888f312540912917d972b226084b34feb292adfc70c28f09ced9ac9add0e70df

Analysis

max time kernel
88s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSNSUSII.exe
Size

9.3MB
MD5

8623bab1f3b3464cb8af16e9deeb981d
SHA1

94e0c084065cfbd161db0035dca0ecf4f9f0f523
SHA256

888f312540912917d972b226084b34feb292adfc70c28f09ced9ac9add0e70df
SHA512

8081d79e96bc1c0fd819879d031d8b5fd12bf7aee975cffd4ed47bdee0510dd32c6b5e506d4a526d4775d8c880b89cc0333c29098930bb94eb1e317c470c2356
SSDEEP

196608:Pzpg/ro7pu275pizC/QKfC/LoyIbeo6F/rzP8/46R41O/7QSforeaS:Pzpg/rkpn9pizxKcLJoo/oR41YvaS

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	msninst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	ccsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation	msninst.exe

Executes dropped EXE 14 IoCs

pid	Process
1492	msvc.exe
2576	msvc.exe
4904	msninst.exe
1588	msniadm.exe
4616	ccclient.exe
4308	ccsetup.exe
1404	cc.exe
1512	msncc.exe
692	logonmgr.exe
4448	msnrt.exe
2632	msninst.exe
1396	msniadm.exe
4704	logonmgr.exe
1796	msncc.exe

