653d46b5d17c5fd51248e6dde5adc57a5d7621299b7561cecf2479464da44efd

Resubmissions

12/06/2024, 04:57

240612-flpr1a1flp 6

12/06/2024, 04:52

240612-fhvtva1eqd 6

Analysis

max time kernel
132s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PingPlotter Professional 5.24.3.8913/pingplotter_install.exe
Size

21.4MB
MD5

ae2015bc36bb8a0b872d049430c622c2
SHA1

c11db0f26d3554dea55b601eecdc50f90eae785d
SHA256

3586e0620442b8dfe2ae80f14dd389c224a7b9db7e6b9b29779a5b3d28e4a47f
SHA512

85c3b9380c2a803bb2f3f64a667bc062f0ee786f9bc5d50f6ce5157055eae20c76f6c6ae3d0ead0a89f011925dd7bb8097d5c6014c2fb5b077cf5ff734cceaf0
SSDEEP

393216:SeHSB8FeRF1NDgVEoZM9m5boLMMzgO+8+X7gj/pIBibcqBKOCCtbP:YzXay9UoL5+RgjLRgEP

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	pingplotter_install.exe
File opened (read-only)	\??\T:	pingplotter_install.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	pingplotter_install.exe
File opened (read-only)	\??\N:	pingplotter_install.exe
File opened (read-only)	\??\O:	pingplotter_install.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	pingplotter_install.exe
File opened (read-only)	\??\M:	pingplotter_install.exe
File opened (read-only)	\??\V:	pingplotter_install.exe
File opened (read-only)	\??\Z:	pingplotter_install.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	pingplotter_install.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	pingplotter_install.exe
File opened (read-only)	\??\S:	pingplotter_install.exe
File opened (read-only)	\??\U:	pingplotter_install.exe
File opened (read-only)	\??\W:	pingplotter_install.exe
File opened (read-only)	\??\E:	pingplotter_install.exe
File opened (read-only)	\??\H:	pingplotter_install.exe
File opened (read-only)	\??\L:	pingplotter_install.exe
File opened (read-only)	\??\Q:	pingplotter_install.exe
File opened (read-only)	\??\X:	pingplotter_install.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	pingplotter_install.exe
File opened (read-only)	\??\G:	pingplotter_install.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	pingplotter_install.exe
File opened (read-only)	\??\Y:	pingplotter_install.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PingPlotter 5\Topshelf.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Alert Audio\buzzer.mp3	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Castle.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Cors.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.WebSockets.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Drawing.Primitives.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileSystemGlobbing.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Nito.Collections.Deque.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Extensions\RemoteAgentScript\remoteagent.meta.json	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.Formatters.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.Client.Managed.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.Debug.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\SsdpRadar.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Resources\Fonts\Roboto\Roboto-Medium.ttf	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.TagHelpers.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Authentication.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Dynamic.Runtime.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Xml.XDocument.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Security.Principal.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyModel.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.HttpOverrides.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Threading.Timer.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.Internal.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Routing.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\core.bundle	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.DependencyInjection.Abstractions.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Primitives.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.TypeConverter.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Threading.Channels.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Composite.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.FileProviders.Physical.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.ComponentModel.Annotations.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Security.SecureString.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Runtime.Extensions.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\x64\LiteHtmlLib.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.DiaSymReader.Native.x86.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Remotion.Linq.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.AppContext.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Reflection.Primitives.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\x86\e_sqlite3.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\mustache-netstandard.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\NJsonSchema.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.Bson.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Net.Sockets.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.SignalR.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\MsgPack.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\MessagePack.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Hosting.Abstractions.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Extensions\MOSColumn\moscolumn.js	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Net.WebSockets.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Cryptography.KeyDerivation.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.Extensions.Logging.Configuration.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Server.Kestrel.Https.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Resources\SplashBundles\action_alert.bundle	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\Microsoft.AspNetCore.Mvc.dll	msiexec.exe
File created	C:\Program Files (x86)\PingPlotter 5\System.Linq.Parallel.dll	msiexec.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1C1B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\f779c31.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1EE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI201B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f779c30.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D57.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI2F7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1DE6.tmp	msiexec.exe
File created	C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\ext.exe	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f779c30.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2386.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D78.tmp	msiexec.exe
File created	C:\Windows\Installer\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI24A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F8C.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f779c31.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CA9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E35.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2433.tmp	msiexec.exe
File created	C:\Windows\Installer\f779c33.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe

