182133384c2326c5b7a57567e5cf0a529b8c19b20f413e6f20bd267262fb2ccc

Analysis

max time kernel
149s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/05/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

startup.exe
Size

4.4MB
MD5

5008795ee2279d2454bccedf62e33592
SHA1

26f679abc0b7268af311458b042a9fdac258a955
SHA256

182133384c2326c5b7a57567e5cf0a529b8c19b20f413e6f20bd267262fb2ccc
SHA512

f4d458e4235d6d0b1d66f40eae12c9cc0a05a222ac3638f3872c73652b18c209e68cda322ee90c6334720b5061f17cf5be48487914e252dda45a5a235136c279
SSDEEP

98304:6pq/d8kCB0lMyQjujDW9tBcg2jGqwwAs75++hppCIhwoYkB3tiXqK:Tcb5ujyp8jGqwwhcU9/NtmqK

Score

8^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\K4W-21-17\SETBC81.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\K4W-21-17\klflt.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\K4W-21-17\SETBC80.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\K4W-21-17\SETBC80.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\K4W-21-17\klif.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\K4W-21-17\SETBC81.tmp	MsiExec.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	startup.exe

Loads dropped DLL 64 IoCs

pid	Process
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
2388	startup.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
8844	MsiExec.exe
2596	MsiExec.exe
2596	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
33	8604	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	startup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	startup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	startup.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	startup.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIB397.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIAEE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB02B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB89A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA225.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA759.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e599e59.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Inf\oem0.PNF	MsiExec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA176.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABD2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{316E069F-B459-3A14-9721-D616E6BD04FF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4B1.tmp	msiexec.exe
File created	C:\Windows\Installer\e599e59.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1F5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA310.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA563.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6CB.tmp	msiexec.exe
File created	C:\Windows\Inf\oem1.PNF	MsiExec.exe
File created	C:\Windows\Inf\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\installer	startup.exe
File opened for modification	C:\Windows\Installer\MSIAA58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB02A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBD8.tmp	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	startup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2388	startup.exe
2388	startup.exe
2596	MsiExec.exe
2596	MsiExec.exe
2596	MsiExec.exe
2596	MsiExec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2388	startup.exe
Token: SeIncreaseQuotaPrivilege	2388	startup.exe
Token: SeSecurityPrivilege	8604	msiexec.exe
Token: SeCreateTokenPrivilege	2388	startup.exe
Token: SeAssignPrimaryTokenPrivilege	2388	startup.exe
Token: SeLockMemoryPrivilege	2388	startup.exe
Token: SeIncreaseQuotaPrivilege	2388	startup.exe
Token: SeMachineAccountPrivilege	2388	startup.exe
Token: SeTcbPrivilege	2388	startup.exe
Token: SeSecurityPrivilege	2388	startup.exe
Token: SeTakeOwnershipPrivilege	2388	startup.exe
Token: SeLoadDriverPrivilege	2388	startup.exe
Token: SeSystemProfilePrivilege	2388	startup.exe
Token: SeSystemtimePrivilege	2388	startup.exe
Token: SeProfSingleProcessPrivilege	2388	startup.exe
Token: SeIncBasePriorityPrivilege	2388	startup.exe
Token: SeCreatePagefilePrivilege	2388	startup.exe
Token: SeCreatePermanentPrivilege	2388	startup.exe
Token: SeBackupPrivilege	2388	startup.exe
Token: SeRestorePrivilege	2388	startup.exe
Token: SeShutdownPrivilege	2388	startup.exe
Token: SeDebugPrivilege	2388	startup.exe
Token: SeAuditPrivilege	2388	startup.exe
Token: SeSystemEnvironmentPrivilege	2388	startup.exe
Token: SeChangeNotifyPrivilege	2388	startup.exe
Token: SeRemoteShutdownPrivilege	2388	startup.exe
Token: SeUndockPrivilege	2388	startup.exe
Token: SeSyncAgentPrivilege	2388	startup.exe
Token: SeEnableDelegationPrivilege	2388	startup.exe
Token: SeManageVolumePrivilege	2388	startup.exe
Token: SeImpersonatePrivilege	2388	startup.exe
Token: SeCreateGlobalPrivilege	2388	startup.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe
Token: SeRestorePrivilege	8604	msiexec.exe
Token: SeTakeOwnershipPrivilege	8604	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2388	1536	startup.exe	73
PID 1536 wrote to memory of 2388	1536	startup.exe	73
PID 1536 wrote to memory of 2388	1536	startup.exe	73
PID 8604 wrote to memory of 8844	8604	msiexec.exe	78
PID 8604 wrote to memory of 8844	8604	msiexec.exe	78
PID 8604 wrote to memory of 8844	8604	msiexec.exe	78
PID 8604 wrote to memory of 2596	8604	msiexec.exe	79
PID 8604 wrote to memory of 2596	8604	msiexec.exe	79
PID 8604 wrote to memory of 2596	8604	msiexec.exe	79
PID 8604 wrote to memory of 1248	8604	msiexec.exe	80
PID 8604 wrote to memory of 1248	8604	msiexec.exe	80