Loads dropped DLL 27 IoCs

pid	Process
1184	MSNSUSII.exe
2576	msvc.exe
1588	msniadm.exe
1588	msniadm.exe
1588	msniadm.exe
1588	msniadm.exe
4616	ccclient.exe
1404	cc.exe
1512	msncc.exe
1512	msncc.exe
1512	msncc.exe
1512	msncc.exe
692	logonmgr.exe
4308	ccsetup.exe
4448	msnrt.exe
1396	msniadm.exe
1396	msniadm.exe
1396	msniadm.exe
1396	msniadm.exe
1396	msniadm.exe
1396	msniadm.exe
1396	msniadm.exe
4704	logonmgr.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f65db027-aff3-4070-886a-0d87064aabb1} = "\"C:\\ProgramData\\Package Cache\\{f65db027-aff3-4070-886a-0d87064aabb1}\\vcredist_x86.exe\" /burn.runonce"	msvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSN\MsnInstaller\iasvcstb.dll	ccsetup.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\msninst.exe	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\msnsign.dll	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC67F.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msncc.exe	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB9D6.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\connectr.dll	cc.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC680.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC681.tmp	cc.exe
File created	C:\Program Files (x86)\TMP4352$.TMP	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\msninst.ini	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB98D.tmp	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB98E.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\ccrestore.exe	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\ibrand.mar	msniadm.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB9D3.tmp	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\TMP4352$.TMP	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC66F.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\Support\SelfHeal\LStore.fdb	msiexec.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6C7.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB98F.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\msdbxi.dll	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\slhelper.dll	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6B6.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\msnms.ico	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC66E.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msnccore.dll	cc.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB990.tmp	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB991.tmp	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB9B1.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB9C2.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\msnitd.mar	msniadm.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB991.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\install.mar	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC681.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6C8.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6B6.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\iBrand.mar	msniadm.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC66D.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6A3.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6B3.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6B4.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\iasvcstb.dll	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB9D5.tmp	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB9D5.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\logonmgr.exe	cc.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\TMP4352$.TMP	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB95D.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB98E.tmp	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB9D3.tmp	MSNSUSII.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC682.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6A3.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\iasvcstb.dll	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC6B3.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC66E.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC682.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\Support\SelfHeal\ClearIECache.exe	msiexec.exe
File created	C:\Program Files (x86)\MSN\MsnInstaller\SETB98F.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\SETB9B1.tmp	MSNSUSII.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC680.tmp	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msncc_downlevel.ico	cc.exe
File opened for modification	C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\SETC67F.tmp	cc.exe
File created	C:\Program Files (x86)\MSN\Support\SelfHeal\ClearCookies.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\MSN\MsnInstaller\iBrand.mar	msniadm.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57e5ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e5ad.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57e5b1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{3D36105D-D6C2-413A-9355-7370E8D9125B}\_APP_ICON	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3D36105D-D6C2-413A-9355-7370E8D9125B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE80E.tmp	msiexec.exe
File created	C:\Windows\Installer\{3D36105D-D6C2-413A-9355-7370E8D9125B}\_APP_ICON	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000568bc29b24ea2ad20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000568bc29b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900568bc29b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d568bc29b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000568bc29b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3416	taskkill.exe
5080	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Software\Microsoft\Internet Explorer\IESettingSync	msniadm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	msniadm.exe
Key created	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	msniadm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	msniadm.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80C6BE8-E8A9-436F-B4B1-E034C77F8628}\InprocServer32\ThreadingModel = "Apartment"	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{c8ff7695-75e8-4efd-9122-b1078a44ab05}\TypeLib	cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D410974-8F56-4D93-AEA8-9D98AC0B4144}\TypeLib	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2EA9711-F1B2-4661-AFFF-AE578DC209AA}	logonmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFCB55ED-57F5-41DC-8D47-6C56F00DB70E}\InprocServer32\ThreadingModel = "Apartment"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80C6BE8-E8A9-436F-B4B1-E034C77F8628}\ProgID\ = "MsnInst.MsnInstaller.1"	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADD66F14-DEC8-4229-8ABA-08AE48ED0D96}\TypeLib	msncc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50163D32C6DA314395537078E9D21B5\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MsnInst.InstallerBehaviorFactory\CurVer	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11B13FF3-C8D0-4F98-82DA-E91CE65F54FA}	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFEBDA2-E225-4947-9C06-D5C949410941}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2EA9711-F1B2-4661-AFFF-AE578DC209AA}\TypeLib	logonmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A80C6BE8-E8A9-436F-B4B1-E034C77F8628}\ = "MsnInstaller Class"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MsnInst.InstallerBehaviorFactory\CurVer\ = "MsnInst.InstallerBehaviorFactory.1"	msniadm.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{f65db027-aff3-4070-886a-0d87064aabb1}	msvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CD7669F-332B-4EEB-B5E5-305C24614DCD}\ProxyStubClsid32	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B696C866-4801-4A5B-9CAD-83724D6ECB31}\TypeLib\ = "{311EDE7B-141B-4A7F-BC31-A1C0D946F514}"	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2342E53E-8C6D-40DA-935C-94BB5C50B24C}\TypeLib\Version = "1.0"	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98518768-D818-4AF7-B3D8-CE3CC823F0D4}	logonmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D07B7B98-CF8C-4290-8E1B-0FCD21D0C26D}\TypeLib\ = "{311EDE7B-141B-4A7F-BC31-A1C0D946F514}"	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6C1D3CA-8032-4C3D-8B2D-FAAD24A321B4}	logonmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFEBDA2-E225-4947-9C06-D5C949410941}\TypeLib	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSNIASVC.MSNIAUI\ = "MSNIAUI Class"	logonmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F5182FF-4D54-4790-9E79-16C0E0325E33}	logonmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{f65db027-aff3-4070-886a-0d87064aabb1}\Dependents\{f65db027-aff3-4070-886a-0d87064aabb1}	msvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{94F1E179-D0CB-4FD1-87A6-D559AECBC5C2}\1.0\ = "MsnInst 1.0 Type Library"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98518768-D818-4AF7-B3D8-CE3CC823F0D4}\TypeLib\Version = "1.0"	logonmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\VersionIndependentProgID	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\TypeLib\ = "{94F1E179-D0CB-4FD1-87A6-D559AECBC5C2}"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E6D2E9F-79C6-457A-8DAC-6EE10470CB69}\TypeLib\ = "{F62EC210-3A46-4AE0-AFC4-22A796213285}"	logonmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\ProgID\ = "MsnInst.InstallerBehaviorFactory.1"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CD7669F-332B-4EEB-B5E5-305C24614DCD}\ = "IMsnInstaller"	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3f5182ff-4d54-4790-9e79-16c0e0325e33}\ProxyStubClsid32	cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0477936c-2ca6-4c67-a217-e37c3b152d56}\TypeLib	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFEBDA2-E225-4947-9C06-D5C949410941}\ = "IConnectionProfile"	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5981A700-4EDA-4042-AB3E-A6B727AE9470}\ = "IPhonebook2"	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D07B7B98-CF8C-4290-8E1B-0FCD21D0C26D}\TypeLib	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF4B7636-E05D-4CBD-9199-9BE5C4457DCC}\TypeLib	logonmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\ProgID	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D4DE56-37EF-4F63-8789-38B55977B716}\InprocServer32\ = "C:\\Program Files (x86)\\MSN\\MsnInstaller\\MSNSIGN.DLL"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0477936c-2ca6-4c67-a217-e37c3b152d56}\TypeLib\Version = "1.0"	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37A85F53-828B-40E6-81B5-37C755B7386A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5981A700-4EDA-4042-AB3E-A6B727AE9470}\ProxyStubClsid32	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E045D7EF-9031-486C-9E3D-4F1DCEF9A208}\TypeLib\Version = "1.0"	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\ProgID\ = "MsnInst.InstallerBehaviorFactory.1"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MsnInst.MsnInstaller\CLSID\ = "{A80C6BE8-E8A9-436F-B4B1-E034C77F8628}"	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CD7669F-332B-4EEB-B5E5-305C24614DCD}	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{c61523bf-b50a-45e9-bdd3-fdd6c7d0c635}\ProxyStubClsid	cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0A7BAD0-0DBA-4E65-900E-65D11B895C0D}\TypeLib	cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F62EC210-3A46-4AE0-AFC4-22A796213285}\1.0\0\win32	logonmgr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MsnInst.InstallerBehaviorFactory.1\CLSID	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89735418-ce2d-46cc-a316-1fc96071e135}\TypeLib	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{a3a68231-ce0d-4d76-a85c-05636a0a8bb6}\TypeLib\Version = "1.0"	cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\msncc.EXE	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{311EDE7B-141B-4A7F-BC31-A1C0D946F514}\1.0\HELPDIR	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\msninstx.dll"	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0A7BAD0-0DBA-4E65-900E-65D11B895C0D}\ProxyStubClsid	cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB998E97-ECAE-49E1-BF98-EEB0C44CDDA1}\ = "IPersistKeys"	logonmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\VersionIndependentProgID\ = "MsnInst.InstallerBehaviorFactory"	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFEBDA2-E225-4947-9C06-D5C949410941}\ = "IConnectionProfile"	msncc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADD66F14-DEC8-4229-8ABA-08AE48ED0D96}\ProxyStubClsid32	msncc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CD7669F-332B-4EEB-B5E5-305C24614DCD}\TypeLib\Version = "1.0"	msniadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AF61C8-7CC1-48B7-B5C1-6D6306980ED0}\VersionIndependentProgID	msniadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E045D7EF-9031-486C-9E3D-4F1DCEF9A208}\TypeLib\Version = "1.0"	msncc.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
4308	ccsetup.exe
1948	msiexec.exe
1948	msiexec.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe
1796	msncc.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1296	vssvc.exe
Token: SeRestorePrivilege	1296	vssvc.exe
Token: SeAuditPrivilege	1296	vssvc.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeBackupPrivilege	2156	srtasks.exe
Token: SeRestorePrivilege	2156	srtasks.exe
Token: SeSecurityPrivilege	2156	srtasks.exe
Token: SeTakeOwnershipPrivilege	2156	srtasks.exe
Token: SeShutdownPrivilege	1008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1008	msiexec.exe
Token: SeBackupPrivilege	2156	srtasks.exe
Token: SeRestorePrivilege	2156	srtasks.exe
Token: SeSecurityPrivilege	2156	srtasks.exe
Token: SeTakeOwnershipPrivilege	2156	srtasks.exe
Token: SeSecurityPrivilege	1948	msiexec.exe
Token: SeCreateTokenPrivilege	1008	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1008	msiexec.exe
Token: SeLockMemoryPrivilege	1008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1008	msiexec.exe
Token: SeMachineAccountPrivilege	1008	msiexec.exe
Token: SeTcbPrivilege	1008	msiexec.exe
Token: SeSecurityPrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeLoadDriverPrivilege	1008	msiexec.exe
Token: SeSystemProfilePrivilege	1008	msiexec.exe
Token: SeSystemtimePrivilege	1008	msiexec.exe
Token: SeProfSingleProcessPrivilege	1008	msiexec.exe
Token: SeIncBasePriorityPrivilege	1008	msiexec.exe
Token: SeCreatePagefilePrivilege	1008	msiexec.exe
Token: SeCreatePermanentPrivilege	1008	msiexec.exe
Token: SeBackupPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeShutdownPrivilege	1008	msiexec.exe
Token: SeDebugPrivilege	1008	msiexec.exe
Token: SeAuditPrivilege	1008	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1008	msiexec.exe
Token: SeChangeNotifyPrivilege	1008	msiexec.exe
Token: SeRemoteShutdownPrivilege	1008	msiexec.exe
Token: SeUndockPrivilege	1008	msiexec.exe
Token: SeSyncAgentPrivilege	1008	msiexec.exe
Token: SeEnableDelegationPrivilege	1008	msiexec.exe
Token: SeManageVolumePrivilege	1008	msiexec.exe
Token: SeImpersonatePrivilege	1008	msiexec.exe
Token: SeCreateGlobalPrivilege	1008	msiexec.exe
Token: SeShutdownPrivilege	3444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3444	msiexec.exe
Token: SeCreateTokenPrivilege	3444	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3444	msiexec.exe
Token: SeLockMemoryPrivilege	3444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3444	msiexec.exe
Token: SeMachineAccountPrivilege	3444	msiexec.exe
Token: SeTcbPrivilege	3444	msiexec.exe
Token: SeSecurityPrivilege	3444	msiexec.exe
Token: SeTakeOwnershipPrivilege	3444	msiexec.exe
Token: SeLoadDriverPrivilege	3444	msiexec.exe
Token: SeSystemProfilePrivilege	3444	msiexec.exe
Token: SeSystemtimePrivilege	3444	msiexec.exe
Token: SeProfSingleProcessPrivilege	3444	msiexec.exe
Token: SeIncBasePriorityPrivilege	3444	msiexec.exe
Token: SeCreatePagefilePrivilege	3444	msiexec.exe
Token: SeCreatePermanentPrivilege	3444	msiexec.exe
Token: SeBackupPrivilege	3444	msiexec.exe
Token: SeRestorePrivilege	3444	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1796	msncc.exe
1796	msncc.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1796	msncc.exe
1796	msncc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1396	msniadm.exe
1396	msniadm.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1492	1184	MSNSUSII.exe	89
PID 1184 wrote to memory of 1492	1184	MSNSUSII.exe	89
PID 1184 wrote to memory of 1492	1184	MSNSUSII.exe	89
PID 1492 wrote to memory of 2576	1492	msvc.exe	90
PID 1492 wrote to memory of 2576	1492	msvc.exe	90
PID 1492 wrote to memory of 2576	1492	msvc.exe	90
PID 1184 wrote to memory of 4000	1184	MSNSUSII.exe	99
PID 1184 wrote to memory of 4000	1184	MSNSUSII.exe	99
PID 1184 wrote to memory of 4000	1184	MSNSUSII.exe	99
PID 1184 wrote to memory of 4904	1184	MSNSUSII.exe	100
PID 1184 wrote to memory of 4904	1184	MSNSUSII.exe	100
PID 1184 wrote to memory of 4904	1184	MSNSUSII.exe	100
PID 4904 wrote to memory of 1588	4904	msninst.exe	101
PID 4904 wrote to memory of 1588	4904	msninst.exe	101
PID 4904 wrote to memory of 1588	4904	msninst.exe	101
PID 1184 wrote to memory of 4616	1184	MSNSUSII.exe	102
PID 1184 wrote to memory of 4616	1184	MSNSUSII.exe	102
PID 1184 wrote to memory of 4616	1184	MSNSUSII.exe	102
PID 4616 wrote to memory of 4308	4616	ccclient.exe	103
PID 4616 wrote to memory of 4308	4616	ccclient.exe	103
PID 4616 wrote to memory of 4308	4616	ccclient.exe	103
PID 4308 wrote to memory of 3416	4308	ccsetup.exe	105
PID 4308 wrote to memory of 3416	4308	ccsetup.exe	105
PID 4308 wrote to memory of 3416	4308	ccsetup.exe	105
PID 4308 wrote to memory of 5080	4308	ccsetup.exe	108
PID 4308 wrote to memory of 5080	4308	ccsetup.exe	108
PID 4308 wrote to memory of 5080	4308	ccsetup.exe	108
PID 4308 wrote to memory of 1404	4308	ccsetup.exe	110
PID 4308 wrote to memory of 1404	4308	ccsetup.exe	110
PID 4308 wrote to memory of 1404	4308	ccsetup.exe	110
PID 1404 wrote to memory of 1512	1404	cc.exe	111
PID 1404 wrote to memory of 1512	1404	cc.exe	111
PID 1404 wrote to memory of 1512	1404	cc.exe	111
PID 1404 wrote to memory of 692	1404	cc.exe	115
PID 1404 wrote to memory of 692	1404	cc.exe	115
PID 1404 wrote to memory of 692	1404	cc.exe	115
PID 1404 wrote to memory of 692	1404	cc.exe	115
PID 1404 wrote to memory of 692	1404	cc.exe	115
PID 1404 wrote to memory of 4284	1404	cc.exe	116
PID 1404 wrote to memory of 4284	1404	cc.exe	116
PID 1404 wrote to memory of 4284	1404	cc.exe	116
PID 4308 wrote to memory of 4288	4308	ccsetup.exe	117
PID 4308 wrote to memory of 4288	4308	ccsetup.exe	117
PID 4308 wrote to memory of 4288	4308	ccsetup.exe	117
PID 1184 wrote to memory of 4448	1184	MSNSUSII.exe	119
PID 1184 wrote to memory of 4448	1184	MSNSUSII.exe	119
PID 1184 wrote to memory of 4448	1184	MSNSUSII.exe	119
PID 4448 wrote to memory of 1008	4448	msnrt.exe	120
PID 4448 wrote to memory of 1008	4448	msnrt.exe	120
PID 4448 wrote to memory of 1008	4448	msnrt.exe	120
PID 4448 wrote to memory of 3444	4448	msnrt.exe	122
PID 4448 wrote to memory of 3444	4448	msnrt.exe	122
PID 4448 wrote to memory of 3444	4448	msnrt.exe	122
PID 1184 wrote to memory of 2632	1184	MSNSUSII.exe	124
PID 1184 wrote to memory of 2632	1184	MSNSUSII.exe	124
PID 1184 wrote to memory of 2632	1184	MSNSUSII.exe	124
PID 2632 wrote to memory of 1396	2632	msninst.exe	125
PID 2632 wrote to memory of 1396	2632	msninst.exe	125
PID 2632 wrote to memory of 1396	2632	msninst.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MSNSUSII.exe
"C:\Users\Admin\AppData\Local\Temp\MSNSUSII.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvc.exe /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvc.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvc.exe" /quiet /norestart -burn.unelevated BurnPipe.{FECCB7F1-2BB0-4052-8C28-706C0C2B3249} {F5A78CB8-A69F-4FF1-8935-A3C437F2D00A} 1492
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe advpack.dll,LaunchINFSection campaign.inf,DefaultInstall
  2⤵
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe /Action:Wait
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msniadm.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msniadm.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe /Action:Wait
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:1588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ccclient.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ccclient.exe /Q:A
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ccsetup.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ccsetup.exe /silent /noarp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM msncc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3416
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM logonmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cc.exe /q
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msncc.exe
        
