af59c36b03ee77d584a3af87cc6444613bacf49094b7233369a835004cd0ad82

Analysis

max time kernel
50s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ICCSafe.Installer.msi
Size

107.8MB
MD5

9599a8f5b6c834d4f16a8e7132acea39
SHA1

1306c6d51382fdfac74a6fd777ce93b293dc1a82
SHA256

af59c36b03ee77d584a3af87cc6444613bacf49094b7233369a835004cd0ad82
SHA512

28ad8b8f532460ba6b7401232e7abfe2946f9e895ceeac91d1b63f769c345d3d0bf7ef47ceb23b2450c3611292bfcc4679d9ead87fccf5b4f6c3e17ff9e24d62
SSDEEP

3145728:0GD6Whj3b1fnRj1llWxtHNhk14zpGJrGwxfr8kNq5RJ/64:H6Whj3b1fRRLkHN64NGJrFxf1Nq5D

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1F6B8A85985D5DAC27BA1C7BDF31199FE675D4FD\Blob = 0300000001000000140000001f6b8a85985d5dac27ba1c7bdf31199fe675d4fd0b00000001000000480000004d0061006300680069006e0065005400650073007400430065007200740069006600690063006100740065004900430043005f0077006900780043006500720074005f003100000020000000010000001507000030820711308204f9a0030201020210126252ac47bab72d9a76f7ef56d6f6e2300d06092a864886f70d01010b0500307b310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e3111300f060355040a0c0853534c20436f72703137303506035504030c2e53534c2e636f6d20455620436f6465205369676e696e6720496e7465726d65646961746520434120525341205233301e170d3232313130313138333934305a170d3234313033313138333934305a30820101310b30090603550406130255533111300f06035504080c08496c6c696e6f6973311b301906035504070c12436f756e74727920436c75622048696c6c7331293027060355040a0c20496e7465726e6174696f6e616c20436f646520436f756e63696c2c20496e632e310b3009060355040b0c0249543110300e06035504051307343239343439373129302706035504030c20496e7465726e6174696f6e616c20436f646520436f756e63696c2c20496e632e311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31193017060b2b0601040182373c0201020c0844656c617761726531133011060b2b0601040182373c02010313025553308201a2300d06092a864886f70d01010105000382018f003082018a0282018100be279f67058ee8fe4355f349d769608ed5e66e7d27e9ee997d00df310aecccfc754e66f3d1b73554e217100b04f4e85a50a030f1b12c3c977a079676b67a41493646e8507a0c62ebbf9a3919b7641d5eac2723575d4fa194e3cca187b5ad7f8c49fbf7aaaad5ecb9b0bc2ed8f32479dcfcfeeb9ce93211a7924e0061d84768ccf790245b7ae6c3d556a26e8cdc257f1d5ef35c677fa1c791ab125b996121becc73ee2089d65d650a1af5ccaddb710bdc180b7df4fe6ee59ede93a82b2ce367111f54a79771673d0db8981c36073e74d0ed3bb55050d548631205943927db60e7d9f056f7bf77cd764bfd6ffe40e72b886b6d3705a676b392f6c170f8197dd0375f0867159f3a85ae7b604d3048f52470d113f7cfc01e0894d122f65f096eba781a46b7a05fbef15342decf7b30b9546f38dfd72ec6fbbef43088c70182d696f9d55a884e10652b586aa4ee50d5a8a47ccad6e7adff9d5467469b394f99ac823d72236bc0528bb8aa617630049946000ba452fec7773a606e8c2193f75e6404e90203010001a382018730820183300c0603551d130101ff04023000301f0603551d2304183016801436bd49ff312cebaf6a40fe99c016edbafc48dd5f305b06082b06010505070101044f304d304b06082b06010505073002863f687474703a2f2f636572742e73736c2e636f6d2f53534c636f6d2d53756243412d45562d436f64655369676e696e672d5253412d343039362d52332e636572305f0603551d20045830563007060567810c0103300d060b2a84680186f67702050107303c060c2b0601040182a93001030302302c302a06082b06010505070201161e68747470733a2f2f7777772e73736c2e636f6d2f7265706f7369746f727930130603551d25040c300a06082b0601050507030330500603551d1f044930473045a043a041863f687474703a2f2f63726c732e73736c2e636f6d2f53534c636f6d2d53756243412d45562d436f64655369676e696e672d5253412d343039362d52332e63726c301d0603551d0e04160414e4446077e76b133a8440c8b3eca1782faa33c771300e0603551d0f0101ff040403020780300d06092a864886f70d01010b050003820201004b241c083d6163069494cb4c9d21886b3a6532905a3dbdec04cd84b5e32f460dd4fa0c07f2d9049ab0c26c9fe078c2a314ea952053338d459c2ded1b4f16f9f85a4342b1ca83389273fb9b929696524662fedf503a0923a74e9163fed45ff94b36c1c26472792135dfc659175aa038dbc917fff0e