Executes dropped EXE 2 IoCs

pid	Process
1200	PingPlotter.exe
2280	PingPlotter.exe

Loads dropped DLL 24 IoCs

pid	Process
2188	pingplotter_install.exe
2188	pingplotter_install.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2304	MsiExec.exe
2288	MsiExec.exe
2288	MsiExec.exe
2288	MsiExec.exe
2288	MsiExec.exe
2288	MsiExec.exe
2304	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	PingPlotter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5	PingPlotter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools	PingPlotter.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Pingman Tools\PingPlotter 5	PingPlotter.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Pingman Tools\PingPlotter 5\License = adf0308de21a01c33fa810922e71ab091d65b164aa199d1fe9130850099dd63ad175cb374c608d1f3a89c24c2b4ac93e	PingPlotter.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\ = "open"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\ = "&Open PingPlotter Sample Set"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\ = "Pingman Tools.PingPlotter 5.pp2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\ = "PingPlotter Sample Set"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\ = "URL:PingPlotter Protocol Handler"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductName = "PingPlotter 5"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|PingPlotter 5\|PingPlotter.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\ = "&Open PingPlotter workspace"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\PackageName = "{5716629D-5364-4C67-9992-4C03A559A38F}.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BDE4C0E5F8F1D9E448B630CA83009281\6289AABC43D6FF44EAFB8E089FC1DAEC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\ = "open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\ = "PingPlotter Workspace"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\FirewallICMPforUDP = "PingPlotter5Main"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WebInterface = "PingPlotter5Main"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\WindowsService = "\x06"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" \"%1\""	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pp2\Pingman Tools.PingPlotter 5.pp2	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\pingplotter\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\DefaultIcon\ = "C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe,1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\ProductIcon = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\Pingman Tools.PingPlotter 5.ppws\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open\command\command = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Downloaded Installations\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\pingplotter\DefaultIcon	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|PingPlotter 5\|PingPlotter.exe\PingPlotter,Version="5.24.3.8913",Culture="neutral",ProcessorArchitecture="MSIL" = 5e00780078004e006a0064002c00790032003d0055006a0060004c00510066002b0032004c006b00500069006e00670050006c006f00740074006500720035004d00610069006e003e003700250067003300240058007e0037006000410051007a005e004e00750077002600330070002d0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\PackageCode = "D9266175463576C49929C4305A953AF8"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.ppws\DefaultIcon\ = "C:\\Windows\\Installer\\{CBAA9826-6D34-44FF-AEBF-E880F91CADCE}\\ext.exe,0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppws\ = "Pingman Tools.PingPlotter 5.ppws"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pingman Tools.PingPlotter 5.pp2\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pp2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pingplotter\shell\open\command\ = "\"C:\\Program Files (x86)\\PingPlotter 5\\PingPlotter.exe\" /url \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\PingPlotter5Main	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6289AABC43D6FF44EAFB8E089FC1DAEC\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6289AABC43D6FF44EAFB8E089FC1DAEC\Scripts = "PingPlotter5Main"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	pingplotter_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pingplotter_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pingplotter_install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pingplotter_install.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2964	msiexec.exe
2964	msiexec.exe
2304	MsiExec.exe
2288	MsiExec.exe
2288	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2188	pingplotter_install.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2188	pingplotter_install.exe
Token: SeIncreaseQuotaPrivilege	2188	pingplotter_install.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeCreateTokenPrivilege	2188	pingplotter_install.exe
Token: SeAssignPrimaryTokenPrivilege	2188	pingplotter_install.exe
Token: SeLockMemoryPrivilege	2188	pingplotter_install.exe
Token: SeIncreaseQuotaPrivilege	2188	pingplotter_install.exe
Token: SeMachineAccountPrivilege	2188	pingplotter_install.exe
Token: SeTcbPrivilege	2188	pingplotter_install.exe
Token: SeSecurityPrivilege	2188	pingplotter_install.exe
Token: SeTakeOwnershipPrivilege	2188	pingplotter_install.exe
Token: SeLoadDriverPrivilege	2188	pingplotter_install.exe
Token: SeSystemProfilePrivilege	2188	pingplotter_install.exe
Token: SeSystemtimePrivilege	2188	pingplotter_install.exe
Token: SeProfSingleProcessPrivilege	2188	pingplotter_install.exe
Token: SeIncBasePriorityPrivilege	2188	pingplotter_install.exe
Token: SeCreatePagefilePrivilege	2188	pingplotter_install.exe
Token: SeCreatePermanentPrivilege	2188	pingplotter_install.exe
Token: SeBackupPrivilege	2188	pingplotter_install.exe
Token: SeRestorePrivilege	2188	pingplotter_install.exe