        "C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msncc.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1512
    - - C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\logonmgr.exe
        
        "C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\logonmgr.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:692
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe advpack.dll,LaunchINFSection c:\Progra~1\MSN\MSNIAbackup\msncoreU.inf,DefaultInstall,1
        5⤵
        
        PID:4284
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" advpack.dll,LaunchINFSection C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\cc.inf,DelRegArpOnly,1
      4⤵
      PID:4288
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnrt.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnrt.exe /Q:A
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /q /uninstall {3D36105D-D6C2-413a-9355-7370E8D9125B}
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /norestart /q /i msnrt.msi
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
- C:\Program Files (x86)\MSN\MsnInstaller\msninst.exe
  "C:\Program Files (x86)\MSN\MsnInstaller\msninst.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Program Files (x86)\MSN\MsnInstaller\msniadm.exe
    "C:\Program Files (x86)\MSN\MsnInstaller\msniadm.exe" "C:\Program Files (x86)\MSN\MsnInstaller\msninst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\logonmgr.exe
"C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\logonmgr.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4704

C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msncc.exe
"C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msncc.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e5b0.rbs

Filesize
7KB

MD5
8c4139a4de67413dce0e941825561d0a

SHA1
af2f4f65faa326e3ed8ec4cd4717ce5027e0e110

SHA256
d7164c902a1587fdaeda88962aaf733c39459391919955606450e33a5b391e11

SHA512
40706f9d29420ad557b2b4fa96bbd19ce34fb49d7ae64b80193caa7e4cde2e64c974f403207b1b48fe9d25999913054d4bcea7958d1779322fae7c538aafdb64

Download Submit
C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\CONNECTR.DLL

Filesize
320KB

MD5
a739b6319f664851336a18c3e2dca45e

SHA1
ffee3cae4a5ed56fc9d7de478afe0f097759d476

SHA256
4d1d37ae0f1c8bd49e73484588e4b349192e3292997fc3289d23f05738922b62

SHA512
2c9c96b479c93f896ed43a628800e32a62b279383756dacb8e17c71114bc67c5aad8c9c3a032d6421588e1d460ddbd4ebc602dbeb9c78ab738bd02ebe9cdbb4a

Download Submit
C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\MSNDUI.dll

Filesize
42KB

MD5
18a19051c1d239c7172516c5249c6de8

SHA1
8e0416db22b4dc52c855483b57e05eaaf6debf28

SHA256
da906be8a964170d5aa103264f4118b8dd21e8f1e9398ff7b548d5ab3bf0ea31

SHA512
9924689293361ad7bd1e0ee1eea6e1d7cf6c1d67a21a82f3aa60201f82173e4dc156be7388024b8e8a7890a6f8b5a1a56822774440b866bc6e0aa34c451b391e