C:\Users\Admin\AppData\Local\Temp\startup.exe
"C:\Users\Admin\AppData\Local\Temp\startup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\temp\3720A1D03EB1FE119A39A66D3AED4F00\startup.exe
  "C:\Windows\temp\3720A1D03EB1FE119A39A66D3AED4F00\startup.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\startup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 97E0C38A4B6A5FD6B886981DA26AEE17
  2⤵
  - Loads dropped DLL
  PID:8844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C35BB7570BB50C247909A55C9BB48A4 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding FDADC3FA89EB5ECDFBD6936D97B9C3DB E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\common.z

Filesize
12.3MB

MD5
a7c4a48a7ff7f604e1009fefccfc1c9a

SHA1
2f5988c7497cd07b07a0009f4ef29a9eb4bea0ce

SHA256
50356d53948bc8c4fad9b7bdb80da8196d30177e9df5bdafa6536bfb306048c2

SHA512
32e2987eaed8634bf1adbf408497d94ef6eb1d4281aad4211a4126a1cfd74e4b06cf2036fbccd905e5bbbbf497b0bea13931ab55ec9de896ee48cf52d105351c

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\corebasesx64.cab

Filesize
340KB

MD5
6135015a549a10d652169665ec922376

SHA1
8b43914a78a3d8aa3564a7cc9bc0e8e6a7c7b5ef

SHA256
dc7af838335b63cfd3ab05a2d4cdf2d81f18be47b4bd8afce9946ca76330d92a

SHA512
0a4695d8e211192d9b5147498768b3fef8a834bfcf2a7747e799f2c4932b637d0a0456f3eedb4fd9630523ed59071ee2c14a4ec7651ea7fc6a43d9fd2f79e520

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\coreproduct.z

Filesize
41.5MB

MD5
e07b2da2ddce539444ceb7b088acf9d9

SHA1
d2d169bc85bd87bb4bad74fee78e43c38d6e537f

SHA256
ffd8e83333cd5600703d8572ffd0b4ff86efb3855bf39daaf9211993f1ecf6e6

SHA512
56a7da56ee0699d30b6891b663ff4597532c9b7dea07d60e7efbda8c4ecf754db5f214181ade63e0a0220ae60d681e3b1132270f06ce9840872327c63cf571f6

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\coreproductgdpr.z

Filesize
95KB

MD5
2eb5a56ae9438651e403a2c257e7e354

SHA1
e410b4b15e57d219a44c84659e33af8ac00a6796

SHA256
1892f6303600f4b2a28aeaac78e15b341cee2d25da0fa51b714ea37ad12fc4b5

SHA512
36c4a2e26653a6a971c2af7771480e2ea1c36a284045e5057cc141e974dd0d71f8cd6adecdd5a42d4deb5754fec55e855ac6932682410df61b05ab2999c1447f

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\coreproductnogdpr.z

Filesize
91KB

MD5
c7e59794bc200e5a69bd5540ca1d5642

SHA1
60fa86ead86ad9f6f77b862da5e600a01e5680e6

SHA256
4db4b96ce3eda29e46c301adcc4d02f49f2bc7309dfe337218794b3f40a64eed

SHA512
8a3bef5dc4fc92ac55ed64ab52656a2e7768a78cb06a33d4c5da176546cc8a30e6d90cf1b839c57e4104ee9003e3244d358d61031ebcccbc5c26c00aec5e879d

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\coreproductx64.z

Filesize
8.8MB

MD5
a630026589e9ec5fb987f3d910cf1aee

SHA1
5c23d7835a6f6398087bcbfe474dcfb47d2125f8

SHA256
69719a7f165c74e6599f344de5d669e21f6a94ae3e414d765bcd7c079a6959b6

SHA512
69ac50497eea9f8006522317759153cc280d127a37732bf33807507e53941679dd54bf211c69d6468f0a730cfed28f920c35ca16cce54151425b714b25088501

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\esb-win7x64.cab

Filesize
1.2MB

MD5
6f3dee35174b39344b4fd0533c958282

SHA1
f741cce381bce286ac9b391a180aea5e952c688f

SHA256
87ae57a309460018aeec896be4db7c530c17841f6f596ead0d827c4d3b92d3cf

SHA512
b4f4a6da30bce68c9e85caed54f3565b431d43339a7b86c1faa77ce296430e947f5b9f3be0f7c1e999efe530974f83f57f9d54a3673822c6a837025bb18adc26

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\esb-win8x64.cab

Filesize
1.2MB

MD5
6d520e351eebecb490936711699970a4

SHA1
3999d65a49775221fac2b5f01290b85fdff7c5f7

SHA256
3cc94bad016663b94b1fe78a6aec62af40077635711df573bf94ac38cad31a16

SHA512
6b5da2ca5e3c0ebf09cfc5780abe41f4aa346fe73a4c148d2a8e3c9b0855d282ddb6010ee979562674c3f9f857a746b2a08625a9228b104f1ddcc566e3612c9d