Token: SeShutdownPrivilege	2188	pingplotter_install.exe
Token: SeDebugPrivilege	2188	pingplotter_install.exe
Token: SeAuditPrivilege	2188	pingplotter_install.exe
Token: SeSystemEnvironmentPrivilege	2188	pingplotter_install.exe
Token: SeChangeNotifyPrivilege	2188	pingplotter_install.exe
Token: SeRemoteShutdownPrivilege	2188	pingplotter_install.exe
Token: SeUndockPrivilege	2188	pingplotter_install.exe
Token: SeSyncAgentPrivilege	2188	pingplotter_install.exe
Token: SeEnableDelegationPrivilege	2188	pingplotter_install.exe
Token: SeManageVolumePrivilege	2188	pingplotter_install.exe
Token: SeImpersonatePrivilege	2188	pingplotter_install.exe
Token: SeCreateGlobalPrivilege	2188	pingplotter_install.exe
Token: SeCreateTokenPrivilege	2188	pingplotter_install.exe
Token: SeAssignPrimaryTokenPrivilege	2188	pingplotter_install.exe
Token: SeLockMemoryPrivilege	2188	pingplotter_install.exe
Token: SeIncreaseQuotaPrivilege	2188	pingplotter_install.exe
Token: SeMachineAccountPrivilege	2188	pingplotter_install.exe
Token: SeTcbPrivilege	2188	pingplotter_install.exe
Token: SeSecurityPrivilege	2188	pingplotter_install.exe
Token: SeTakeOwnershipPrivilege	2188	pingplotter_install.exe
Token: SeLoadDriverPrivilege	2188	pingplotter_install.exe
Token: SeSystemProfilePrivilege	2188	pingplotter_install.exe
Token: SeSystemtimePrivilege	2188	pingplotter_install.exe
Token: SeProfSingleProcessPrivilege	2188	pingplotter_install.exe
Token: SeIncBasePriorityPrivilege	2188	pingplotter_install.exe
Token: SeCreatePagefilePrivilege	2188	pingplotter_install.exe
Token: SeCreatePermanentPrivilege	2188	pingplotter_install.exe
Token: SeBackupPrivilege	2188	pingplotter_install.exe
Token: SeRestorePrivilege	2188	pingplotter_install.exe
Token: SeShutdownPrivilege	2188	pingplotter_install.exe
Token: SeDebugPrivilege	2188	pingplotter_install.exe
Token: SeAuditPrivilege	2188	pingplotter_install.exe
Token: SeSystemEnvironmentPrivilege	2188	pingplotter_install.exe
Token: SeChangeNotifyPrivilege	2188	pingplotter_install.exe
Token: SeRemoteShutdownPrivilege	2188	pingplotter_install.exe
Token: SeUndockPrivilege	2188	pingplotter_install.exe
Token: SeSyncAgentPrivilege	2188	pingplotter_install.exe
Token: SeEnableDelegationPrivilege	2188	pingplotter_install.exe
Token: SeManageVolumePrivilege	2188	pingplotter_install.exe
Token: SeImpersonatePrivilege	2188	pingplotter_install.exe
Token: SeCreateGlobalPrivilege	2188	pingplotter_install.exe
Token: SeCreateTokenPrivilege	2188	pingplotter_install.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2188	pingplotter_install.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1944	2964	msiexec.exe	29
PID 2964 wrote to memory of 1944	2964	msiexec.exe	29
PID 2964 wrote to memory of 1944	2964	msiexec.exe	29
PID 2964 wrote to memory of 1944	2964	msiexec.exe	29
PID 2964 wrote to memory of 1944	2964	msiexec.exe	29
PID 2964 wrote to memory of 1944	2964	msiexec.exe	29
PID 2964 wrote to memory of 1944	2964	msiexec.exe	29
PID 2964 wrote to memory of 2304	2964	msiexec.exe	35
PID 2964 wrote to memory of 2304	2964	msiexec.exe	35
PID 2964 wrote to memory of 2304	2964	msiexec.exe	35
PID 2964 wrote to memory of 2304	2964	msiexec.exe	35
PID 2964 wrote to memory of 2304	2964	msiexec.exe	35
PID 2964 wrote to memory of 2304	2964	msiexec.exe	35
PID 2964 wrote to memory of 2304	2964	msiexec.exe	35
PID 2964 wrote to memory of 2288	2964	msiexec.exe	36
PID 2964 wrote to memory of 2288	2964	msiexec.exe	36
PID 2964 wrote to memory of 2288	2964	msiexec.exe	36
PID 2964 wrote to memory of 2288	2964	msiexec.exe	36
PID 2964 wrote to memory of 2288	2964	msiexec.exe	36
PID 2964 wrote to memory of 2288	2964	msiexec.exe	36
PID 2964 wrote to memory of 2288	2964	msiexec.exe	36
PID 2288 wrote to memory of 1584	2288	MsiExec.exe	37
PID 2288 wrote to memory of 1584	2288	MsiExec.exe	37
PID 2288 wrote to memory of 1584	2288	MsiExec.exe	37
PID 2288 wrote to memory of 1584	2288	MsiExec.exe	37
PID 1584 wrote to memory of 1808	1584	cmd.exe	39
PID 1584 wrote to memory of 1808	1584	cmd.exe	39
PID 1584 wrote to memory of 1808	1584	cmd.exe	39
PID 1584 wrote to memory of 1808	1584	cmd.exe	39
PID 2288 wrote to memory of 2500	2288	MsiExec.exe	40
PID 2288 wrote to memory of 2500	2288	MsiExec.exe	40
PID 2288 wrote to memory of 2500	2288	MsiExec.exe	40
PID 2288 wrote to memory of 2500	2288	MsiExec.exe	40
PID 2288 wrote to memory of 2800	2288	MsiExec.exe	43
PID 2288 wrote to memory of 2800	2288	MsiExec.exe	43
PID 2288 wrote to memory of 2800	2288	MsiExec.exe	43
PID 2288 wrote to memory of 2800	2288	MsiExec.exe	43
PID 2964 wrote to memory of 1200	2964	msiexec.exe	45
PID 2964 wrote to memory of 1200	2964	msiexec.exe	45
PID 2964 wrote to memory of 1200	2964	msiexec.exe	45
PID 2964 wrote to memory of 2280	2964	msiexec.exe	47
PID 2964 wrote to memory of 2280	2964	msiexec.exe	47
PID 2964 wrote to memory of 2280	2964	msiexec.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe
"C:\Users\Admin\AppData\Local\Temp\PingPlotter Professional 5.24.3.8913\pingplotter_install.exe"
1⤵
- Enumerates connected drives
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A703E191B7F471631000DB965481D999 C
  2⤵
  - Loads dropped DLL
  PID:1944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A312B2E051A7AA8E51865620DBE9A529
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33F085D003894205F3850E2674B43CFC M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat"
    3⤵
    PID:2500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" /queue:1
    3⤵
    - Drops file in Windows directory
    PID:2800
- C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
  "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver initializeprofile quiet
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe
  "C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe" regserver quiet
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2008