Download Submit
C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\canvas.DLL

Filesize
256KB

MD5
f877d6b9d056363866a6354bbe8923a8

SHA1
0343f974dc29d86ab0cf57eba27a9e52b6f5bbe2

SHA256
d754af68fae3f103d2322281ceec499701880b3020bf527f3416be32e8f7cc92

SHA512
d6e1b0172c8a83547410289c2e11c68d301e3796ebc31172f5c4b3dabb4128a66b464e4fccb7443c13af0d9155555cbec5d1e2c6e84ef1aad004fd2eb3afb98f

Download Submit
C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msnccore.dll

Filesize
128KB

MD5
e0a5ad5eca30a9f3a275411ce71828e4

SHA1
d20e069f834c5fe2bc00fe673f327314d87d3283

SHA256
2f28ea05c8edf0efe3e3651e8bbba67e3064d84ead8069ec1ac3a849a3d26257

SHA512
8bba9829c366a1923539b888a87c2106b1612d42c063d818bb45deee6df9dcc833692f84989d12fa7ddc90404e119bd4679c4b0b5442cb16cb23c67da2de97c2

Download Submit
C:\Program Files (x86)\MSN\MSNIA\CC\MSNCC\msndui.dll

Filesize
14KB

MD5
4789b66b616ed0e9c14133485d5ecbac

SHA1
f780429cd04faa9dae0d46715387b85641c86860

SHA256
60cce1f1b6a6a338715f0a5255494daddd32f5a1b6ca312150f0a1f3c9225a67

SHA512
feb7dc30a7547a59bb3f78881493cc550564961e7682f962de9b22f14d3ff2e2a878b7d321acf23371e61ae3f7ee3da577777ab97efe2f555b8224f7c28966b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
110KB

MD5
b2c59b053e9f0968893aca63d9dd0ac5

SHA1
ec9a36215ed8a28ca5319e5593602c3cc5c2be7e

SHA256
df3c85030c04445693d87f8191c4da17a99f2acb3a24c8f02efacf7c716e068b

SHA512
25bf299b6a85564e30e722591feae9a9b67998c3f37c307656885fd78ce793c2528ee420f5d4b5f636b1d98c3a0310d48aaf6dddff2de2eca0fca806bac4bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\campaign.inf

Filesize
1KB

MD5
99328a1d223adb3daf4c882151e93670

SHA1
b7adfe4ddb4779617ac53456a08ad0b0cceba918

SHA256
3e8174aaee4d8fd6ff4277a864e35e3b75ad957b753c54d264e5ebc80137bb87

SHA512
b33bd314a4ac3b69e5d86becaa6264d578178a043f75d9a475a0a17787013b6b9316b26d725cc1be970c03829e877bfb354741923089c2b2951f7f92ac2073ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ccclient.exe

Filesize
1.9MB

MD5
366afbc6d3ff8ded4708d3b222a28a7a

SHA1
4bebc5368bcba64a4fbb9f24406c63d11f40cf52

SHA256
136badb59679c53d9ba78a996cba21b840afdf77aad79f8dff21bc0313c8a014

SHA512
9b7fdfafd59fd7cf55ee27f98330128cd92c2cc2cb62c96f0a4e8516dcc1e0cf0f365a4a9cd70a65361e952190a36351ef5ff7ac6fae19c60cea8cc1697cd4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iasvcstb.dll

Filesize
79KB

MD5
5a5e92f86d468599ffab44a35789cd4b

SHA1
372c7f4d16ca8826734d03b0f5f04ff1a91e5b68

SHA256
1f7cf66f6d9e56c69848f58627cbdbca85ced22cd5743ec20804230356c860d5

SHA512
6536e08c656993462599bac42dad679356504ff42e398467a124583a5c17297e32157b0f3d09ee2e0398621d6ce237509253ac6382280e28ad1257c084b32343

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.mar

Filesize
3.0MB

MD5
5af28313c346bf5b1daffe043a5093dc

SHA1
fdbcd61d763b23a010fe2eab41be0234b3d2c0a9

SHA256
1dc0e9110d2d36dfa65aea607407326bb437c38a0970c017fd34f4fdc38d4645

SHA512
9d73c5ae1b946c101c96848d1fffb8419e7e4de7ff6640b045f059833aaf898fe8f6c4d87f664f62aed7ed7211964bfeb78ef944c5a1a4090086368b5bf1cac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdbxi.dll

Filesize
106KB

MD5
d37edd75b383138bc291f0e997ba0a4e

SHA1
4e77f447b6ec1b5bbe1cb67784bf1beb7a06dcf0

SHA256
3bb639cef8a718aa1e97b56652e980603f3567db8ca451173740e0597b0761cc

SHA512
468890cf38b032a7402a76051544ba30c9fc0256c69e78bcf2c2e509ab758a0937b59a3cd38edc3fa9c27bde62a10edfedcc7930fcb8a29eafab2967c6d272cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msniadm.exe

Filesize
970KB

MD5
6b5dc9c5c8efb425a35fa22da38109e5

SHA1
0c9224d9a9f570f3c1a01dadd1b63c9114aba224

SHA256
cccb57f325507bd6842294a017d214ae387ce242200f94220fb68c7b1fee292c

SHA512
fc85b35c55548c41b94a2985ccf344de64dcce0dc3c444e34a5e7570bb2447c625f0ecb9acf870d8e7b3c7d15c7bace1374bbfb6f768359a5cdd554cf8d5dd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msniadm.exe