6cc1d9bc3c0b7c942b16ca51b7efcd6cac463c14cd988abbae32f2d21a30b7897eb49e625e9e63b308de2f051e6b3e87658b500361aa19fd1be12b5390c2d6ec7de64c74e92a4b4b30a201da477985c73f5629cd852b7fb5c783024e7f6a10854cfebd948d80e8e8e21eb123195ab0ccbcb7317df0ef688088befb56fedf11ba86cd1ceab7ec8423a6f8b6742e00441e291e2f72bdb203f405449b8047352f99bb8c339ff28943345bf7f2bf5554a78fd444cd38be6fceeaf06b7cb233c900be6f2999ce251e69598c13fb2fbabf07d57d5580930911ed3de76f0043e7fc655be0ae32ef44c45a75a6f9152d2d5adcdba1f13a83d91f0efc4cc8b6414336e2ae1895e079d1da5730e7d8744328bdba18eab60fbf9ce5000d1c6cdef29a76a93e96de7dbce4f677e85a1b916274b287fbfe263e0073cccfe40a7093e8cf90b333a1de555a8e2eaeb3a70c3b77e299ad7a962021d47467e4d64a95c4e0fa1ba917eb478aa6418aa55483f788a638ed4c2a53ea9a4e2125d63f2e6c7684c27111ebf6ce3a4321e9fb9f38e8b19	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D2953DBA95086FEB5805BEFC41283CA64C397DF5\Blob = 030000000100000014000000d2953dba95086feb5805befc41283ca64c397df50b00000001000000600000004d0061006300680069006e006500540065007300740043006500720074006900660069006300610074006500530053004c0049006e007400650072006d006500640069006100740065005f0077006900780043006500720074005f00310000002000000001000000e3060000308206df308204c7a0030201020210424b6a53cec766141c2a63b1a51c4104300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3139303332363137343432335a170d3334303332323137343432335a307b310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e3111300f060355040a0c0853534c20436f72703137303506035504030c2e53534c2e636f6d20455620436f6465205369676e696e6720496e7465726d6564696174652043412052534120523330820222300d06092a864886f70d01010105000382020f003082020a0282020100f0aa37f72b219120673a398e15e521ba5a132a8d51d0733dbdae018c137bd67ef86663edf47b2b92f1be636bf7a83765760d7c34a752b1d878f05fe99f777a613e8366ec66ceb7a43d7d1a95af1d5d7fc59549a0d8eabd23e6943f996e254638c45598383ca9f4e5ae79dafb756e001f103fb18f02ff42ae92fcf5d35a0925526388dd5ff491281615ab542e9cf1dee0dbd232692167466d575f9bcad1377fa769271eae3b6a5eb2c60aa03d601e7c76c51ca3026573843165edfe55689bac21d19d847eea01cfe4e74b4c185d6481773668c703f8cac436f69f126cdd44190be9607e092bdb9a3c36cf8ea11c01f775b5f66f870b035acf98d7cb285097a5a1f2a8211cfbb14c35ea185b16c7455c0020796f88d3506f70f7c5d2431f17927e3196a941ba43f2b9d18dc66892e09b8a80d679d6295fe6c0818af2cb0e4d18360b75aa4936ed23ce17ce518729d0d80ca2a266ffdbe793138b7c94c96b518d52d63bef8a0de4bdfe38a15a6859d807e7b535b090383c5b2d221097073bb2b2326061c638156cb0bab57e83f93cb22a1ebfadcd58a78f6f3b6c37dfae882c47df111da8d714b465af4ff6a249b261700afed94e1778575e8925d2c41e4ad39e73ea146829022251fdcf14042eff1ef394949d7350acaaa92b4371218e7632962810592bec3f20e92ee6d3e3662511389c6943ead324a4ffa225ea080e28589ce90203010001a38201553082015130120603551d130101ff040830060101ff020100301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e307c06082b060105050701010470306e304a06082b06010505073002863e687474703a2f2f7777772e73736c2e636f6d2f7265706f7369746f72792f53534c636f6d2d526f6f7443412d45562d5253412d343039362d52322e637274302006082b060105050730018614687474703a2f2f6f637370732e73736c2e636f6d30110603551d20040a300830060604551d200030130603551d25040c300a06082b0601050507030330450603551d1f043e303c303aa038a0368634687474703a2f2f63726c732e73736c2e636f6d2f53534c636f6d2d526f6f7443412d45562d5253412d343039362d52322e63726c301d0603551d0e0416041436bd49ff312cebaf6a40fe99c016edbafc48dd5f300e0603551d0f0101ff040403020186300d06092a864886f70d01010b05000382020100728ffa81488291e26083255b7b8f2f940f8358ce8824fa99424e2d4e3789f89fb11eae744079f9decbf7ff2c25105298408f5438ff5dd12aa95ae6b702bbc87fee2ad3ff7fcc363c5529435d364996265d70e7f22b0567474c99581908f6b1c64f60d2fc38be02ac25d1880da52ce1ddd37d57cf6ac31960d26daa5d7b44e85a5b83dbc81b360a7e0af50a523678e29afb1354cc9cc947bf624e35af3ee1ba