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000318"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1352

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f779c32.rbs

Filesize
2.1MB

MD5
3c637802dcf530951126ee8b36d3e1e8

SHA1
1085952fd71150bab00cc8bd8d6bc5e0bcb8d994

SHA256
665d0915b162e95f286f55addfcff7cab9a69dac69db096b249fa3c4ca29a15a

SHA512
71a3ef668fa4706662ba338a467459859171abd4b3c7b6f1688f2540d3e3f484f05113158c5cc470f3790f40729d7aa8270563cd016ed4307d466f9b3bd931a6

Download Submit
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.DataGrid.Contrib.Wpf.dll

Filesize
87KB

MD5
9c43eb18df357b00aaf31b6684e57a53

SHA1
6de6fc5c23b5ef38eb2faab1eb643c3161c2e9f6

SHA256
abf2ec51aff791bee7580e77502a90b28aa034d2e729580e0d2b10d7ee296fd6

SHA512
fea50d9884aef63e24546d0947608fee8fb3aad6b0f8b5a02fdf5fead5564c2d8f16828fae1c182f1350b209a8a9b2e99201822957c36787b6ff36d266412309

Download Submit
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Docking.Wpf.dll

Filesize
677KB

MD5
b9d27fbdd161b1879aa1b5bf390b8114

SHA1
1e9ffc3fcefc25581fd726087c74d257c713ffe4

SHA256
3866414e85e128dd761a894b63befed29fded32788ab79087d0abc79335f17a4

SHA512
4af0057663f74f65af501ec45bed8cc75e225395b1acbd318220cd97eb28123b3b7290c34b865129edc20255c6876c58c25308ae1a458a97f5df285f5a2444c6

Download Submit
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Editors.Wpf.dll

Filesize
929KB

MD5
6f0e2870c72222d5989e9842d7d9e275

SHA1
9a847f1d5efe181c945c60bcfeeb43132db3f599

SHA256
b637f6e4c87ac32276f92c609ee71bb3d482b36d5516e383e5c52d8f615359e8

SHA512
ff99918d8a8510d70d250695a583deb91953f6db2abf2a71069a2d67932532977529d3a50ec012cd4547a03601cf8f5367592187768fe4d8aa5a80d8dacfda0d

Download Submit
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.PropertyGrid.Wpf.dll

Filesize
315KB

MD5
3e50933e28b0ac08f7158e3a783f6bf4

SHA1
2178728de734670785b749499e4cfda7e1e30f60

SHA256
7d0ee0f0aad53788758a43ccf295cad4b8e6afae6815f2a2800033b29b81c14a

SHA512
3324d40fdc9a82915b8323f5386d00361bea8ae42aa79fc85b4d9d95a087fbadfc557d9f77e34938ef4fdc8b04d0e6a9f24bbfca6569d981cf404626fb2eb7f6

