628fe5be11

SHA512
4f770f817631d474fbaaf2835b0ed6c72c16c83788c6e6ff963210c8d2952cd058e74387eb384e89f89865e819cbd1de94f5f2202153241f3be283903d95dbd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763

Filesize
1KB

MD5
866912c070f1ecacacc2d5bca55ba129

SHA1
b7ab3308d1ea4477ba1480125a6fbda936490cbb

SHA256
85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69

SHA512
f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763

Filesize
326B

MD5
92c2468f68331c4a38f4b5f2b35ceb8e

SHA1
46d3ed0fc1cf957e9e73cd833fd1938cd1df1d04

SHA256
39d299f0e57e754760813746cfc06c279518c1b179cb7925b883bd2cab197860

SHA512
998eeb62963b4df7a0b44fd729abc91be8ebd35bd3bd434d436f77013df8ff03f9057ddcb788a54cc05e45e56c7ce48ba1b7b8395bf35c3041d6ca3cbd06b318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9dfc1289eeb027a1573d38e29c6ecd5

SHA1
d15b4f8360699b92430f194af1b34ea7f62a7965

SHA256
e89ac1bb22b536e3ba6688473e06fc052dccde3a5ef1500872986f90917484ef

SHA512
e6ca2b1ad9c9d8af4e673b71c36808fce65f5e881331fba8b621e8a9de994a11f48786ddfff1fad373162f79940fd45dbcb092cd79dc72610f55541d1467dc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab986B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98AC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5FA.tmp

Filesize
2KB

MD5
97085b889cc3f31cc6d453276184cb9c

SHA1
b406ca70673463db3ec6151008f19548c55d4ced

SHA256
c1b61a27b13e788da13c71699b379334dfb135f9da6365133c23f5bf67819934

SHA512
3178cf71b8beca122d219d921a41ca04fec5659544e77f4725045179181e0ce62dd23b9b53f484881ea89e6aec48c3c30fd88a0d110df15ef859734dc0574840

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6C5.tmp

Filesize
2KB

MD5
3cd0b9fe9ab61cc06d50bf2e4778b776

SHA1
a270038fe17d57bd76d381e7c9ad0110860509e6

SHA256
be0445cfa571f9b7e41743e577dacfdaa62221381ec9d83dbd2ba1652427d0e1

SHA512
e94781e8c10b11d7d71755efc1cc551eca33c120ebd173fdb4b68b7e1d7fb035323f90e2b0156d1b4c675353e97f6509257cdc9f7a219e725742482f4f38bed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7A1.tmp

Filesize
2KB

MD5
c840aa3fab09920811128fcdf379fc46

SHA1
7001bca924ec212b55deff310e24b0701d20840c

SHA256
4145eb118ffd67df9a67a2361b80cdbe6c5fcea1e56578361b3a69ee89109b26

SHA512
f044e742244b2cbee275fc893c8d874bc13b6d4bb74c523282601c3d1b9d227c42ab1ad45c4f28c4734dd65eb960bd0a7fa47809f1fa033560bb37c8fdc62b9e

Download Submit
C:\Windows\Installer\MSIA73.tmp

Filesize
469KB

MD5
05443d07e99428a958238614d092ff03

SHA1
98a1362ea8a31583beac37c5855bf4b730991b99

SHA256
422f51b0455b13b8ecd9cb86340de02620663a9c98147c063e33c324b0363795

SHA512
7f9524db8ef6fa496dc7a8c804e3d5275360a6335f82e1159b1bef092a4e88bd4bd298b7009ed1b4c2ed9cab5dbb4b308c7e563f4bb630fa9a50a200c204208d

Download Submit
C:\Windows\Installer\MSIA73.tmp-\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Windows\Installer\MSIE713.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIEE84.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Installer\f77dcc8.msi