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ipm.cab

Filesize
184KB

MD5
84237cbdf98a89d9bbded576682ffab7

SHA1
b12b50939867949ff066e58e8d16aca0d71a1633

SHA256
50d3acad2481c6aa901edb0b9672a4ce0739476a039ed1d95fd9444d9c5492ff

SHA512
02e0c072a45c08a19412ec023d45d1791ffb60561e1d2b699d861df27428b33766845c4634d80ec8cc631fa73a3d0e30bff7397d13442655e616ad03a56b959b

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\kdscrl.rdb

Filesize
3KB

MD5
79a78149e4ef2e6e09cc061338c7b151

SHA1
99505d2461a18f16d4d185603887c60e226347ee

SHA256
e6c0da20fc5d9eda24e4128faa5641f8b2d39951e0a0236c013e1f1efcbf83fd

SHA512
a3baf55b373b943f8f1c8840cdc2f02a94aed436c54fdcb8cf6eeac9b5840a5e1a11be0c70460da0c17f6fda1b01b87f4e2a688abb5ddeb7819301a1354d688e

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\kleaner.cab

Filesize
2.7MB

MD5
d1cc206b28b5668d7915a753b39a2c2d

SHA1
5f27b63d3213279a5e3d197fa7fd4e7cdaf24982

SHA256
37a7930ff4caa79508ad02c8d2fd1288b070d3f68728e489a4321ab128aa821f

SHA512
f4c97c8f0ea3b29525a0baf4c0b08b76613218f78438def2e8f89b9f5e054786af3d8611efa9c72da7e0a8d362ff87210f0bd234adcad59b8b08254389a11452

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde.cab

Filesize
3.3MB

MD5
5418c66fb9aa8b699ee1b17a4d55c3f1

SHA1
6f55b7af35a5c025f070e8eaae7df6582f5c880e

SHA256
2e0f85354c3de051973817d16b4e0a787f5e5ef7b678604fc77f5add398272ba

SHA512
3f6f8d7236c2421b4f48269c7dcc9d85898b2c9023e7f9f7b3c3f510a6fd569c379f5ce2ca46eafdfb4a3387dd770e66b5d5ab04fefb526cff427314d9b1334c

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde.msi

Filesize
10.9MB

MD5
1eaf6174e93104044b5d32f1aebfc4d0

SHA1
3ecff36153f26398e5868da04d58f753041f8b46

SHA256
af50722cbc007d86ed68c1180720a6e19196188e13a5f32f0153f0e5f08abc9b

SHA512
c1bc1a3e2a665115def7f8ae835536bae93ce2313ceb9e5ee4858964976d2b4dca5e591661c3ef57daf6dea6bbcf12e2572635032659a8f031a4a735e06d828c

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde_corebases.cab

Filesize
2.6MB

MD5
ab04b49547711bb40bd72f59f9bd936b

SHA1
7c3eec3765d358ce93bcee24e11ebb5cf0759753

SHA256
716730267543fe015c208d27bd741323e7b1bac1e6085a8cec02178550b19064

SHA512
5ce6f4f0bae01ce0c55343deb98fb0b000b72e5453fe10a5047c53021377c2df87f5db679ec8478ad889c80cb6795fce9b6f86f8b400c990c79c9950c445b1f1

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde_coreproduct.z

Filesize
25.5MB

MD5
bb85c9aa6f0d571102f397416a72de14

SHA1
aa59ff769accc32ebf5734fb4dd12e084743d163

SHA256
b19dc76906bbb5b7ab57db8fbbbcfcb3299c96a6ddc4776d27ecaedc8565c84c

SHA512
c7ddf493d58dc53e1de56e32e7acf1fd31f0ffe837aba9308284f128bbde00fafe462adad0522894188454feeabc10aa208806c3b9c0745d86dcca22f2c35c99

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde_coreproductgdpr.z

Filesize
45KB

MD5
4221d52fa6025cb5b40c22dc1686f509

SHA1
1bd8cf4c2c321c7ad1e16d49a5ce9b32ab92e1c2

SHA256
d4cd2d554dd0036e80111835b40646ce631a6c3ee2092c2760468d6f00578582

SHA512
89fb88e7ce6f2821ec3b0ed21f02949d9140fe759e1cfa263ff129a751a6a9b55b317c3aef012a1071d0d4c01256c97a92dfa4b7c58c6bc8f92fcddc914c266f