Download Submit
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.Shared.Wpf.dll

Filesize
1.9MB

MD5
674447f18caace5e1163fb227e4cf08d

SHA1
62082108201e8be712cd52806a66503cf51fe714

SHA256
56dfde9007145d5f6ed21730ecbb5ac04e7c6bc1370fb317acb0e29bffaf5c84

SHA512
89fcdc36bd040a554a3bf8be205541914a00e0eed741eed066831d7564fa0f2ede717fb21d1e85e9503d9d262145d2fef837e37ed40087bb7386159fa5411bb8

Download Submit
C:\Program Files (x86)\PingPlotter 5\ActiproSoftware.SyntaxEditor.Wpf.dll

Filesize
1.1MB

MD5
855914201fde2285b71d87c05c4bbcc2

SHA1
8bc1bdbb97c2775c0399e9d0e90a036f41357a4c

SHA256
580a06e4ff57218280a92877d2b5def390b563c86a16366882cfee5d30951bd6

SHA512
7040fcb1fa29171f10e9a6400deae3283a078899eb21c969d9fde51136ab5002d2cc95ef9b37ea1647fd28c18df1f1776bd80d12b16703a9b15f2776d97b7fbb

Download Submit
C:\Program Files (x86)\PingPlotter 5\CoreLib.dll

Filesize
2.2MB

MD5
4f79b56c4bebf4683f731c2fa68126ce

SHA1
be502d11260c83f3bdb67279f796b137094248b6

SHA256
28130a2c33fd8ac4a915bd2a695b1160e61ad179136860675b42bbebc878bb63

SHA512
3384c07d2378e87d9e7e85f5db6af6bbfe804b559057339b04fda64e744344255da4d309a75efed9ec3246afbb852d4b4dde9baa7d2a783230f25a56d5f6294f

Download Submit
C:\Program Files (x86)\PingPlotter 5\NGraphics.Net.dll

Filesize
24KB

MD5
50f77484e5ebbab4178d226457277f61

SHA1
f9ce26a5dac69bc620481e76ff4bcaa44610b4f1

SHA256
76a4ee07ad63c27d6d95b9e0cc9a903563514e9b8fb51744646a19e00c3175a5

SHA512
f094291b6097608443d168d7cc5cd6a288f98f6bdb418e22d6f606ea2f54a6c6c166f13fedd827a79e8812d598e4fca1d59f50af17264f80e8dd3621856c77da

Download Submit
C:\Program Files (x86)\PingPlotter 5\NGraphics.WPF.dll

Filesize
25KB

MD5
c15a90b02588f3c2e92086d729268d9a

SHA1
f3917545b0d2f1784d6c677940e184a8bdf199d7

SHA256
64c10c0c8c7e80b8697d395f4c89622f5323d89a1b5ae5bb5c2436d2b614667e

SHA512
821986403f4c2d96413f3b2f81ff570198d4445f6cbb5fca38dc43ce4f2f6d7fd571cec70ef047e93e24f32b2069695435344523ff3390d40a6a400e71144407

Download Submit
C:\Program Files (x86)\PingPlotter 5\NGraphics.dll

Filesize
100KB

MD5
36896e5b8ff559857c870c8d60470d79

SHA1
8abe9941ec44d19b2f079fa66c118d60ecd75141

SHA256
57f963ae4825b02214ccae01276708613cdda30d74c50289972f4a16bea3d823

SHA512
ddbd19c34fe0b38958778cb8e01ec0daf22882a5db774f24d5fbaf3f18938f71f48b55d6b8ed1d31ac31086d416c65f3e410168c891295412a3d67cbbf781793

Download Submit
C:\Program Files (x86)\PingPlotter 5\NLog.dll

Filesize
608KB

MD5
a55e8da594924aff7aac9494c91a63d7

SHA1
d92135f1aab51978f26d8f879dbd4e5ffc71146c

SHA256
95d5e5a3d6b1a0175bfeef2c10106ad2bee646bc9063d8c3bfdb70f284060b34

SHA512
ce0fd4ca5a5ef5e6d6413d7f526110ea2b2473e2218915b65935441ffa51982e62512b8e658d39a2705aaa90a5171bd73fb73d410deda0b11c5c11c61a9f1be0

Download Submit
C:\Program Files (x86)\PingPlotter 5\Newtonsoft.Json.dll

Filesize
693KB

MD5
9ef8fb5c101ca8cdcb20af7e2188496f

SHA1
a4f3566d20fe9003a092ab1bced77f12016b9022

SHA256
ae8b84a5e656c0df5a58e365cf91c6eedcd85ff31f93bd5f21db6f1fe025ccd0

SHA512
271198207f107f29b374e188efa318c052827d696e2296dfb58120608edfd7110272338f3effbcb7d3db6e45e72dbb168e5ca90b59836436d9e50276756ae72e