0fc993eed520b796b7507652357a9da13b2664371fcebc037bc461815289cc7bfe5a051a47aee412ca8e54e35a9fb0c18af2f95f4668b9afc7d93e84d12b2512383dbb9a01eadfcc66a8b6c51f6a9347b0ce069284ad43836a86395c4ce2024b7873ae4b28e6a4f8616980ccff34e8b02f6402490d8d2e1f7deba186050fed5e7034e5180200eb63be75266da71c905707ae99a58e37d2a7c3586ca5f4e7522235a75bbb6eeb48db9a72deaa5a6249099e902b120fc83adbaf68739dd9e379ca98f9681deae6582ea9186ccd993a9acd267044e666989c251e196ac7d8f3e7ffa63577fbf57dbb8c82c76f7d5432bbea990b39e82051152f89e32ae1c520f37a784e3daf176292548d278c9037dce329e84293b6f83b2b0b9950b8e434069823eeeadfb554bbaedbf1eadd72f945edb1da433b80fc6f6cdfdc916db8a5d4ef75cd654c642c59df132e021b4bfa0493c0bb371d1fb220d34f33af16a11cc0aaa888	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\893E994B9C43100155AE310F34D8CC962096AE12\Blob = 030000000100000014000000893e994b9c43100155ae310f34d8cc962096ae120b00000001000000500000004d0061006300680069006e006500540065007300740043006500720074006900660069006300610074006500530053004c0052006f006f0074005f0077006900780043006500720074005f00310000002000000001000000e2050000308205de308204c6a003020102021062f812a35f52bd74b718d610ac4b4783300d06092a864886f70d01010b0500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3138303931313039323832305a170d3233303931313039323832305a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a38201513082014d30120603551d130101ff040830060101ff020102301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e301f0603551d230418301680140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff04040302010630360603551d1f042f302d302ba029a0278625687474703a2f2f73736c636f6d2e63726c2e63657274756d2e706c2f63746e63612e63726c307306082b0601050507010104673065302906082b06010505073001861d687474703a2f2f73736c636f6d2e6f6373702d63657274756d2e636f6d303806082b06010505073002862c687474703a2f2f73736c636f6d2e7265706f7369746f72792e63657274756d2e706c2f63746e63612e636572303a0603551d2004333031302f0604551d20003027302506082b06010505070201161968747470733a2f2f7777772e63657274756d2e706c2f435053300d06092a864886f70d01010b05000382010100777c422589f0a06f50d8cc9b667b8fd38271e2d3ab5d1d0989cb2ce0a98aa69f37c4f8306dbaf1cd5616a51878a212f1ee0d7972dbc54259be5aab844a3a45eb8eea0291256d05fd52cacf4294afc1a9bedb88eff9f18b287ba8706e290cd259a2d1cdbb82adb33068b8fee67c6f33fe7e9511b421ee9e6a2da48322b58233e672a67cb6042402d50cbffa69df0e2ebfbf7594d72880c862a7558dc1acbf2d26435dadf9546e24c445f974f3cbf2e00e5af84898d866f58dec8e01c47c83f366078fc5c59f1814883e3b6e7fb292841af165f8c95d3165e17e60dd2558b402ba715a953b6aaf8cba326737a56056939a23c25740ecd8eb656a05890fdb9602c5	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	3560	msiexec.exe
14	3560	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIDBFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD96.tmp-\ICCSafe.CustomAction.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{C5CA12B5-D797-47D3-8734-241EC5F52F10}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID351.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cbdd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{C5CA12B5-D797-47D3-8734-241EC5F52F10}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cbdb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID301.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD96.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIDD96.tmp-\Newtonsoft.Json.dll	rundll32.exe
File created	C:\Windows\Installer\e57cbdb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC2D.tmp	msiexec.exe
File created	C:\Windows\Installer\{C5CA12B5-D797-47D3-8734-241EC5F52F10}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD96.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICE7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBAE.tmp	msiexec.exe