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde_coreproductnogdpr.z

Filesize
43KB

MD5
a114e2cc5bc9e8f29cb82a4b8a10a228

SHA1
973b2c39ef470f2dd2e1b305113718c67fa0b5be

SHA256
29e6ca86df711771ceda2a3dd1553d4cf957f7c3b856e93f266a6d01b0a4c70c

SHA512
33cdf87ca587abbe1c12da787c8c05128ab8bf15f47b7cb1f91445e4ba4c4fc853a764ef421248c0537ba0ba4fbfc7b87415629f75ca46ab7001bd0ad8ad8a69

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde_coreproductx64.z

Filesize
173KB

MD5
850c56e3ccf183c35f4d12517f9dd7e2

SHA1
e89976dad0cd7e012c8a99934c728d7361be8a1b

SHA256
85456f8e20e43317508390f0a290b5b1b3b8e5e128f7cb60f1cd70885004f9d2

SHA512
307c1e2792ebe6fe161876dc7a6ea00cba1f10620954e96aee75d5d9d26a5bc737dc79a6a131f3bd3a20298daa6bdb4ddbfd1a17b57352cccdf74b81a5e9cea4

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde_ipm.cab

Filesize
29KB

MD5
c56ea27a84e082b694cc6a53fababa6a

SHA1
76b516a12f5ec4f63f60876f017ba3aa67fd4501

SHA256
c27db797f4a72b9faafa77dc2e1542d54600b79defb5688bcf18585aaa0f8fa5

SHA512
8c902c0e75bcf8d8dde52e83c72973e205b3958de11b768468add7283a946c2afa3b6878c1ff1bb76629668fbe02dca1946c03b5e0e0dd74362a6cc3c8a2f4f2

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\ksde_x64.cab

Filesize
195KB

MD5
1857f03d7d1e6e0c3f8ed6f90dc0423a

SHA1
5a7de1eec2707d575aefb4a849ff1534c8f132e1

SHA256
9ce66e76c5bfdc9538db24d81cce80548fa030d14b1c3782ad00d4981c93f7e9

SHA512
c1d74e24e48798ba9b7801a5e0041daf39e20c534272ed185c5c03c121b1c3388f1137a125c1443d48e32c9e3526b71ac2d4c7b7c47e949801c72ee6e4d77117

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\product.cab

Filesize
7.8MB

MD5
64df9433f23c49b0478cf90c903697fd

SHA1
3af2209047510e3892d1a9310005c8f0cb52445d

SHA256
dfda364d6ed345be8a03fb5ba6e2d332bfb5597630c4c364f8fee69df662aa8c

SHA512
eda92aa6974691e13f73f656dd57c050e652f8b671798ce00e46f2382b0fa61a9d0ca0ae3e911b53f41709502756275fe4369925b6756f87fda7de8f100ab9c4

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\product.msi

Filesize
15.5MB

MD5
8614fe0253b4cd9722232036a97cca1e

SHA1
2ee3613df9845c08cc0b722e4703c92269f3ac51

SHA256
d901519bea648844a99e31e5cc1e27dd19d89f216078f5b8f66febe2772b6e4c

SHA512
6a0a739c984ce724eb5fe41d51190b267be820d6310578a41b0f303cfd79b23764c5c5c9505fd8ee4d3a341c3321792d9f4656339718a53cb3a2fc5454c05cd9

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\productbases.cab

Filesize
12.6MB

MD5
7cbec0e145a7c2c3850f4646ad295e62

SHA1
cf740647573806b12442287af666b6ed238a9c52

SHA256
0cbc4ad3776daf4ae2ae6095c9687d0f5dd267c9e35bb9c100e053790bce9241

SHA512
c62ba1ccf55b0ee2190fe17b4135cdb7a21ecd97dc88840b54ee3e5374299750c2ac2ed01bec515e0a62edcf09f9ded67398fba816514065035e8fed4c0d75d3

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\startup.bin

Filesize
4.4MB

MD5
be7d3a230fcb8af21b6d55d872a640ff

SHA1
a9a65961ac49c822f961494abfa630eb8e76c110

SHA256
4f6124516e0ee7ae39f71b71b2d40bf08696a40a7334496ffaaffd86ffc3cedc

SHA512
f93b4edcc61af25cbb34d0e2cf2cb231353c23e5c7d2d691a2599b5a3054c166c096130cdb05f11e685372f2de908fd7b220b0601903d577637276250adb7eb6

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\startup_m.bin

Filesize
4.4MB

MD5
621e841be8bd670f2133e9065acee22d

SHA1
c124f1e5c52c6be56d2fb45da4efc1ef105acf83

SHA256
3bea4a09d462aa1755d84667c172f659330dcbfaa49acaf98140615023c8ddec

SHA512
54f03ff25e0e7571234b110fed0038141d24f29dc7efc128613520691a5154d64b4a927f5f1550c3b163b1629a47f5e03885c9507aa1c876ac89c16f49f14447