Filesize
100KB

MD5
0b34edd7f7e78ba4224f0ff457d1cc70

SHA1
9dc6da0ed29ecb87cd3849fab4acac5192257280

SHA256
fd700c56d83dc0731db2ecf1b777d78451bfeb7ffe93e6b1623a4609d81e8520

SHA512
b1d11bd23519e0fd9caa042cdb5415b0f06c10f5e20387a1be9c5af028653bd629dd628d7a7586bc9a4036ea83bef0f26d40a29c5bdd27d656f31b9c3a2ee9d6

Download Submit
\Windows\Installer\MSI552.tmp

Filesize
224KB

MD5
4837bbfa20c65ac97910388f07d1785e

SHA1
e066a3d68c8a5c099633f22a32e22cb8c4f24d8c

SHA256
29b9f6167ea343f279c7ebafa18f8fba0fa8c3c21f9f33e7741452c856d45664

SHA512
91cade5a43fedce4c06e21cd68023ad13ecc18ddf34379544f8111569868980d3852e93d8f0ccbb013df317f9ee1ac97d9a16862878371ec2cb0fd51b3468037

Download Submit
\Windows\Installer\MSIA73.tmp-\ICCSafe.CustomAction.dll

Filesize
8KB

MD5
d92d7cd04ba1d714e083c249bde42b7c

SHA1
e0ef82fa55b14cbf1e32fff499c4fd97e835dee6

SHA256
45a43b2179421541025a173e24d3f3f845a5fac3b6c58d54cac1204d25ec8f0d

SHA512
d3a6bd3f77a0b699f7f27741bcc047d2226aa2a90e3ee4be9a1551df7091f1c3c0ac4366cfde2a84cff233e5dcd8d77b155dbebbd4edf14179b4a74d0b3f7797

Download Submit
\Windows\Installer\MSIA73.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
\Windows\Installer\MSIA73.tmp-\Newtonsoft.Json.dll

Filesize
117KB

MD5
2e1c82a9133c16be8acee263103713b8

SHA1
350138dcb8d3eb8309f860acb862ba7c01c850e7

SHA256
8a501a6fe11f9f80926158da6bb2df601b838ff880d79ef7dadcbe2a6fd5b69e

SHA512
75b61c79b3dc46e81fbbf26dcef7ad7fcd9224115a463a5bcae51ff2f9c31dfcaa506c07051c87ece1a7ab8df49d2f8130939e964524c1c3943b4dbe2e503b3a

Download Submit
\Windows\Installer\MSIA73.tmp-\Newtonsoft.Json.dll

Filesize
190KB

MD5
361d2983ff21580e13b28fdf32255ae0

SHA1
87646a7159369aacf1ea39d0be88f61987c6a2d2

SHA256
8fac30eccdde4abf0b52b5500eb2af7c6885c7a1bff11a85d1dc956e6c360e9f

SHA512
b7bc78d447088f51466f412584260b1721e7454b97583a09fca1884eb3b585a34e7b751f494fbe7250a9eda1b463547c4442cebd849a64f115bec0796a651c68

Download Submit
\Windows\Installer\MSIA73.tmp-\Newtonsoft.Json.dll

Filesize
85KB

MD5
fdc7cb39a45de55020c2d04a35d01d85

SHA1
b1970d7170c76262c5c86a24e3566af900e8612a

SHA256
8ef6454984b3c6f8b7fc289a75303053684fb8b84cb75e185149f50f44f3755d

SHA512
356a05364f6cdaf63c0084f098dfcb1070052f3516087a72d0b9b8dbb3c6a231be87b1317413aba3049c6825c2acf46d666e861b415ee3ccc8a2a9d29306edfd

Download Submit
memory/776-429-0x0000000002160000-0x0000000002210000-memory.dmp

Filesize
704KB

Download
memory/776-425-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/776-421-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download
memory/776-420-0x0000000000430000-0x000000000045E000-memory.dmp

Filesize
184KB

Download
memory/776-444-0x0000000073100000-0x00000000737EE000-memory.dmp

Filesize
6.9MB

Download
memory/776-416-0x0000000073100000-0x00000000737EE000-memory.dmp

Filesize
6.9MB

Download