Download Submit
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe

Filesize
2.9MB

MD5
aea6964efb6bfc8723f85e191c6db9b0

SHA1
f213e8ae0088838ae76d9d5841f9e9a2376c78a9

SHA256
89a3e51a67ef4684952ab912be4e9fd379b4cf46991d6c17c6e59d34f6ec5eac

SHA512
84a8587ccc35cdb2392f2de20a7323bf626bfdef0cc1ba6957273921aa8336086edd58689fac446e342d3ecb9f0a00e7dd2dbb2e5de223a5b6a42e75d845ab8a

Download Submit
C:\Program Files (x86)\PingPlotter 5\PingPlotter.exe.config

Filesize
27KB

MD5
928b8e104bc50973bad9150c577aaa64

SHA1
33eb7ed6547d26bbb8dbb087a45baf41292d01d2

SHA256
b42eb2bb81f89946449c5b27315afec9c87070ac01a6d0d1df91bd9d46702629

SHA512
3b8ac3ce5365b27c8156dfb1ccfeff4f8a0e3b10360c2e5639d3516f2b5aa3c2dc524ddbbd6e3d1941ae0d15f8867eb2e19a0df1c31d1872d25f7758c481cff2

Download Submit
C:\Program Files (x86)\PingPlotter 5\System.IO.dll

Filesize
15KB

MD5
ba3845f4986d242d62641e1f6e14caba

SHA1
9278fe4d60ed3462835a90c56bf187cadc35ddda

SHA256
ab5d0fa375fd11f411293552ffa7b127a62ecc7bef74c5c3a49cad629413e38b

SHA512
4ccc206b30208cf1ceef1e7341cf7f28e36f3ba90daff5051ee706841a1f30d49d654399c33b2d336d330789b76e5d3fac39d22d6d45d6d76a3ef643750a70cf

Download Submit
C:\Program Files (x86)\PingPlotter 5\System.Runtime.dll

Filesize
23KB

MD5
351865b759999ab60da018c38878662d

SHA1
2c6d09dfe7a95f78af5b27d0ffab491ca47dc2e5

SHA256
cfc8576cd3f50e93ead20e4a08cb1623e95cd928e5afcbaab9ad8ec1eba2528d

SHA512
7e329b5072fe7eb47871368a357643a4ec59576c0c7dfd2a48b671a33c9fb2fdf24198540ca283797ec2b274946c33f99d10d6b5aa5174872369aa5b58677f3b

Download Submit
C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.Dataflow.dll

Filesize
163KB

MD5
18dcf426a4822b80a52832439138e7f0

SHA1
270924f3bd1b1f7ac5efdd26e7a8eb922b584129

SHA256
be2c678b7e39d7af3e631a4b882302a38959b8736a114d9223720ab7d4077f5a

SHA512
5b7b6c327a8ff25703c8acbcbd9aa3398398fb51d68893ef938f64a7abeeb50cc9751f525f967b1346bb979a3122bf09ebaa444ad5b41f5deef824bf5c342870

Download Submit
C:\Program Files (x86)\PingPlotter 5\System.Threading.Tasks.dll

Filesize
16KB

MD5
e7120b5779730efb615235cf0107e386

SHA1
455ea9f216bbfcd1876f142d7a1b634fd85ef819

SHA256
ace34e85a2e954ed07ec11390cbdea7097ae4e56efd8b1bcef35788ce08c6777

SHA512
91f893b93d771eb1ac9b9f666561375da5c9a282bf778bca76489306f8aa398fd31bfa59eaeca2f1b1b16a598dc0f5cfa9d3f3d98b0a4cd2ec9fd5539bc3efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c49d43fe9e08ae84631925d5e6c6fc5

SHA1
e37a209cc10ac87e91ca96182fd2bf3732170833

SHA256
6561f3c13db1fd0dcf73df343499c7e149eef06001d578647586054329c3b3e5

SHA512
575e5853bbf588baf8fd7e01e8c83f7c7abc3db31bcd41b56bc67d18e46bf2fa459c953d20d99c80435847feb8affd7e6b7d069a8b412f251caaaac5f58df8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab35B5.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8436.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI85A1.tmp

Filesize
561KB

MD5
5576bf4d22dc695564e49a68cbc98bc2

SHA1
80e0e045162a65d84939e22a821ecbbbde3f31d6

SHA256
20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801

SHA512
4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar836B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxj4htisnt.tmp