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\startup_o.bin

Filesize
4.4MB

MD5
84724e36cfae87f06abaaf27ef2c0516

SHA1
0669d8c0f22e241bdebfc349cb2cbc1aad7f5ad7

SHA256
6c4fd2781c42b7788edf48019db6fa7a42414badf89bc11ec787aaec12fdede6

SHA512
842fe04cae2eb06c84c98ab0bb6e54c9e3336d942c3984c4bb1bc68800ce2538cf8b0d18780ad7420f1072cedada4176669859d6611eda3779cae87f6926fe80

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.17.7.539.0.146.0\x64.cab

Filesize
8.6MB

MD5
07c9f0777e76d0db24b497dd41587ead

SHA1
dca238063b147d663dafb7b2aaa53681fbf08cb7

SHA256
f85f3af978db1b501d84ecb3595156bb2ef55560e7e7ce5d556bb5fff431a811

SHA512
dad1dbd9dd35e7184d30d904957e7ab53eacdb7a7bb5ded1b8fd2101ab7381e4f636f24fb30db779837da9db34db426d0225cebee05164e461a9dc6ac77d04c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D68ADF9-1BE3-11EF-A993-6AD6A3DEF400\downloader_en-US-xnotgdpr.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B4A0C6C-1BE3-11EF-A993-6AD6A3DEF400\netcoredistr_6010_x86.z

Filesize
29.5MB

MD5
03ff30359ff064c6840910d360f4384e

SHA1
cf1cc90ab752a9f81113377152ca187993723eaa

SHA256
d3aa9586ea76a1c3d1a6705639903fadf5f9ed7cb44511d26f0616dd4c9947de

SHA512
8c6c2768b48c76f0694379fddec0a5230ee2c1681d22138b389149ada4a5d17d9fd4fc2c332b8a7127ac2237e9d118ae79555f4f5caef1a5a6866a5685375d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.ui.framework.uikit.b2c.dll

Filesize
631KB

MD5
445e34aa976419cae54e13ede8d41ce5

SHA1
98ca3ee808f97ae16970b0fcefd3387bd07278eb

SHA256
a255bb5dfaa685d7443dbc8bb7fca71417c8f0b1f617ade7077ee437a23a9b24

SHA512
86b4084cf781d4efbb814fce3ed6ca48addbf4c15c5ed3630673350cf65056a80e2a9bc00581a45ae370a64f0bc720d506622eccd9d7ef170814faab1cce14c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kl-install-2024-05-27-04-41-28_SAAS.21.17.7.539.log

Filesize
1KB

MD5
78c6f1472fd6ce267cbed578aa682a0c

SHA1
3166c97d94dddc24c144c54e5ccd801d78cfc87e

SHA256
604d2de3ed9ce23ade9de79ef7ba4962a3bc53a68332e88e642cfba43432f2a4

SHA512
63060b624663300c73a8c00dfd5d67c4026734bfe7518d46173a6dcb02baefe6b23be7a9b6f8cc37e8c0bc0424cda9c8ea0f1fc3a23c210cf3b0912b0d4350d5

Download Submit
C:\Windows\Installer\MSIA225.tmp

Filesize
2.4MB

MD5
ca2075b3d77c759f034d4c911632434a

SHA1
ef16eaa8ff61c3bc738b8367f7392aab7d2643ea

SHA256
3ad0b3bd73a326ec155c4f441da332394281aa83cb6af0ee20ce5f537df7fb5a

SHA512
a3a405f8884b644ba3972ec7c743485cb46e3ad54b7ea4deeb8cbf0b204e5dab924a4eaf9a0f79af16cd633ad169bcfa01ff790bbbb9c02f2b29ed4e4d436214

Download Submit
C:\Windows\Installer\MSIA6CB.tmp

Filesize
387KB

MD5
8d466ddf3c56f23fdc2092048d72ff9c

SHA1
ef52c7bffc600d19c9145dae3945fefa93d1fd51

SHA256
be4e6bc0ea54cdf516b5515fc49d6bad6421a348e1272d3c949ff7434758f14d

SHA512
31834233d1069e6c4bb864b23edd0946a49a9fcae25d793343656b0909bab4b9ca47de3ec698002bdfaeade667f1c6e5c546268ffb9ab4e4ebc05fbabd1cc3a9

Download Submit
C:\Windows\Installer\MSIB02B.tmp

Filesize
684KB

MD5
0ca3d2247d3e12432de156a305245066

SHA1
963ababe5168e198a760363b06be103e404384c6

SHA256
558e1b191c53ffe82f5635e4cc1ade7c0a91f2155f89dccd773d034eacb6c636

SHA512
3573c5b32cd48b7a0955b8249b63681786c851e6a386b62d3b94d96ee10cb2f854b0033e21f079bbeaab90ccbeddb294959d58a21ac06ac64f3f827f3bac3b0f

Download Submit
C:\Windows\Temp\3720A1D03EB1FE119A39A66D3AED4F00\startup.exe

Filesize
4.4MB

MD5
5008795ee2279d2454bccedf62e33592

SHA1
26f679abc0b7268af311458b042a9fdac258a955

SHA256
182133384c2326c5b7a57567e5cf0a529b8c19b20f413e6f20bd267262fb2ccc

SHA512
f4d458e4235d6d0b1d66f40eae12c9cc0a05a222ac3638f3872c73652b18c209e68cda322ee90c6334720b5061f17cf5be48487914e252dda45a5a235136c279