Filesize
128KB

MD5
16f8f39bf9093a4d728520ad680a998d

SHA1
5b90772cda84697ecf46aacbf983f44c61a0fb73

SHA256
64bd854d70949f180193914cf5c1076ff8b5e130c3ed22b64c375e71fbbc5521

SHA512
92dbcc2f263ebff7b8711f0a51d565e28e00c1dfb6c1c6af5b63d558fae4dfe7214d42f97d590ec5d260bf84dd2ca179408f2807b5f3dc1f66c17b16445ec1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnihc.mar

Filesize
27KB

MD5
c913c00d28530fd45238ad84e373736e

SHA1
490c0abfaf04372237e7504611230f1b35ea914a

SHA256
91ff4b8886e13d6511b49d2a3411bf524e6204bfb57f42055b48a55edb87c445

SHA512
344155f5a5fb065578892c6027f1c87c8ed660dbdbc0dd22135ed3c227e9ac24260c4b63b13b235e9731c9b980fe8e80ce9b05057d672caa0be3a4fad2176d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnilc.dll

Filesize
39KB

MD5
2dfe6d2124cece86fe76f2dcfb02f75e

SHA1
61cb1c1866015ae3ab75962a8a4925c6909a80d1

SHA256
2c89c097046aecf22f93abfa2db91a1eaae7668ad73cb7ad17e0a27b9f11db9f

SHA512
faec3856782c9493bdee7eb19a51ddd46391d269ca7bafa746c42d66b07f0b0f0524f73855d62f124d1c43634da2b2b2e1f00d5a9cb45d5bc2b1cb8fd9443e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe

Filesize
942KB

MD5
4e47acd565c8bce8b1442c52b664acbc

SHA1
fec127c61d5e65c28bd413d1092e7bb99a80a0d9

SHA256
1996353b0ac662ee1cebefe1e61ce52b28b795c16ead2fe97509ab549e549d8d

SHA512
e38d4b2cdd02bddc9d397b6c22147d5057e2700afed528a355d510b82eea47e251099a3c40345f2dfeab70709463a72b6ba7a7c29bfab5b425496c0b76f8bd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninstx.dll

Filesize
270KB

MD5
9b2aad18502a0a0588863c5529f3c8eb

SHA1
bfc9d5df7bd70c4efebc3bf70c575b4f542f55b8

SHA256
a0d7c2dd41d78fc8b9924ab42ee4a624e5a1df9f63926d5adb244554ba2ff96a

SHA512
3f8c2e8328223f6fa40ab02ceb9187d11e81d0bbaaa26651f5f94a93273d4f8d511ea3619338048a6f6d42f3c4e76774882ec36c0e64298da9c56edf9065003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnitd.mar

Filesize
55KB

MD5
9e530202fe768bc4b9ce55546e006044

SHA1
fc494116f4f435dddbc5a1cd332b191ae41baeae

SHA256
2e77b31c97159e83981ac3fc3c83e26cdb3906c9ad026e5e203492bc0213c527

SHA512
9fb1ca8b3bb3040e68016d80a9cc93e63c08dc1259ff14958ea2717cd0f8e4ca1284c5871352cc83a68e0b68f87a08eef26a8f3b0266854db05cce7d9c1f4d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msniusr.exe

Filesize
970KB

MD5
7718948f6167d8d12e99021439c25db5

SHA1
1a825d79725324b74d2412b41c0cceea40abb3cb

SHA256
bf7b7c48ad26f5716c0874084e5f71961a0157bd4a4d6ccb3515d40bb92cf02b

SHA512
0ea1cc723f1dd3619e23dec274b09d28354f174ae7f4334546f5615dd6a317d9c3691deb8476776eb92a43f65609d94f753d7a50ec07df2d697e08ef5b0a97f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnms.ico

Filesize
290KB

MD5
7401849092affba79342affb6a0e94bc

SHA1
0ae9aa664dbc1b3a938430fe06d9600b133e1ccf

SHA256
430c9f15225b0e5aeffa3de5095586d5b9ef84d2261f04d34acf18c76117967f

SHA512
fdd9b6c9c47d7fe83ef3d99d0c3e7084af43fdbeccca71a29bbf7e7f5650783130c40d9a5ba9a646780ab1af4130470911abdb6bd97c96e7519ecedeaa368287

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnrt.exe

Filesize
262KB

MD5
6b4dd26c191223d7156cea3750d9fa75

SHA1
026dacf386580812bb331ad8a1227ca8a819f98c

SHA256
9e883200e243154e754dacb34fcb53e8089626c962c28713b4046322da464f08

SHA512
eabd8c753e7a52cd60ae6c928d074e51c7825a4c0842064b67eb6c00f5cc52b9ca77263c48a1e6c38af6bcd96c1a91a58484519dae10754836157370413b2fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsign.dll

Filesize
1.0MB

MD5
a68f1eedfdcdf0801a0cbb20abf95daa

SHA1
4147eeac60646748a9f2f96854b03e51349947f8

SHA256
f1dc0f8fc1db06523fb65b0a422648b3bc9c2285ec6212be10a3cdaf082acd29

SHA512
d9b8287f1c8c2cbe95a693ab787b3ffbd7f477b4a85b19e311666c697e486831f62de84904600a1f1624e014f48ec81ca081d9bbba394a49228f415c050e3899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsusi.inf

Filesize
8KB

MD5
c4b5415c261162065f4cb0d2aaacddf7

SHA1
a9d0eb81a73398ea357bc2c1ec290e053b78063f

SHA256
e807ff9ef1674b978b046e840d26dc8c715116aaa99c50dd46b2f6b7786f4a8a

SHA512
5334213c8ac5445f761f404f7867eeb7df7830366af9da061070db3d672d4fec0b7ed6e283cc96980359cc4d2a1f23329777ada022309c429a11c7d80d968f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvc.exe