Filesize
48B

MD5
b16a5fba3793c99536148b33a7304ab1

SHA1
e353837d75409bf40a3933a4a33cc4241c1989f4

SHA256
172a427175692aa038ff7c36ed654549aec085ad7931cde5452b7814f6cc1832

SHA512
6bdf135a6aaceeb9013c71369a648ee1f9a2f48c5308706c9cb7c331b58fb48f7648e6d2d68ad7fa31439599a66b371a1b81146637f87b9164052c4c055dfab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxj4htisnt.tmp

Filesize
48B

MD5
9e3a645eefcedc75fd12957ecee400a6

SHA1
3336d6e406ed53b4403557953b431517cfa871eb

SHA256
3c4499fadbddfa0adc98cd8a422018cf9ec5daec6ce23c64ea6c1eb0a1806c93

SHA512
507c9a7c2fec9eb57bcb8d60f03439440f52091dec99076ec7d92ef88e0edbd45c74f42fb8c425fd964ae0b2b41dc3a56bab60b0e8bf97edfdb317260ac48b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7185CD67-9B19-48BA-8AC5-F197A1F6DA5B}.bat

Filesize
104B

MD5
f6818e7ca5e3b67451c9e672aab6f176

SHA1
816b7e4c7d0e7f5a200c008f4b2fbab16401ad43

SHA256
748e284ad9f27b7067978564a0989f1dbe23fb0ac1750778e08267373f9601c2

SHA512
bfea7b7800b33f8431d4807954315a13f4e8f67cb8d72a0c3e23f15875688a0a96e872d5feb5a5ac4e4b0f30479b74b61cff026d8cde3ef3e417eee23830df96

Download Submit
C:\Windows\Installer\MSI1D07.tmp

Filesize
195KB

MD5
71c143221c4d2f06e495ee3f9e51a7f0

SHA1
44a3aa0ca190243d6f21becbd5b0c5e923426135

SHA256
8d245ef042215b0e9211692c7deaef442f4d46bd5323d74aa1bf25d676525bd9

SHA512
98a97a4f45cb70eb671ddc3c8d26a9a4c3d34745f0d1b6ee052a2080e1b4b3dac11303eb9a0c8d38e34df624edc28864e52f13e4d79bc16fe9223c5663372445

Download Submit
C:\Windows\Installer\MSI1DE6.tmp

Filesize
849KB

MD5
99dc199a4a390a86f2728f5232a2f9a6

SHA1
21b03b2dacbc5e19f3334054703ce53c8ba4a15f

SHA256
12b9deeb6e80129593bae1439bcbc491c6f602bfff255f72eba627100a54e2f9

SHA512
8ba930b0fb37257bbb0d5ea97bbb581ec7d545b737bdce03a78e713b3ad95a2f4b2b6d101817102763100edfe8e46f4532946a7bd3ac24d2142358ac26ec45db

Download Submit
C:\Windows\Installer\MSI1EE1.tmp

Filesize
409KB

MD5
e34827bf55cae867e83cc6122d25154a

SHA1
e513c23028532a6997692965765e235d42d96efa

SHA256
7f8ce80c53a7a4c3cecfbf497ee443538fd126a6e369b9930a3b021db548b55a

SHA512
506143a220f58c4236e4736f404c9421b9d5e0caaa21eff950953258ccf783de3534ea702e476acf565719964da6aeaeed787fca2d66c2b8ef5aa51c9b6e38d2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2D3A.tmp\DotNetChecker.dll

Filesize
84KB

MD5
f18364fa5084add86c6e73e457404f18

SHA1
6d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a

SHA256
39c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91

SHA512
716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2D3A.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Windows\Installer\MSI1D78.tmp

Filesize
196KB

MD5
94fa9ff9c26724e0b8ac910c1e7c40aa

SHA1
0cf47957200dec349d6b6da432e24165afd590eb

SHA256
adae076f90908818d67777c050c5b1b6cc94be728017bab6c638dfc7763d4d09

SHA512
becb8229e8ef77a673829c547d2520d6fec94218abf2a21e2948ae5c156bf4a1eb64bfec38653b49902bb31708d9cf770c38f042c1f869d4d4695313b2acfefb

Download Submit
memory/1200-562-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/1200-570-0x000000001B070000-0x000000001B10C000-memory.dmp

Filesize
624KB

Download
memory/1200-568-0x000000001B780000-0x000000001B832000-memory.dmp

Filesize
712KB

Download
memory/1200-566-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/1200-572-0x0000000000CE0000-0x0000000000D0C000-memory.dmp

Filesize
176KB

Download
memory/1200-559-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1200-573-0x0000000000D40000-0x0000000000D64000-memory.dmp

Filesize
144KB

Download
memory/1200-560-0x0000000000690000-0x00000000006AA000-memory.dmp

Filesize
104KB

Download
memory/1200-564-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/1200-555-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1200-553-0x00000000004B0000-0x00000000004CA000-memory.dmp