Download Submit
\Users\Admin\AppData\Local\Temp\1A26A970-1BE3-11EF-A993-6AD6A3DEF400\Cleaner\cleanapi.dll

Filesize
3.3MB

MD5
e3d171fc0705dab98060ddbe21447241

SHA1
ff65ade8efd78c00e8fa8021ea15731dfa485ee6

SHA256
1364700815eaa0fe7c733c81c675034072677c4776cdbce4bc3f7f4fdfe8d8eb

SHA512
551de6fb2e3bff1f9671c61265959a1450953ce0751bb82e315a5c577e240357d35c015f7ff996bd390f011db112b2b43ccaea909a423727bf02543829f564fd

Download Submit
\Users\Admin\AppData\Local\Temp\614E3AF9-1BE3-11EF-A993-6AD6A3DEF400\cbi.dll

Filesize
131KB

MD5
1dd503877a5191fb874d01e09f0944d4

SHA1
7609b3ea2db9b514cd6712d407d20bb76694efa6

SHA256
b356106de4c346c2d3dc4e91416c0c2d8f09549212b5cd0c7302a434f69538ad

SHA512
78c490f2ebf39b7e3d26238e6138995f39cb4c2c8f02f0e12673d0a29e8deb756bcc735b29f62cb707b844db75be4dcefd226c0c3792c1a70c8fc2e5fc602796

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.setup.ui.core.dll

Filesize
89KB

MD5
2c8f5ec07cb84d844e3fdee32b2a8e00

SHA1
2e27daffed27a7e6ee3adc50eef1710da318ca32

SHA256
8d5bd8184fbc3f79ea9edc2c25e1a5a935514518c3fba89bde308c06722375f9

SHA512
ef37109b456a68d55dee8a45340e25cb9901909b30f9f882f62060951bec20d838561dbe5ebe0480aa2feb668c6ffbb2137ed2f69cd3d6337c6f38cf395f6eca

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.setup.ui.dll

Filesize
278KB

MD5
1bebc399a1b31eabc3361169df0316d1

SHA1
56091143fafa680dc65dd5f2b5d6fafa94590041

SHA256
894914e74da8c8faf8bb9b34e0f9b586db3cb248c3f6edb715a7cb8c930dd66b

SHA512
d0d1fb7e23391a352f6bb3d5756dbbcd5a3558e0c477b265453931940a223dfa31cafe20232a9d08fbb127158bce325dd8b769e7bb62907be89019cd3f02f1ac

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.setup.ui.interoplayer.dll

Filesize
56KB

MD5
baf69d3c6977161e0c2b631b3f9958d4

SHA1
a1b2982c11811c4e5f6bce95f3072a855d11c369

SHA256
e6392d0cf3a5984034ca0b346476d7482243550ddd0c65a8c0ff2f03a15867bc

SHA512
2fb765d07638d239b666d4043f9ae75e91dc271ddf399dfe5bfd1c894bcabb95e6e965b478f5208687d9ebaa18cdafd6fc3400cd47694fd9db4ac30f3f1d5839

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.setup.ui.visuals.dll

Filesize
420KB

MD5
6181240bc579d2dfb176a1ca260f5a90

SHA1
eb13b6cd4a242c8399396795d1863954b8d79507

SHA256
b07c4d99d4cbb62b31a425e60c993b809c7043518a9ef0b7b561abd180a1b768

SHA512
f5bb4bdd05836c494a560dc9aa16d62d29b90df7c5854d4a97b8e274890dd1476de955637237867a666c1f08785f5dc06d571e023b124530ee87cf6fdb98689f

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.ui.framework.dll

Filesize
264KB

MD5
2ad2ab4f8517da8e2efdfed22ad49f1e

SHA1
55916e3e5c4c40cf2e5644fbad07baf31459673e

SHA256
6efe8efc6701c80d59ad33bd139aeca1b47a27f49d3ccc16ed01a49da9bfc2e7

SHA512
12800c7d475af627c98cecb6e6c2de8247094166126978e24bd8be3f7193828781e853ee10b3133c989d625f0e2860ce4551369d864748b70db4ec220c515bbd

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.ui.framework.localization.dll

Filesize
283KB

MD5
079ac68d4beb2ab9602d754b09ff652b

SHA1
90032834cc5cffd0b00119e4e38b5f4c5f877e4c

SHA256
9377c35b19c30ee75c010b1e592796daf1d3493b397ef9d61a1c63a5ab30a88e

SHA512
53782adc516950888ec69b21e744fe4d7f8567223e7c067e362800c78e3621dc148d5aa19f6011962bece1ada3691ef1ef40838a8072480c54aeedb2f4e0c9b9