Filesize
6.2MB

MD5
0fc525b6b7b96a87523daa7a0013c69d

SHA1
df7f0a73bfa077e483e51bfb97f5e2eceedfb6a3

SHA256
a22895e55b26202eae166838edbe2ea6aad00d7ea600c11f8a31ede5cbce2048

SHA512
729251371ed208898430040fe48cabd286a5671bd7f472a30e9021b68f73b2d49d85a0879920232426b139520f7e21321ba92646985216bf2f733c64e014a71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ADVPACK.DLL

Filesize
123KB

MD5
4fe6aa4422bec5dc3995051c670ffb26

SHA1
1cd95c2a21f7f7796689a0ca04719a05dfd62e86

SHA256
17b12b2c3d7f3deb25069268896fa55cb704209a4a9321c3a787222341bb3a07

SHA512
508aed217028685ceca9a20d2c9c3d2a652a4600c5f945e72ac1752f9fc78755916c299276b928413e18e5ad58d8ab3b4949606f999820c854710cb38c93a9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\accessmgr.inf

Filesize
467B

MD5
b3de74ee4fbf9c77701b0823e4228821

SHA1
216a064bc63b19ae2e331dbfd3119da9f3dd4842

SHA256
49ce7c83970fc1ba09aa69126d0fbd02c8833a495b423149947d36204382b9d8

SHA512
5bc43f09254d196ca60682f2ebe3d65d8cba6cf485304635f50e0b2dbfd9cbbc358822288ea8bb5ed3835f51868f57a88c2d1d3e5dbaac0a3fd6aaa053ae2bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cc.exe

Filesize
1.7MB

MD5
92900b278c870637acf0fd1cfc4ac179

SHA1
1b7db454f0440dc55d773e053ea35dd16ddf8cea

SHA256
53f9bc2dd43218fae28dc86922c465b389d0ccce1d5c9c75f8fe1686b3d5ca01

SHA512
d17eb2e0dcff5c9c790de0612e23a0829aae850f4491099bae1b4b4688d33c12405489bb59b098aa300838f810e2096b273697926eb40bdc8a9af67f4ce5cf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ccsetup.exe

Filesize
536KB

MD5
d9ec1755c3d7773a86df6ef99beb4950

SHA1
dedaadb414a06c817b8de399a819a9b7f9621d61

SHA256
7b048975b5ad338e92ff9bc3458b7e6806ef5c62360688f588e93883a45717fc

SHA512
57df5b41dae9ed21ca8c93354a687df7770b96d908a687271dab7fda944c801f3928922d9e061569b658151d67e5e0dc3fa3bde2e0a454d0ad31a230d7f893f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msnrt.inf

Filesize
558B

MD5
dbe4fd794babbde7bac389276e0c7c35

SHA1
2fe673e8a8b61e91b13823fc51a73db2cac6988e

SHA256
2d88b091af460a49d5d006f92fbb08086a2f06d75724b38528deee4f9692e876

SHA512
e5fcf0413c9af3008c4226d8ee164dd3b9f6c6f0a5c5b155d977958809802d50b7ab8bf9986e057637c5cc76e63c3384138cfc9ff5b8790c380e7d1cce7be7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\msnrt.msi

Filesize
212KB

MD5
ac54aabc320540668209a707e640d6a6

SHA1
18b94298babb9824d6cca2c0f2c43b3e179a3315

SHA256
6d84bf9f0151ebfe838e682e617693e8f2f4f6b14620c5e668830ec8f2ec54c3

SHA512
aaafe66966b40156bf4440dd410619fd4b3c02daf22b3e175d51ebcb8e917f2308b71163556414b2a5c861d5f803d825b046e6622d1da54a05bad3f9a61aa7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\canvas.dll

Filesize
2.2MB

MD5
16c7a36c66d99351641e80f7aab32df8

SHA1
3394ff8c373ac794e6721e1f23eeaf7d15ccc5d2

SHA256
8de919f9dc3381519a4d474a90898ebd23348d3a1b107af090dbf933fa709644

SHA512
4ce293830029ecdcd04f0c493ecbea9c9620d7af3647da6284c4b95085ff068c4ff2507edb4a2f2311e5c15b672e85b0205819062aca547a7a420bcea009716e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cc.inf

Filesize
14KB

MD5
28bc30bef504c7e2a1aed61413418aaf

SHA1
931399d7c5e020350d8dc597f38da4766acc5593

SHA256
453b741185762b655748cc79c1b14bf9fb4d78ab6cee3ca31fb086a31253f482

SHA512
ea3d83627e38a979880e01a7554f6e637796ed31351f4030df092076a9f66eae6043e735249bfd9f8a08703e9dd8b5f0bdcfa418bc5152f0571ec5090022d0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ccrestore.exe

Filesize
113KB

MD5
77329b43a352b87dc1044ebd6490fabf

SHA1
61b90335f7c8cdac970e5bb1fc667f703b367932

SHA256
1ee81bfb1a72bc58ec78c1348b4a7ddd70685a25d9e33844010c355689da3b46

SHA512
bf8aed78c2e3f4da5feb55d4dc28e412002ff656737bba11940bfad6c8d330e895641ae6e7d771b3836574e5a7c87e2aec20bedfbf328e7dc0584f7e233b0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\connectr.dll

Filesize
583KB

MD5
c13f11c1e0d6342778d3af4dc715d32f

SHA1
380ee3d3634020820a0fab41117433c7ab7a7788

SHA256
84e62078077d38df5511206996fd28b3def9a9fe7d4ceaceb41e6772a0e32fb2

SHA512
97fba8c8f7b19865167a8bad4ed858994f3550dd7354ad576fc1935d3d544db5d669e5c25534b4937e1cbc3f2e99cad59c21f1d09f54a3d8c607df36bcf8b383