Filesize
104KB

Download
memory/1200-574-0x00000000011A0000-0x00000000011D2000-memory.dmp

Filesize
200KB

Download
memory/1200-551-0x000000001C0D0000-0x000000001C1E6000-memory.dmp

Filesize
1.1MB

Download
memory/1200-549-0x0000000000450000-0x00000000004A2000-memory.dmp

Filesize
328KB

Download
memory/1200-557-0x0000000000660000-0x000000000067C000-memory.dmp

Filesize
112KB

Download
memory/1200-545-0x000000001B4E0000-0x000000001B5CC000-memory.dmp

Filesize
944KB

Download
memory/1200-547-0x000000001BC70000-0x000000001BE4E000-memory.dmp

Filesize
1.9MB

Download
memory/1200-575-0x000000001C800000-0x000000001CE06000-memory.dmp

Filesize
6.0MB

Download
memory/1200-576-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/1200-578-0x000000001AC70000-0x000000001AC88000-memory.dmp

Filesize
96KB

Download
memory/1200-579-0x000000001B5D0000-0x000000001B61C000-memory.dmp

Filesize
304KB

Download
memory/1200-577-0x00000000011E0000-0x00000000011F6000-memory.dmp

Filesize
88KB

Download
memory/1200-582-0x000000001CED0000-0x000000001CEE2000-memory.dmp

Filesize
72KB

Download
memory/1200-581-0x000000001B840000-0x000000001B864000-memory.dmp

Filesize
144KB

Download
memory/1200-580-0x000000001CE10000-0x000000001CECA000-memory.dmp

Filesize
744KB

Download
memory/1200-585-0x000000001D360000-0x000000001D68E000-memory.dmp

Filesize
3.2MB

Download
memory/1200-543-0x0000000000DF0000-0x0000000000E9E000-memory.dmp

Filesize
696KB

Download
memory/1200-539-0x0000000001200000-0x00000000014F0000-memory.dmp

Filesize
2.9MB

Download
memory/1200-541-0x000000001B190000-0x000000001B3D2000-memory.dmp

Filesize
2.3MB

Download
memory/2280-605-0x000000001B530000-0x000000001B61C000-memory.dmp

Filesize
944KB

Download
memory/2280-607-0x000000001B290000-0x000000001B2E2000-memory.dmp

Filesize
328KB

Download
memory/2280-609-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/2280-608-0x000000001BE10000-0x000000001BF26000-memory.dmp

Filesize
1.1MB

Download
memory/2280-610-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2280-619-0x0000000000D70000-0x0000000000D9C000-memory.dmp

Filesize
176KB

Download
memory/2280-620-0x000000001AB00000-0x000000001AB24000-memory.dmp

Filesize
144KB

Download
memory/2280-618-0x000000001BFF0000-0x000000001C08C000-memory.dmp

Filesize
624KB

Download
memory/2280-617-0x000000001BF30000-0x000000001BFE2000-memory.dmp

Filesize
712KB

Download
memory/2280-616-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/2280-615-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/2280-614-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/2280-613-0x0000000000630000-0x000000000064A000-memory.dmp

Filesize
104KB

Download
memory/2280-612-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2280-611-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/2280-602-0x0000000001330000-0x0000000001620000-memory.dmp

Filesize
2.9MB

Download
memory/2280-606-0x000000001BC30000-0x000000001BE0E000-memory.dmp

Filesize
1.9MB

Download
memory/2280-621-0x000000001C460000-0x000000001C492000-memory.dmp

Filesize
200KB

Download
memory/2280-622-0x000000001C800000-0x000000001CE06000-memory.dmp

Filesize
6.0MB

Download
memory/2280-623-0x000000001B410000-0x000000001B422000-memory.dmp

Filesize
72KB

Download
memory/2280-627-0x000000001CE10000-0x000000001CECA000-memory.dmp

Filesize
744KB

Download
memory/2280-626-0x000000001C600000-0x000000001C64C000-memory.dmp

Filesize
304KB

Download
memory/2280-625-0x000000001C4A0000-0x000000001C4B8000-memory.dmp

Filesize
96KB

Download
memory/2280-629-0x000000001CED0000-0x000000001CEE2000-memory.dmp

Filesize
72KB

Download
memory/2280-628-0x000000001C650000-0x000000001C674000-memory.dmp

Filesize
144KB

Download
memory/2280-624-0x000000001B620000-0x000000001B636000-memory.dmp

Filesize
88KB

Download
memory/2280-632-0x000000001D190000-0x000000001D4BE000-memory.dmp

Filesize
3.2MB

Download
memory/2280-604-0x000000001AF00000-0x000000001AFAE000-memory.dmp

Filesize
696KB

Download
memory/2280-603-0x000000001B040000-0x000000001B282000-memory.dmp

Filesize
2.3MB

Download