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\kl.ui.framework.uikit.dll

Filesize
2.7MB

MD5
18defb1e3b7460f592a8ca61e4b40ff0

SHA1
8f8f7d7d1ee8a048d162603cc21a0f4c40b9036b

SHA256
02a884babc5584fec80b227eb1c52dc800c516f1117ff9637617ad84c632da9d

SHA512
7cbdc0c113a0c7ff9628674a8a23f4224290455d4a9a41a66889d01baf1f28b0175197c3078a791ecf6b2052c3fdfc35cf38cfae5bf5917bde80f82499d40b12

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\setup.dll

Filesize
5.7MB

MD5
76020092f060850f0ce7fb95ce43d11c

SHA1
1e643903623d936976b2e5ce08f437eeb02d7538

SHA256
55949efe1873e6c784470b8ce27247572b6fc82d441e06ed6bf91b220b1160c1

SHA512
96f3d2bb7adbd256fe9cc47ee62fc67de6a4906a06d205727727429f5e0c52da99b7cb10ed43f93a79ecdb8f41165a0bd2270e94794740393f55c3d6480d66b8

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\sharpvectorconverterswpf.dll

Filesize
137KB

MD5
a56a73b39703d5ff85b5cf12f9b00009

SHA1
e6448c87f969e19ae4c6514d69d8286d26a2b5db

SHA256
bb5966185017d904d2d7fd952bcc6d5c19fdf6bbbe34ab29c63a3784cd1074c7

SHA512
7fa07a1fcc0735186ee71b3c123b1c4076f04dba5ad319588ea695ef117ab7c39918593e4ee42f18cbd3fe01d043e896981ca6f07293fc2fb0a9bce5d66992b5

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\sharpvectorcore.dll

Filesize
201KB

MD5
24e3b7177eeabdf085a01796b49c8e55

SHA1
6916a0bb98892252f59692fd0405e6da62af0f8b

SHA256
eab963926cf2d62b575c6f33804372fea04db328b2b3f0adfb45fee3f27e5386

SHA512
5e377e609673f3d84e22d070012578b8a18fce848a3815d9da05e10043d3e9fde8070094d1841acb44a4f876d8741e371a5fbcc86cce80cdf826131370a41e64

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\sharpvectorcss.dll

Filesize
109KB

MD5
726d04bbe783a3510b18a491adac05c0

SHA1
11a01c68204dd80b32c01dcdb2e51f5b0ee34d98

SHA256
639e091c9e87986eaf9fe00f0f401834e14878ebc48084697fd4307713a065ca

SHA512
90592ddef83b6640cf8f28f0818098f95acc4139c7b3f5e8afa63bb873530be1613d42ee02dae12160737ee612187fc0139e19ee4a7f1abb3fec1fcaee1ae297

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\sharpvectordom.dll

Filesize
55KB

MD5
e4f6efef27708458ecda4ee22edf3cef

SHA1
07ccb5fa980dead816737ad83802cbfed18e4a4f

SHA256
413e485d8dd07231d70107d86ee1a17ce705517aed8346b4701747d1fdbfdfc3

SHA512
4920e508304df14041df1189938a1102e4a71e2e57ac4b9b804b6b0405c89c8292012a5ff4dae21268204ed6d9b56a279f4ce18d709074d1cba71cc9d5e11a1d

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\sharpvectormodel.dll

Filesize
998KB

MD5
225a73e5a0cf87453832b578db6daddb

SHA1
a36717a1b2c7eb2ba160fec5fa80e48b9e57c4ac

SHA256
0499708762c56b9339c980e731ffab294e9b18362af3dcb4ad4481f1c7bd60c1

SHA512
565ee2105bd626650857e0e6f9c8f7d87a68c3ec41923de119a3b710038a4785e16ccf79feb4c1c4f8a308f682163089228ac4ac81295cea754ae1189311c965

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\sharpvectorrenderingwpf.dll

Filesize
203KB

MD5
faec58e7785c287a7c688f274207048d

SHA1
66c038c720035b7212a7d3733da4520e3b95d63b

SHA256
4c76dd0441a8021a308be24cf0c1957bee280451abcc1467acf47f1a6f7f5dce

SHA512
9269a91a5bab01f076d8e9fde2991463fb224dc6382f8cde3a118e83cb35bdf580b4ea7686f2ea767a2a9c04650222edfc3a8b2569978b734c51b7135915448e

Download Submit
\Users\Admin\AppData\Local\Temp\8FDA86D03EB1FE119A39A66D3AED4F00\sharpvectorruntimewpf.dll

Filesize
69KB

MD5
0e203d24d04e89779638dd70d5335b39

SHA1
98ffc3718c6e34bd6d696bbcce605db666f99b01

SHA256
f15b5199850b8ed98d2202972ada759823a17893a68d60ca3a0f76ee31aeb204

SHA512
a07f54cce2add948340807b8ecf430e72c07032332046e5dd05d9da90f7d732921c0ff628592ff0710914ec9d9b7188b46377e1594a9f9809a107a022de1cfee