Loads dropped DLL 14 IoCs

pid	Process
1124	MsiExec.exe
1124	MsiExec.exe
1124	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
3372	rundll32.exe
3372	rundll32.exe
3372	rundll32.exe
3372	rundll32.exe
3372	rundll32.exe
3372	rundll32.exe
3372	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000039a337e041d2b58d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000039a337e00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090039a337e0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d39a337e0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000039a337e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\SSLCerts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\Revit2024 = "\x06"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\PackageCode = "15A12A31DC9A0574F9F159A56C401459"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\PackageName = "ICCSafe.Installer.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F484EFD2FBA32564C828FE6A2BE9FCC7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\RevitCommon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\Revit2022 = "\x06"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F484EFD2FBA32564C828FE6A2BE9FCC7\5B21AC5C797D3D74784342E15C5FF201	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Version = "33619968"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Media\2 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\ProductName = "ICC Digital Codes Premium Add-In"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B21AC5C797D3D74784342E15C5FF201\Revit2023	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\ProductIcon = "C:\\Windows\\Installer\\{C5CA12B5-D797-47D3-8734-241EC5F52F10}\\Icon.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B21AC5C797D3D74784342E15C5FF201\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
872	msiexec.exe
872	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3560	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3560	msiexec.exe
Token: SeSecurityPrivilege	872	msiexec.exe
Token: SeCreateTokenPrivilege	3560	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3560	msiexec.exe
Token: SeLockMemoryPrivilege	3560	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3560	msiexec.exe
Token: SeMachineAccountPrivilege	3560	msiexec.exe
Token: SeTcbPrivilege	3560	msiexec.exe
Token: SeSecurityPrivilege	3560	msiexec.exe
Token: SeTakeOwnershipPrivilege	3560	msiexec.exe
Token: SeLoadDriverPrivilege	3560	msiexec.exe
Token: SeSystemProfilePrivilege	3560	msiexec.exe
Token: SeSystemtimePrivilege	3560	msiexec.exe
Token: SeProfSingleProcessPrivilege	3560	msiexec.exe
Token: SeIncBasePriorityPrivilege	3560	msiexec.exe
Token: SeCreatePagefilePrivilege	3560	msiexec.exe
Token: SeCreatePermanentPrivilege	3560	msiexec.exe
Token: SeBackupPrivilege	3560	msiexec.exe
Token: SeRestorePrivilege	3560	msiexec.exe
Token: SeShutdownPrivilege	3560	msiexec.exe
Token: SeDebugPrivilege	3560	msiexec.exe
Token: SeAuditPrivilege	3560	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3560	msiexec.exe
Token: SeChangeNotifyPrivilege	3560	msiexec.exe