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\logonmgr.exe

Filesize
249KB

MD5
30c6c8890b85ba03a9cd5f2147dee69a

SHA1
11e87014d6caf5f683997514de82028afff6a599

SHA256
c20293fd207bf5d51195f507de2acad5b1500556a3d463bdcdf18f27bc50ae48

SHA512
fcca61a39c84daefbc44f7d9ba65d1bafc5f692338d692dbbeba7c1c8d804eed444955a7007bf2618005ac7d7365fc0ee9810f12e55183b95ab9eea7761d0401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\logonmgr.exe.manifest

Filesize
1KB

MD5
61e9899043a7dd548178db2af348f207

SHA1
a367380816afafdf1ab6addc4c0652a9d3cf0121

SHA256
65193b302f909d8d6cbe04c4e6e7f1a0f80915b105440e20b1908926cdbb62c8

SHA512
f0394e47ab5ccb268da4810091b778d65bf42693d992c3d43d7bb61df9e921c5e1406fbf87245d2c798b542617761378a6e9bbc9f6ba9d1814e636a1c24f5b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\msncc.chm

Filesize
133KB

MD5
43ba14035f59554e4f0201444c1d877d

SHA1
94861fc38eb3b743d89b4c6ce38c49187ceea363

SHA256
d76c3d842a0d6cf742ecfd87a8531a9a056538ca79a7275cb3df64757548c901

SHA512
be3906b12939e69dc95a26b27744b13d09edaab528c9b6199846ac9c09a6a120a1a35b482c3f897baf45b18b392cc8f5cf30c27e8a4cfbe2d7b468913add7527

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\msncc.exe

Filesize
193KB

MD5
c863df6e5763a8afd6b0a3ed3424b56b

SHA1
f74e7f285a7ac79678fa154571518720390d2552

SHA256
fdaec66217fed38f80e82d932e8d61b897835dbdd607d29de39023c00cd8bfac

SHA512
db8a97bdd62d616c4e0fb63928bfc7dbe8e6aaaa2c7697666e4b73ff4b6889a4657d64bda6267bb077e1ca5c7a6c28ba0da1411e8c9c0bff18a9d0b6155bea15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\msncc_downlevel.ico

Filesize
1KB

MD5
d0968cb31e04c2138b076c36b8db9357

SHA1
96272a1d5e4a6fc354097a41151a64a7b523027c

SHA256
2d35e86d8c6f9c60bac03835bd616bfbb6b2c2a351ab2874a748b97bd3c02c53

SHA512
57004ae87c8ee761a427382fb97919d3330ecfaf02b23c48ed5dca6dd0fb8d6b0e413e76b21ed84f5dd50c3268e3f10110610ff88b73ab69c5d1f38a531ff73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\msnccore.dll

Filesize
267KB

MD5
8e8b4b1dc941c497c811aceb1bdda39f

SHA1
da75d356394e0026ce40f1637537458ac83b2300

SHA256
25c5b3a0ef655adc59c7d51834b7ea762a2ab2e77eb5bb57cf7fc368c3228847

SHA512
0747d3cad046fae8184bf753dc4e895015f229e094fb52369a941a03a4cb3d928b665b413733fbe9ac69cb593c59a0a46747b7e23232c46ce5bdbcad5072e841

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\msncoreU.inf

Filesize
1KB

MD5
8e7bd9f79403034103290fe9dd5908b8

SHA1
545c250608543799346af082d3dcb94f515970b2

SHA256
8e27fe2b012cd65201e2aa1b4a95c7dfebdf5828d4c62214622bdc835e641a6b

SHA512
2bf4669f844921b86136ce94a83ac268651044c922c6c07e3074dc41ae1d92f6853acc80de5871914edaa71d50b052b590607a263a636c660e1cb21269352354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\msndui.dll

Filesize
768KB

MD5
0a256655223667f5fa62816e3c5d7fd9

SHA1
ab410edb56efded857b096820f59598cb7297e03

SHA256
d9983c47a414874cf9f5b090cf826d296e23b074d904f8e2e538b64152e86e90

SHA512
112f6faa34049cd73ed875748611d575ea61178119d6b55c6c4aa935fe051b038fb523832b23b37a3780f482820a08575d18f6169e42ee16b85d189e5d4e6985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slhelper.dll

Filesize
100KB

MD5
de9c3d4167476c832cfc6a43e7a2b04b

SHA1
82d3aaef7d343669d0b68a26f8948e4344d56ea1

SHA256
192e9894fb9b12ea29d5d6d311990c368df7825d5e805b03014401efc84d054b

SHA512
0f338c0ec91c1ba6cb04c54661661b4dd4a06c3d342f991b6cb6e88ea2e158c3a4d90b6f86dc0f170503588693d5c8f5a6b2753860de1ff1f61fcd03aaa4dbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll

Filesize
117KB

MD5
a52e5220efb60813b31a82d101a97dcb

SHA1
56e16e4df0944cb07e73a01301886644f062d79b

SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe

Filesize
450KB

MD5
2335ab0c0e19c0ef416d07df66fee649

SHA1
1e8794aff453f7647a6c149f3d38f7a3ff4ccd1b

SHA256
f0e46c0f9b2991fa6d187c6b2bed28139c67804cc58cc45c77f06a6f217cb21a

SHA512
518580d7a0d8f9610c8ec0204ae879a91a24325fb5e45348e6f0769aa25a69525992bc0f722df113993aa29a1a917de8fbecfb39d547d6f25354c3488bf06a62

Download Submit
memory/1796-528-0x00000000016A0000-0x00000000016A1000-memory.dmp

Filesize
4KB

Download
memory/1796-549-0x00000000016A0000-0x00000000016A1000-memory.dmp

Filesize
4KB

Download