Download Submit
\Users\Admin\AppData\Local\Temp\{B1200BD7-2F71-401A-BC51-D25C9D9303E8}\product_info.dll

Filesize
269KB

MD5
8c54c9a5ef361e2e47519a83f9d344a1

SHA1
a489ca82b68954dd8230c78f2f155a2822b4fe33

SHA256
bd401169975aa5babe4858330feac645cb94fd613fb89dffe4ca2e09b963fde4

SHA512
da965fdec05b7330995282b700c38c32e0fb1651b49bb67cbe525c43fdfa9fd4ed330971f5cd5f0d37f29b66dab850a6d81636f3beff0ec7cb822a4936cd25cb

Download Submit
\Windows\Installer\MSIA176.tmp

Filesize
140KB

MD5
384cf5800c192575e21341023c7bd6f1

SHA1
88518d2603cd95f650f5cd28c1760960c35a5515

SHA256
2d7c1fb74efe47f69fd512a6b26aec3781904206f71e614aea8d9e920a58ef6d

SHA512
ddc262f9d3ae6baae53a8e08f2b95e6b00e1c88a6710e4d185276178dd44d541955d546f19e99a1ee82447a6bc3e07577d790a13857711aac6c164a7441400ab

Download Submit
memory/1536-2-0x0000000077B90000-0x0000000077BA0000-memory.dmp

Filesize
64KB

Download
memory/1536-0-0x0000000077B90000-0x0000000077BA0000-memory.dmp

Filesize
64KB

Download
memory/1536-1-0x0000000077B90000-0x0000000077BA0000-memory.dmp

Filesize
64KB

Download
memory/1536-3-0x0000000077A42000-0x0000000077A43000-memory.dmp

Filesize
4KB

Download
memory/2388-94-0x0000000008E60000-0x0000000008EA8000-memory.dmp

Filesize
288KB

Download
memory/2388-4343-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-462-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-4383-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-4384-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-4385-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-461-0x0000000072DBE000-0x0000000072DBF000-memory.dmp

Filesize
4KB

Download
memory/2388-341-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-340-0x000000000DCB0000-0x000000000DCB8000-memory.dmp

Filesize
32KB

Download
memory/2388-279-0x000000000E9B0000-0x000000000E9E8000-memory.dmp

Filesize
224KB

Download
memory/2388-263-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-228-0x0000000009DA0000-0x0000000009DB2000-memory.dmp

Filesize
72KB

Download
memory/2388-220-0x0000000009D30000-0x0000000009D4C000-memory.dmp

Filesize
112KB

Download
memory/2388-224-0x0000000009D50000-0x0000000009D5E000-memory.dmp

Filesize
56KB

Download
memory/2388-216-0x0000000009E10000-0x0000000009F0A000-memory.dmp

Filesize
1000KB

Download
memory/2388-212-0x0000000009A10000-0x0000000009A42000-memory.dmp

Filesize
200KB

Download
memory/2388-208-0x0000000009A60000-0x0000000009AF2000-memory.dmp

Filesize
584KB

Download
memory/2388-207-0x0000000009990000-0x00000000099B2000-memory.dmp

Filesize
136KB

Download
memory/2388-203-0x0000000009950000-0x0000000009984000-memory.dmp

Filesize
208KB

Download
memory/2388-152-0x0000000009730000-0x00000000097CE000-memory.dmp

Filesize
632KB

Download
memory/2388-133-0x0000000009530000-0x000000000959A000-memory.dmp

Filesize
424KB

Download
memory/2388-135-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-98-0x0000000009270000-0x0000000009530000-memory.dmp

Filesize
2.8MB

Download
memory/2388-90-0x0000000008AD0000-0x0000000008AE6000-memory.dmp

Filesize
88KB

Download
memory/2388-86-0x0000000008920000-0x0000000008962000-memory.dmp

Filesize
264KB

Download
memory/2388-58-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-57-0x0000000072DB0000-0x000000007349E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-56-0x0000000007EE0000-0x0000000007F26000-memory.dmp

Filesize
280KB

Download
memory/2388-46-0x0000000005180000-0x000000000518E000-memory.dmp

Filesize
56KB

Download
memory/2388-40-0x0000000072DBE000-0x0000000072DBF000-memory.dmp

Filesize
4KB

Download
memory/2388-7-0x0000000077B70000-0x0000000077B80000-memory.dmp

Filesize
64KB

Download
memory/2388-8-0x0000000077B70000-0x0000000077B80000-memory.dmp

Filesize
64KB

Download
memory/2388-10-0x0000000077A42000-0x0000000077A43000-memory.dmp

Filesize
4KB

Download
memory/2388-9-0x0000000077B70000-0x0000000077B80000-memory.dmp

Filesize
64KB

Download