Token: SeRemoteShutdownPrivilege	3560	msiexec.exe
Token: SeUndockPrivilege	3560	msiexec.exe
Token: SeSyncAgentPrivilege	3560	msiexec.exe
Token: SeEnableDelegationPrivilege	3560	msiexec.exe
Token: SeManageVolumePrivilege	3560	msiexec.exe
Token: SeImpersonatePrivilege	3560	msiexec.exe
Token: SeCreateGlobalPrivilege	3560	msiexec.exe
Token: SeBackupPrivilege	4752	vssvc.exe
Token: SeRestorePrivilege	4752	vssvc.exe
Token: SeAuditPrivilege	4752	vssvc.exe
Token: SeBackupPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeBackupPrivilege	4304	srtasks.exe
Token: SeRestorePrivilege	4304	srtasks.exe
Token: SeSecurityPrivilege	4304	srtasks.exe
Token: SeTakeOwnershipPrivilege	4304	srtasks.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeBackupPrivilege	4304	srtasks.exe
Token: SeRestorePrivilege	4304	srtasks.exe
Token: SeSecurityPrivilege	4304	srtasks.exe
Token: SeTakeOwnershipPrivilege	4304	srtasks.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe
Token: SeTakeOwnershipPrivilege	872	msiexec.exe
Token: SeRestorePrivilege	872	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3560	msiexec.exe
3560	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 4304	872	msiexec.exe	101
PID 872 wrote to memory of 4304	872	msiexec.exe	101
PID 872 wrote to memory of 1124	872	msiexec.exe	103
PID 872 wrote to memory of 1124	872	msiexec.exe	103
PID 872 wrote to memory of 1124	872	msiexec.exe	103
PID 872 wrote to memory of 924	872	msiexec.exe	104
PID 872 wrote to memory of 924	872	msiexec.exe	104
PID 872 wrote to memory of 924	872	msiexec.exe	104
PID 924 wrote to memory of 3372	924	MsiExec.exe	105
PID 924 wrote to memory of 3372	924	MsiExec.exe	105
PID 924 wrote to memory of 3372	924	MsiExec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ICCSafe.Installer.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1E5DA1299F64CFCDF800122E2A65C8DC
  2⤵
  - Loads dropped DLL
  PID:1124
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 313C020A95AE475EC08293BEA91229F9 E Global\MSI0000
  2⤵
  - Manipulates Digital Signatures
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIDD96.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240639390 64 ICCSafe.CustomAction!ICCSafe.CustomAction.CustomActions.SaveConfigJson
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:3372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cbdc.rbs

Filesize
711KB

MD5
6426dc37e0b9058821f18dc1e1d72157

SHA1
7217dbeb3ca4ddc660e1f46171d437d65e1c3a18

SHA256
7e1fe9149e67b35978c26b4efa90da9fe1169ece80227a13be80c7b570a76718

SHA512
49afcfba3f0b88867dbf254fb6fbf4224b47d6f81191ea38fcb9d2ada520f5ded6000140fe9b4c077da72f6b270491f96f52f0b5720481e7e7cd6cb129c48132

Download Submit
C:\ProgramData\Autodesk\Revit\Addins\ICCSafe\AppConfig.json

Filesize
783B

MD5
47b11a8d356442dab4645737c0be6954

SHA1
d5c75a282565f9ee7ac31acfc34d371864d7a6a1

SHA256
43d1db3d41453d1b8d9b2814ed2c502536d07e387d649769352752628fe5be11

SHA512
4f770f817631d474fbaaf2835b0ed6c72c16c83788c6e6ff963210c8d2952cd058e74387eb384e89f89865e819cbd1de94f5f2202153241f3be283903d95dbd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
49KB

MD5
7b6f4c65049bbe115a5dfbdd66dd6383

SHA1
943a1b668f19e507407093bbac88e18f428c25d3

SHA256
72cff6370b1d5e17a1de73f8e97efb8dd9638583c3d080d39931df6f78dfed7f

SHA512
cf1fe5896a56d377ab3f9b0a92fe557a4c7a88c3a8be0d35d9a5f0fcd1409b5a73ab2b3d69e082b1d2e21789799c43d4d73d89407aef86e4f2fa0a768744a4f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
196da11b4a5faba52b92bb967cec4a1c

SHA1
f50de49bee2f5658da756570f6e54d021e22aa0b

SHA256
faed671ed25e886b8ed9ef29019148d3ae683d0f2838358f7c0afc999ad1d063

SHA512
c7d24d8079be5c91e6ce0c6520066949e869ee1924affebd8eea12000d32976eda9fb092c93dd64f14092d55afbf61981afcff0287262eaf867c0bfca423f907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
a51fa4b814ece54051d6cb5c5b657b49

SHA1
d2b6c13ecbfd25bf61714c7ee5b4c9399a7ed60b

SHA256
45b260d5e9c4cd8349a96f1452f1c95b4a091eedbaf52caba62fcc3220858ff9

SHA512
00f79a3492e5c627d03956f241f20ab4a41234b2e0088e736c45aa3465bf0abad46fb2899d434a221f102c91ff6f77d64e53e4aad3836f599c43e058d4c4a6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD36D.tmp

Filesize
2KB

MD5
97085b889cc3f31cc6d453276184cb9c

SHA1
b406ca70673463db3ec6151008f19548c55d4ced

SHA256
c1b61a27b13e788da13c71699b379334dfb135f9da6365133c23f5bf67819934

SHA512
3178cf71b8beca122d219d921a41ca04fec5659544e77f4725045179181e0ce62dd23b9b53f484881ea89e6aec48c3c30fd88a0d110df15ef859734dc0574840

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD3AC.tmp

Filesize
2KB

MD5
3cd0b9fe9ab61cc06d50bf2e4778b776

SHA1
a270038fe17d57bd76d381e7c9ad0110860509e6

SHA256
be0445cfa571f9b7e41743e577dacfdaa62221381ec9d83dbd2ba1652427d0e1

SHA512
e94781e8c10b11d7d71755efc1cc551eca33c120ebd173fdb4b68b7e1d7fb035323f90e2b0156d1b4c675353e97f6509257cdc9f7a219e725742482f4f38bed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD3BD.tmp

Filesize
2KB

MD5
c840aa3fab09920811128fcdf379fc46

SHA1
7001bca924ec212b55deff310e24b0701d20840c

SHA256
4145eb118ffd67df9a67a2361b80cdbe6c5fcea1e56578361b3a69ee89109b26

SHA512
f044e742244b2cbee275fc893c8d874bc13b6d4bb74c523282601c3d1b9d227c42ab1ad45c4f28c4734dd65eb960bd0a7fa47809f1fa033560bb37c8fdc62b9e

Download Submit
C:\Windows\Installer\MSICE7B.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSID301.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Installer\MSIDBAE.tmp

Filesize
224KB

MD5
4837bbfa20c65ac97910388f07d1785e

SHA1
e066a3d68c8a5c099633f22a32e22cb8c4f24d8c

SHA256
29b9f6167ea343f279c7ebafa18f8fba0fa8c3c21f9f33e7741452c856d45664

SHA512
91cade5a43fedce4c06e21cd68023ad13ecc18ddf34379544f8111569868980d3852e93d8f0ccbb013df317f9ee1ac97d9a16862878371ec2cb0fd51b3468037

Download Submit
C:\Windows\Installer\MSIDD96.tmp

Filesize
469KB

MD5
05443d07e99428a958238614d092ff03

SHA1
98a1362ea8a31583beac37c5855bf4b730991b99

SHA256
422f51b0455b13b8ecd9cb86340de02620663a9c98147c063e33c324b0363795

SHA512
7f9524db8ef6fa496dc7a8c804e3d5275360a6335f82e1159b1bef092a4e88bd4bd298b7009ed1b4c2ed9cab5dbb4b308c7e563f4bb630fa9a50a200c204208d

Download Submit
C:\Windows\Installer\MSIDD96.tmp-\ICCSafe.CustomAction.dll

Filesize
8KB

MD5
d92d7cd04ba1d714e083c249bde42b7c

SHA1
e0ef82fa55b14cbf1e32fff499c4fd97e835dee6

SHA256
45a43b2179421541025a173e24d3f3f845a5fac3b6c58d54cac1204d25ec8f0d

SHA512
d3a6bd3f77a0b699f7f27741bcc047d2226aa2a90e3ee4be9a1551df7091f1c3c0ac4366cfde2a84cff233e5dcd8d77b155dbebbd4edf14179b4a74d0b3f7797

Download Submit
C:\Windows\Installer\MSIDD96.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
C:\Windows\Installer\MSIDD96.tmp-\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Windows\Installer\e57cbdb.msi

Filesize
107.8MB

MD5
9599a8f5b6c834d4f16a8e7132acea39

SHA1
1306c6d51382fdfac74a6fd777ce93b293dc1a82

SHA256
af59c36b03ee77d584a3af87cc6444613bacf49094b7233369a835004cd0ad82

SHA512
28ad8b8f532460ba6b7401232e7abfe2946f9e895ceeac91d1b63f769c345d3d0bf7ef47ceb23b2450c3611292bfcc4679d9ead87fccf5b4f6c3e17ff9e24d62

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
b953b39cbd6da86fd612f9c0d9038bde

SHA1
79efe1d460e6b1331075a33082db0a749b6d217b

SHA256
f2c8e31d35b4cde9a070bffb8d847c9900a1ed091a9f6fa7ff1eeebafda487d3

SHA512
9f73de1cbfaab35de5f796ccb6a470e251d22f05b67a9cebea490114462752949d61cc78080b5f9f1ed7c2a598a13d85feb1b6da687a1cd62b58fae8a4bdce86

Download Submit
\??\Volume{e037a339-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{94ce2aa3-aa0a-4700-8e1d-63ef155ca181}_OnDiskSnapshotProp

Filesize
6KB

MD5
741c98527ca0327ef20afaf14c1bb813

SHA1
4884ae1eeccc3bf03a655f3c6f262d0429a7329c

SHA256
851fb1571b77e295e20760cb42b6e393efb844649999bf9c76491aaf46f58348

SHA512
1ecd9d14ee67b68208dbb1a89fd16f32a796d8082406da71fc71097c66c08d7137e1a1e53150500714c75ae4ed9bea0535b80e426611292351bbcad8b672c49e

Download Submit
memory/3372-192-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3372-194-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3372-199-0x0000000004860000-0x0000000004868000-memory.dmp

Filesize
32KB

Download
memory/3372-195-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3372-203-0x0000000004920000-0x00000000049D0000-memory.dmp

Filesize
704KB

Download
memory/3372-206-0x00000000049D0000-0x0000000004A46000-memory.dmp

Filesize
472KB

Download
memory/3372-193-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/3372-208-0x00000000048E0000-0x0000000004902000-memory.dmp

Filesize
136KB

Download
memory/3372-209-0x0000000004A70000-0x0000000004A8E000-memory.dmp

Filesize
120KB

Download
memory/3372-210-0x0000000004B70000-0x0000000004EC4000-memory.dmp

Filesize
3.3MB

Download
memory/3372-221-0x0000000073430000-0x0000000073BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3372-190-0x0000000004820000-0x000000000484E000-memory.dmp

Filesize
184KB

Download
memory/3372-191-0x0000000073430000-0x0000000073BE0000-memory.dmp

Filesize
7.7MB

Download