Analysis
- max time kernel: 170s
- max time network: 158s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 29/06/2024, 18:16
Static task
- static1

Behavioral tasks
- behavioral1: sample setup.zip, resource win10-20240404-en
- behavioral2: sample __MACOSX/._setup.msi, resource win10-20240404-en
- behavioral3: sample setup.msi, resource win10-20240404-en

The __MACOSX/._setup.msi entry is the AppleDouble metadata file that macOS zip tooling stores next to each archived file; it is not a second installer and a task run on it says nothing about the payload. The signatures and process tree below belong to behavioral3 (setup.msi, the Target listed under General).
General
- Target: setup.msi
- Size: 4.2MB
- MD5: 83e54ade774631fd876d42db1aa9e2b5
- SHA1: 5d8628c67924bdb47cb4cb6553c548963248b82e
- SHA256: 172a2c8422fb92c9a1006e845d5c4712dd22e10a0ed0cc9480cf56aecd20ebf5
- SHA512: c1b1498a354a70c3ad7df38039242b8effd93b914e11d618083214fad851b8f76dc84662959ca03f17d5413d6d5d68f0db4e53a3121673bd5c1d3020a81ba03e
- SSDEEP: 49152:Qr/6PGYzLFoc25e6+f/87lPjgzixI+vGYRnAWNRWw5EQbhpP9gY0dB0lAwvI/oQt:DPG6L40iuWfCsFaUDxQI4
Malware Config
Signatures
- Blocklisted process makes network request (9 IoCs)
  flow | pid  | Process
  2    | 5080 | msiexec.exe
  4    | 5080 | msiexec.exe
  6    | 5080 | msiexec.exe
  25   | 3664 | MsiExec.exe
  27   | 3664 | MsiExec.exe
  29   | 3664 | MsiExec.exe
  31   | 3664 | MsiExec.exe
  33   | 3664 | MsiExec.exe
  58   | 4316 | MsiExec.exe
  PIDs 3664 and 4316 are the 32-bit custom-action servers (MsiExec.exe -Embedding ...) that the Installer service (PID 4620) spawned. Network traffic from those servers, together with the "Downloads MZ/PE file" signature and the *.part files written under C:\Program Files (x86)\Insec, indicates the package fetches at least part of its payload at install time instead of carrying it in the MSI.
- Downloads MZ/PE file (see the Downloads section at the end of the report)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A: (x2) | msiexec.exe
  File opened (read-only) | \??\B: (x2) | msiexec.exe
  File opened (read-only) | \??\E: (x2) | msiexec.exe
  File opened (read-only) | \??\G: (x2) | msiexec.exe
  File opened (read-only) | \??\H: (x2) | msiexec.exe
  File opened (read-only) | \??\I: (x2) | msiexec.exe
  File opened (read-only) | \??\J: (x2) | msiexec.exe
  File opened (read-only) | \??\K: (x2) | msiexec.exe
  File opened (read-only) | \??\L: (x2) | msiexec.exe
  File opened (read-only) | \??\M: (x2) | msiexec.exe
  File opened (read-only) | \??\N: (x2) | msiexec.exe
  File opened (read-only) | \??\O: (x2) | msiexec.exe
  File opened (read-only) | \??\P: (x2) | msiexec.exe
  File opened (read-only) | \??\Q: (x2) | msiexec.exe
  File opened (read-only) | \??\R: (x2) | msiexec.exe
  File opened (read-only) | \??\S: (x2) | msiexec.exe
  File opened (read-only) | \??\T: (x2) | msiexec.exe
  File opened (read-only) | \??\U: (x2) | msiexec.exe
  File opened (read-only) | \??\V: (x2) | msiexec.exe
  File opened (read-only) | \??\W: (x2) | msiexec.exe
  File opened (read-only) | \??\X: (x2) | msiexec.exe
  File opened (read-only) | \??\Y: (x2) | msiexec.exe
  File opened (read-only) | \??\Z: (x2) | msiexec.exe
  Every letter except C:, D: and F: is opened twice, always by msiexec.exe (the Installer client, PID 5080, and the Installer service, PID 4620, both carry this signature in the process tree). That is consistent with Windows Installer's own volume costing; the dropped executables are not the ones enumerating drives.
- Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_56B2A1FF8D0F5C5B4060FCF88A1654FE | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | MsiExec.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_56B2A1FF8D0F5C5B4060FCF88A1654FE | MsiExec.exe
  All twelve paths are CryptoAPI's network retrieval cache (CryptnetUrlCache\Content and \MetaData, written by cryptnet.dll for CRL, OCSP and certificate fetches) under the SYSTEM profile of the 32-bit WOW64 hive. They show that the 32-bit custom-action server ran as LocalSystem and validated certificate chains over the network (compare the WinTrust\Trust Providers\Software Publishing key it created under HKU\.DEFAULT below); they are a side effect of signature or TLS validation, not a persistence drop.
- Drops file in Program Files directory (16 IoCs)
  description | ioc | Process
  File created | C:\Program Files\InternetGuardian\uuid | InternetGuardian.exe
  File opened for modification | C:\Program Files\InternetGuardian\uuid | InternetGuardian.exe
  File created | C:\Program Files (x86)\Insec\tempinstaller.exe | MsiExec.exe
  File opened for modification | C:\Program Files (x86)\Insec\tempinstaller.exe | MsiExec.exe
  File created | C:\Program Files (x86)\Insec\InternetGuardian\installation_config.json.part | MsiExec.exe
  File opened for modification | C:\Program Files\InternetGuardian\iconfig.enc | tempinstaller.exe
  File created | C:\Program Files\InternetGuardian\installation_config.json | tempinstaller.exe
  File created | C:\Program Files\InternetGuardian\README.txt | tempinstaller.exe
  File created | C:\Program Files (x86)\Internet Guardian\Secure Downloader\readme.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Insec\InternetGuardian\iconfig.enc.part | MsiExec.exe
  File created | C:\Program Files (x86)\Insec\InternetGuardian\InternetGuardian.exe.part | MsiExec.exe
  File created | C:\Program Files (x86)\Insec\tempinstaller.exe.part | MsiExec.exe
  File created | C:\Program Files\InternetGuardian\iconfig.enc | tempinstaller.exe
  File created | C:\Program Files\InternetGuardian\InternetGuardian.exe | tempinstaller.exe
  File created | C:\Program Files (x86)\Insec\tempinstaller.exe | msiexec.exe
  File created | C:\Program Files (x86)\Insec\InternetGuardian\README.txt | msiexec.exe
  Read together with the process tree, this is a three-stage drop. The custom-action server (MsiExec.exe, the process that also makes the network requests) writes tempinstaller.exe, InternetGuardian.exe, iconfig.enc and installation_config.json as *.part files under C:\Program Files (x86)\Insec; the Installer service itself (msiexec.exe) only lays down readme.rtf and README.txt from the package; tempinstaller.exe then creates the final InternetGuardian.exe, iconfig.enc, installation_config.json and README.txt under C:\Program Files\InternetGuardian, and InternetGuardian.exe writes a uuid file beside them. C:\Program Files\InternetGuardian\ and the uuid file are the on-disk artefacts to hunt for; the .part staging directory may be gone by the time a host is examined.
- Drops file in Windows directory (16 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSIFD8B.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIFE38.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI1B7.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2D1.tmp | msiexec.exe
  File created | C:\Windows\Installer\e57fba8.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIFC52.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI525.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\e57fba6.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIFFEF.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{24FD4F57-704D-4827-BFFB-FA874ADA2AAC} | msiexec.exe
  File created | C:\Windows\Installer\e57fba6.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8D.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIFEC6.tmp | msiexec.exe
  These are all standard Windows Installer artefacts: the MSI*.tmp files are extracted custom-action binaries, e57fba6.msi / e57fba8.msi are the cached copies of the package that the service keeps for repair and uninstall, and SourceHash{24FD4F57-704D-4827-BFFB-FA874ADA2AAC} is keyed by the package's ProductCode (the same GUID appears in squished form as the Installer\Products key below). The cached .msi under C:\Windows\Installer is worth collecting from an affected host because it survives deletion of the original setup.msi.
- Executes dropped EXE (2 IoCs)
  pid  | Process
  1844 | tempinstaller.exe
  1672 | InternetGuardian.exe
- Loads dropped DLL (20 IoCs)
  pid  | Process     | loads
  4316 | MsiExec.exe | 2
  1204 | MsiExec.exe | 10
  3484 | MsiExec.exe | 7
  3664 | MsiExec.exe | 1
  All loads are by the 32-bit custom-action servers, i.e. the custom-action DLLs extracted from the package into C:\Windows\Installer\MSI*.tmp.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs; ATT&CK T1546.016)
  pid  | Process
  5080 | msiexec.exe
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All 64 entries are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and all are by svchost.exe. Device keys are abbreviated as:
  [A] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  [B] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  [C] Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000
  [D] CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  description | ioc | Process
  Key opened | [A]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
  Key opened | [B]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key opened | [A]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
  Key opened | [B]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
  Key opened | [B]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key opened | [A]\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
  Key value queried | [C]\DeviceDesc | svchost.exe
  Key value queried | [B]\Mfg | svchost.exe
  Key opened | [A]\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
  Key opened | [C]\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
  Key opened | [D]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
  Key value queried | [C]\CompatibleIDs | svchost.exe
  Key opened | [A]\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
  Key opened | [B]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
  Key opened | [C]\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
  Key opened | [A]\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
  Key value queried | [A]\Capabilities | svchost.exe
  Key opened | [A]\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
  Key opened | [B]\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
  Key opened | [D]\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
  Key opened | [C]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
  Key opened | [B]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
  Key opened | [B] | svchost.exe
  Key opened | [A]\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
  Key opened | [A]\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
  Key opened | [A]\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
  Key opened | [A] | svchost.exe
  Key opened | [C]\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
  Key value queried | [A]\DeviceDesc | svchost.exe
  Key opened | [A]\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
  Key value queried | [D]\HardwareID | svchost.exe
  Key opened | [D]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
  Key opened | [A]\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
  Key opened | [A]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
  Key opened | [D]\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
  Key opened | [C]\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
  Key opened | [D]\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
  Key opened | [B]\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
  Key opened | [A]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
  Key opened | [B]\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
  Key opened | [D]\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
  Key opened | [A]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
  Key opened | [D]\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
  Key opened | [C]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key opened | [A]\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key value queried | [A]\CompatibleIDs | svchost.exe
  Key opened | [A]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
  Key opened | [B]\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
  Key opened | [B]\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | svchost.exe
  Key opened | [A]\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
  Key value queried | [C]\HardwareID | svchost.exe
  Key opened | [B]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
  Key opened | [D]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
  Key opened | [C]\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
  Key opened | [C]\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
  Key opened | [C]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key value queried | [A]\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
  Key opened | [D]\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
  Key value queried | [C]\Mfg | svchost.exe
  Key value queried | [D]\CompatibleIDs | svchost.exe
  Key value queried | [C]\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
  Key opened | [A]\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
  Key opened | [A]\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key opened | [B]\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
  Caveat: the process behind all 64 reads is svchost.exe -k netsvcs -s DsmSvc (PID 2744 in the process tree), the Device Setup Manager service, not the sample or either dropped executable. The Ven_QEMU strings do show the analysis VM is a QEMU guest, but these reads are OS device-management housekeeping and are not evidence that the sample fingerprints its environment. Treat this signature as noise unless the same keys are read by tempinstaller.exe or InternetGuardian.exe.
- Modifies data under HKEY_USERS (23 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | MsiExec.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | MsiExec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | tempinstaller.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b | msiexec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | tempinstaller.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MsiExec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | tempinstaller.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | InternetGuardian.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | MsiExec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | tempinstaller.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | tempinstaller.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | tempinstaller.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | MsiExec.exe
  The ZoneMap (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect), Internet Settings\Connections and 5.0\Cache\*\CachePrefix writes are what WinINet/urlmon produce when they initialise for a profile that has never used them; under HKU\.DEFAULT that means the writing process runs in the SYSTEM context. They therefore tell you two things: MsiExec.exe, tempinstaller.exe and InternetGuardian.exe all loaded the WinINet network stack, and the two dropped executables ran as LocalSystem, not as the logged-on user. The LanguageList blob is a REG_MULTI_SZ in UTF-16LE reading "en-US", "en" (MUI cache housekeeping by the Installer, not a sample artefact).
- Modifies registry class (23 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList\Media | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\ProductName = "Secure Downloader" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\InstanceType = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E9DA32F946BB6043BCF835C22B7910A | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\PackageCode = "7B6D97C01CD10F941B653EC44B35C5AB" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\Version = "16777216" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\DeploymentFlags = "3" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\Assignment = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\Language = "1033" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\AdvertiseFlags = "388" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E9DA32F946BB6043BCF835C22B7910A\75F4DF42D4077284FBBFAF78A4ADA2CA | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList\PackageName = "setup.msi" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75F4DF42D4077284FBBFAF78A4ADA2CA\SourceList\Media\1 = ";" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75F4DF42D4077284FBBFAF78A4ADA2CA | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75F4DF42D4077284FBBFAF78A4ADA2CA\MainFeature | msiexec.exe
  This is the Installer service registering the product. The Products key name 75F4DF42D4077284FBBFAF78A4ADA2CA is the ProductCode {24FD4F57-704D-4827-BFFB-FA874ADA2AAC} in Windows Installer's "squished" form (the same GUID as the SourceHash file above), 0E9DA32F946BB6043BCF835C22B7910A is the squished UpgradeCode, Version 16777216 is 0x01000000, i.e. product version 1.0.0, and Language 1033 is en-US. ProductName "Secure Downloader" is the display name that will show up in the Uninstall list on an affected host.
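Because the Installer\Products and UpgradeCodes key names use the squished GUID while SourceHash{...} and the Uninstall key use the plain one, correlating the two is a recurring chore when hunting for an MSI-delivered payload. The following Python is an added example, not part of the Triage report and not code from the sample; it converts between the two forms, decodes the packed Version DWORD, and is fed the ProductCode, Products key, UpgradeCodes key and Version value shown above. The decoded UpgradeCode is computed by the code from the page's key name; no other values are assumed.

```python
r"""Convert Windows Installer 'squished' GUIDs back to ProductCode form.

The key names under HKLM\SOFTWARE\Classes\Installer\Products and \UpgradeCodes
are the product's GUIDs with braces and hyphens removed, the first three groups
reversed character by character, and each byte (hex pair) of the last two
groups reversed. Added example for this report; not the sample's own code."""
import re
import uuid


def _swap_bytes(hexstr: str) -> str:
    """Reverse every two-character hex pair: 'BFFB' -> 'FBBF'."""
    return "".join(hexstr[i:i + 2][::-1] for i in range(0, len(hexstr), 2))


def squish_guid(guid: str) -> str:
    """'{24FD4F57-704D-4827-BFFB-FA874ADA2AAC}' -> '75F4DF42D4077284FBBFAF78A4ADA2CA'."""
    a, b, c, d, e = str(uuid.UUID(guid)).upper().split("-")  # UUID() accepts braces
    return a[::-1] + b[::-1] + c[::-1] + _swap_bytes(d) + _swap_bytes(e)


def unsquish_guid(squished: str) -> str:
    """Inverse of squish_guid; returns the braced, upper-case GUID."""
    s = squished.upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"not a squished GUID: {squished!r}")
    groups = [s[0:8][::-1], s[8:12][::-1], s[12:16][::-1],
              _swap_bytes(s[16:20]), _swap_bytes(s[20:32])]
    return "{" + "-".join(groups) + "}"


def msi_version(packed: int) -> str:
    """Decode the Products\<key>\Version DWORD: major<<24 | minor<<16 | build."""
    return f"{packed >> 24}.{(packed >> 16) & 0xFF}.{packed & 0xFFFF}"


def product_record(products_key: str, upgrade_key: str, version: int) -> dict:
    """Tie the registry artefacts from a report back to the plain GUIDs a
    hunter will see in C:\\Windows\\Installer and the Uninstall key."""
    product_code = unsquish_guid(products_key)
    return {
        "ProductCode": product_code,
        "UpgradeCode": unsquish_guid(upgrade_key),
        "SourceHashFile": "SourceHash" + product_code,
        "Version": msi_version(version),
    }


if __name__ == "__main__":
    # Values copied from the report above.
    rec = product_record("75F4DF42D4077284FBBFAF78A4ADA2CA",
                         "0E9DA32F946BB6043BCF835C22B7910A", 16777216)
    for key, value in rec.items():
        print(f"{key}: {value}")
```

Run as-is it prints the ProductCode {24FD4F57-704D-4827-BFFB-FA874ADA2AAC}, which matches the SourceHash file name under C:\Windows\Installer, together with the decoded UpgradeCode and version 1.0.0; the same ProductCode is the key to look for under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall on a suspect host.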
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid  | Process
  1204 | MsiExec.exe (x2)
  4620 | msiexec.exe (x2)
  1672 | InternetGuardian.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 4620 | msiexec.exe (1 entry)
  Token: 63 entries | 5080 | msiexec.exe
  The 63 entries for PID 5080 are SeShutdownPrivilege and SeIncreaseQuotaPrivilege, followed by two complete passes over the 29 privileges below and the start of a third (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege), cut off by the report's 64-entry cap:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Requesting the whole privilege set in one sweep is the Windows Installer client (msiexec.exe /I) doing its normal setup before it hands the package to the service; neither tempinstaller.exe nor InternetGuardian.exe appears in this list, so the signature adds nothing against the dropped payload.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid  | Process
  5080 | msiexec.exe (x3)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 4620 wrote to memory of 4316 (x3) | 4620 | msiexec.exe | 74
  PID 4620 wrote to memory of 1204 (x3) | 4620 | msiexec.exe | 76
  PID 4620 wrote to memory of 4328 (x2) | 4620 | msiexec.exe | 81
  PID 4620 wrote to memory of 3484 (x3) | 4620 | msiexec.exe | 83
  PID 4620 wrote to memory of 3664 (x3) | 4620 | msiexec.exe | 84
  PID 4620 wrote to memory of 1844 (x2) | 4620 | msiexec.exe | 85
  PID 1844 wrote to memory of 1672 (x2) | 1844 | tempinstaller.exe | 86
  Every write here is a parent writing into a child it has just created (process start-up touches the child's memory), so the list doubles as the parent/child map of the run: the Installer service (4620) creates the four MsiExec.exe custom-action servers, srtasks.exe and tempinstaller.exe, and tempinstaller.exe creates InternetGuardian.exe. There is no write into an unrelated, pre-existing process, so this is not evidence of injection.
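When a report only gives these parent/child entries, it is useful to rebuild the tree programmatically and let a rule pick out what matters: processes that descend from the Installer service but are not Windows binaries. The Python below is an added example, not part of the Triage report and not the sample's code. Its input is the 18 "wrote to memory of" lines copied from above, and the PID-to-image map is taken from the Processes section; the rule "descends from msiexec.exe and lives outside C:\Windows" is my own hunting heuristic, not a Triage signature.

```python
r"""Rebuild a process tree from Triage 'wrote to memory of' entries and flag
non-Windows binaries spawned under the Windows Installer service.
Added example for this report; not the sample's or Triage's own code."""
import re
from typing import Dict, List

# Constructed sample input: the 18 entries from the report above. Triage emits
# one line per write, so parent->child pairs repeat.
WPM_LINES = """\
PID 4620 wrote to memory of 4316 4620 msiexec.exe 74
PID 4620 wrote to memory of 4316 4620 msiexec.exe 74
PID 4620 wrote to memory of 4316 4620 msiexec.exe 74
PID 4620 wrote to memory of 1204 4620 msiexec.exe 76
PID 4620 wrote to memory of 1204 4620 msiexec.exe 76
PID 4620 wrote to memory of 1204 4620 msiexec.exe 76
PID 4620 wrote to memory of 4328 4620 msiexec.exe 81
PID 4620 wrote to memory of 4328 4620 msiexec.exe 81
PID 4620 wrote to memory of 3484 4620 msiexec.exe 83
PID 4620 wrote to memory of 3484 4620 msiexec.exe 83
PID 4620 wrote to memory of 3484 4620 msiexec.exe 83
PID 4620 wrote to memory of 3664 4620 msiexec.exe 84
PID 4620 wrote to memory of 3664 4620 msiexec.exe 84
PID 4620 wrote to memory of 3664 4620 msiexec.exe 84
PID 4620 wrote to memory of 1844 4620 msiexec.exe 85
PID 4620 wrote to memory of 1844 4620 msiexec.exe 85
PID 1844 wrote to memory of 1672 1844 tempinstaller.exe 86
PID 1844 wrote to memory of 1672 1844 tempinstaller.exe 86
"""

# PID -> image path, taken from the Processes section of the report.
IMAGES: Dict[int, str] = {
    5080: r"C:\Windows\system32\msiexec.exe",
    4620: r"C:\Windows\system32\msiexec.exe",
    4316: r"C:\Windows\syswow64\MsiExec.exe",
    1204: r"C:\Windows\syswow64\MsiExec.exe",
    4328: r"C:\Windows\system32\srtasks.exe",
    3484: r"C:\Windows\syswow64\MsiExec.exe",
    3664: r"C:\Windows\syswow64\MsiExec.exe",
    1844: r"C:\Program Files (x86)\Insec\tempinstaller.exe",
    1672: r"C:\Program Files\InternetGuardian\InternetGuardian.exe",
}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <triage id>"
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_parents(text: str) -> Dict[int, int]:
    """Map child PID -> parent PID. Repeats collapse to one edge; a line whose
    two parent fields disagree is malformed and skipped."""
    parents: Dict[int, int] = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) != m.group(3):
            continue
        parents.setdefault(int(m.group(2)), int(m.group(1)))
    return parents


def ancestry(pid: int, parents: Dict[int, int]) -> List[int]:
    """PIDs from the tree root down to pid, e.g. [4620, 1844, 1672]."""
    chain, seen = [pid], {pid}
    while chain[0] in parents and parents[chain[0]] not in seen:
        chain.insert(0, parents[chain[0]])
        seen.add(chain[0])
    return chain


def is_windows_binary(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")


def installer_spawned_foreign(parents: Dict[int, int], images: Dict[int, str]) -> List[int]:
    """PIDs that descend from msiexec.exe but whose image is outside C:\\Windows:
    the dropped installers a hunter should pull and examine first."""
    hits = []
    for child in parents:
        root = images.get(ancestry(child, parents)[0], "").lower()
        if root.endswith("\\msiexec.exe") and not is_windows_binary(images.get(child, "")):
            hits.append(child)
    return sorted(hits)


def render_tree(parents: Dict[int, int], images: Dict[int, str]) -> str:
    """Indented tree, one process per line, roots first."""
    children: Dict[int, List[int]] = {}
    for child, parent in parents.items():
        children.setdefault(parent, []).append(child)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for root in sorted({p for p in parents.values() if p not in parents}):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parents = parse_parents(WPM_LINES)
    print(render_tree(parents, IMAGES))
    print("installer-spawned, non-Windows:", installer_spawned_foreign(parents, IMAGES))
```

On this report the rule returns PIDs 1672 and 1844 (InternetGuardian.exe and tempinstaller.exe) and leaves srtasks.exe and the MsiExec.exe servers alone; the ancestry of 1672 comes back as 4620 -> 1844 -> 1672, which is the same chain the Processes section shows.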
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
  In this run the VSS activity is vssvc.exe (PID 4144) starting alongside srtasks.exe ExecuteScopeRestorePoint (PID 4328, launched by the Installer service), which is how Windows Installer creates a System Restore point before an install. It is expected MSI behaviour here and not the snapshot-deletion pattern seen in ransomware; check the sample's own processes, not the service, before reading anything into this signature.
Processes

1. C:\Windows\system32\msiexec.exe  (PID 5080)
   command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
   - Blocklisted process makes network request
   - Enumerates connected drives
   - Event Triggered Execution: Installer Packages
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow

2. C:\Windows\system32\msiexec.exe  (PID 4620)
   command line: C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2.1 C:\Windows\syswow64\MsiExec.exe  (PID 4316)
       command line: C:\Windows\syswow64\MsiExec.exe -Embedding 13FEA94DE8285240C198F3C5C072F586 U
       - Blocklisted process makes network request
       - Loads dropped DLL

   2.2 C:\Windows\syswow64\MsiExec.exe  (PID 1204)
       command line: C:\Windows\syswow64\MsiExec.exe -Embedding 65E38137620041F3984570F431B70E66 C
       - Loads dropped DLL
       - Suspicious behavior: EnumeratesProcesses

   2.3 C:\Windows\system32\srtasks.exe  (PID 4328)
       command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

   2.4 C:\Windows\syswow64\MsiExec.exe  (PID 3484)
       command line: C:\Windows\syswow64\MsiExec.exe -Embedding E27715B6D549F28A09BA2EDC30C7FA00
       - Loads dropped DLL

   2.5 C:\Windows\syswow64\MsiExec.exe  (PID 3664)
       command line: C:\Windows\syswow64\MsiExec.exe -Embedding B509209C2EC78335B5CB7A1579030B2F E Global\MSI0000
       - Blocklisted process makes network request
       - Drops file in System32 directory
       - Drops file in Program Files directory
       - Loads dropped DLL
       - Modifies data under HKEY_USERS

   2.6 C:\Program Files (x86)\Insec\tempinstaller.exe  (PID 1844)
       command line: "C:\Program Files (x86)\Insec\tempinstaller.exe" Command Line
       - Drops file in Program Files directory
       - Executes dropped EXE
       - Modifies data under HKEY_USERS
       - Suspicious use of WriteProcessMemory

       2.6.1 C:\Program Files\InternetGuardian\InternetGuardian.exe  (PID 1672)
             command line: "C:\Program Files\InternetGuardian\InternetGuardian.exe" install
             - Drops file in Program Files directory
             - Executes dropped EXE
             - Modifies data under HKEY_USERS
             - Suspicious behavior: EnumeratesProcesses

3. C:\Windows\system32\vssvc.exe  (PID 4144)
   command line: C:\Windows\system32\vssvc.exe

4. C:\Windows\system32\svchost.exe  (PID 2744)
   command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
   - Checks SCSI registry key(s)
   - Modifies data under HKEY_USERS

Reading the tree: PID 5080 is the Installer client started for setup.msi, PID 4620 is the Windows Installer service (msiexec.exe /V), and the four MsiExec.exe -Embedding processes are the 32-bit custom-action servers it spawned. Only two images fall outside C:\Windows, tempinstaller.exe and InternetGuardian.exe, and both run from the service side of the tree. InternetGuardian.exe is started with an install argument, so the behaviour seen here is the payload registering itself; what it does on a subsequent start is not covered by this 170-second run. vssvc.exe and the DsmSvc svchost.exe are Windows services that woke up during the install, not children of the sample.
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 769KB
MD5 74f861a386bca774172672dcb0b0e4f4
SHA1 3f9c7eedc040b782a9501cd3666c233a6630c6ba
SHA256 77f9e42b7c18deece929c70ff8ebbfbb3b0062b274a12bdebc94cde94ca0df00
SHA512 468cc83ae32472b58e8d3c71d81b36a0d71ff03d02989f47176abbe784251912a3abaa82114f500159ca7fed4a6f98dfb088b1e2fff05215c5a82c86678c9719
-
Filesize 147B
MD5 5295346e4407544f638f594926c8937a
SHA1 57f96ef76d6bc64a009a9ec6452a9721d80f91dd
SHA256 f3b237b037a53c7986eab18ac4bbf8b8110c5773eef200cbcdb4c96e92f2792e
SHA512 8a865d8b1b0ba8061d90a507d62cba9ce35af036524cd7ff2395c8a0f979ba907a61480f96c716ca14411a412ee8d1fcf79085c8f83c06b8f1b567475269f2ac
-
Filesize 16B
MD5 396a420a4586053fcb9d0ab0857ff5f9
SHA1 5174c6b3bbe8243656e1d97dec5f44e41c453722
SHA256 dec4b8f8a4a7151f955e3ad8aaa90ed98b0dff6954a452962fd220ae4c94afc2
SHA512 43e808d132c077b97f84821a52b724cc132fdd696ec5e1588828e42d723c142ffeae36cb6ca09064a221f7a29236f5a882a28cf2c1a80e3fdc6a37957fc7be1d
-
Filesize 335B
MD5 479292d3957df6daa5b456686b7f3db1
SHA1 ecd29ce573d8d0375aa13caf68a451959cf90f1c
SHA256 ce28da956c98cd3ae0b0f7737305a0fa96ade80fedc3cfe7f495cb37d1e8d048
SHA512 133f75d1e35ca7147f5a99cb6282178fe8c5b9d31a6f9256a2b96b7dadd5024a5209cad764da93f9192514767fb3d6b8b2abd492cc30a2f7399132ed2edaaf29
-
Filesize 7KB
MD5 9972f919358962eabe294af775eed43a
SHA1 c572db540bd34cccc2aa3aa74cfe301ad7c2ce20
SHA256 bb7859ec94678bf42a01ddd0f59388ffa75ed9701f158e5288bfab9949980cc1
SHA512 d0fe9a930ced426d34824d80203cac63122ea9fcdb0f55c834dfd8626b23160a69b4b68c0c8422a033bf77e91328fab2510c91b6bee05566dc0c774456de3283
-
Filesize 21.9MB
MD5 ca8f7b881c167189fc780b279394f007
SHA1 dd682883a493d453637f6f460dd27adf9865e2ac
SHA256 443e8c36a2b0838c5fb7903ded84b23f5b19b6377b905e83efb7f1483177969e
SHA512 e78ed722939620b9d0b4731d99b95161a4b70fe50c733e9b50a146678d317ccec460756f7d0604d2b6fc2687c63c23614af4d4974813bcc2e774fced492f4fd4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize 765B
MD5 ba3d357dbe4f13a772b433ed0addb038
SHA1 64333c9173199151fb56f8f7d3710dd035582b1e
SHA256 a614f9564a37f2d1a8389b1ef6c133b1e8660017c8bc89b3b6634e4845f4b3ed
SHA512 7f5d828152bd5674192bf78b553e5f7fe6f81dbaff0d976c17f3c639f341b7cb64e107b3141919aab79c6112088d61fe89b01e1c558458afe5af97b7515a1722
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_F3543FA39F5B690A02B6B906948BAED0
Filesize 638B
MD5 a38514391d6b5d4d094c11e7396f5b71
SHA1 2a3daea8d1f0a439e572d31dc517ef7c385e6f89
SHA256 32b07251823d83f49c3b8dc0b1dbcf6508981088467d0b632f401381e0043e27
SHA512 d6ab531f6ea53a8e430419c8236605a092fa7d64f60b18c2167d497d3b993edc12ecc17e707605967af7afdc905a7b6fa1e9c66e65111bff99f06a04dda8d538
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize 1KB
MD5 135b24da73e2fcd2b5ec4e90b96c0504
SHA1 828bc9243f97848bf431c6f5e57b667e45399de8
SHA256 541554c40629d298ba4cf9e3691946804882ea13df2e4848ca43a7934bcab289
SHA512 34da98e8c9ee5927ab022c869b0ca01cc1186f1471c6911d06cf39d34cb100f781926c7360a029c7f9b64e5afff00c33cbba521ef3133ed9ea94d9b469e4c691
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize 484B
MD5 f23362b6d89c425c046889d70df61afa
SHA1 6ca30b3f44d76ccf9958babf91bbfbf1cd4fd333
SHA256 10d5e3124d0184158e229d6bc9eff898bc10014d0089f5b3067c787b3f816a14
SHA512 673b71104669e1eb19e5dcff0f078b2a172416baf53c2a31b509d6bea70bd1c79a8c2b1d2439acc942bf82c78e995180da47c1f82ba5ae879d3ff0f7d85b0735
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_F3543FA39F5B690A02B6B906948BAED0
Filesize 476B
MD5 dc9f2ead2ab5abb5c94c7fcb31a3edf2
SHA1 992e3500642a15daecdc8233e9dab59342c87fbc
SHA256 3fc8ae87c416d58b1037d19bd7366b73b575552079166c22fc7461006ceeeca0
SHA512 63482274f4df25f87a695594b48f80b924f0dd8c43b4d0795ae5e5114bb2937072e07c9a3855bd680e2025f17acc3f6cd69c2f8e561712fb73b999cb0d1d9063
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize 482B
MD5 82c5b72aeedff300eccb4dcb7881169e
SHA1 435f24f8d2b6a3634a088f181d46a11de3796724
SHA256 9872d2c2f164ef25c6f0b9885f6c23c06b255df09f79ae9e9bb37a4d9054374a
SHA512 0d6cb317165f461d812d10c0b120497607068d3818ce3b106495832c73657b89d782796f72b15eaadc1e6a72f99b15027c156fefa9fd08c0afc74922e8f19cde
-
Filesize 84B
MD5 e342393cd78ccf8df63cafbdaaba75b6
SHA1 2007cc312349c5cea05db974b7b77eaad7eabdab
SHA256 23850e88dd9abb5f7214bb108cdaf82b4cded2ce9e0a252d56cafe1e4350b1b3
SHA512 eb693291f7cd186b44d40ab35b301c71027acf03501e975a369289a176b3a5ea8bf2375de2c464dcf82cfc0d3adbc967b50054269171ee386f48ea8bdd367de3
-
C:\Users\Admin\AppData\Local\AdvinstAnalytics\665dd79920a59ade4c2aa809\1.0.0\{30BD4FB3-AEE5-41D1-884B-B4B24893CECF}.session
Filesize 32KB
MD5 323a96512014be7127b612e0dc6da28f
SHA1 dc22c26b9ed9043e287d560e4e9f02f9081fe000
SHA256 7e1843489728aa8a64b3594e4b2adee1e8ace7b7d9c35f9cb577d31e11af19f2
SHA512 a5b578c2d6614dc2209a9f267c67256fcbb7352385ef9c48352507c69f6af9de4b976813c5573736d996a0a514d0a5292a4bde356be98a3b2d940c312e1ab5f8
-
C:\Users\Admin\AppData\Local\AdvinstAnalytics\665dd79920a59ade4c2aa809\1.0.0\{30BD4FB3-AEE5-41D1-884B-B4B24893CECF}.session
Filesize 37KB
MD5 9d31e97dc6512ec255eed1130fdbde48
SHA1 4980c9a6cfc038845660a216ec148898ccc3ea6e
SHA256 31d3b0290952d8c71a29e435cd19918fc3980ab83d49f9e015fb27c08488a288
SHA512 087664c35097eebf5a6ed85297c4ec4f376110a028162de6b26c514f26a99365a030406134a78c0b35b45638e1fa72325b9478da472b92f4df648393a0f60453
-
C:\Users\Admin\AppData\Local\AdvinstAnalytics\665dd79920a59ade4c2aa809\1.0.0\{30BD4FB3-AEE5-41D1-884B-B4B24893CECF}.session
Filesize 38KB
MD5 b62d7ab2d983778218310a275167b735
SHA1 fe78c9974912146986f1d052d3220293ecf66248
SHA256 1789a52c4847ff95ee266cf4319c1ef72f4ec30827d934aa07d43e22f77a3bdd
SHA512 2c8c179b28fd4ce92634cc4d47bb2e09b04fc4dc029ef4c0b710c7eeb4f74ee078b863e4750cd8344c618043cf8c873044869829e3caf4b3b28af8a13f5d070e
-
C:\Users\Admin\AppData\Local\AdvinstAnalytics\665dd79920a59ade4c2aa809\1.0.0\{30BD4FB3-AEE5-41D1-884B-B4B24893CECF}.session
Filesize 32KB
MD5 ce12b7a50ebaa04296bcf2588907a567
SHA1 141771585bd2afa58d04c4c1427b1a3683c651a9
SHA256 e58d1f532c022baaba6f296a3c5ca9f7ce520d94921154b69f39b1d2bd04359b
SHA512 fcb379ad02dabeda402220b98778482b0b1ba92d7110f68584cfd1fae88a281c6905beaef86a449a597376e70f269a07f1c440b3d95009a5560ca1e2ca571464
-
Filesize 23KB
MD5 b2e5eade81a1533ad7ff4a2f7076fbec
SHA1 83cc87b7e788a1b5ae33e8eab06af217df64f89c
SHA256 cebcf964d9cec015f96d1b712a1ae681ba659d15dbaa73bdd190ef97d09b6fb8
SHA512 b181b3b477227fb806a1dea384cfc2eca60f90c1e6cc88f25f2c67566118cca6ba23358d3659f33859baf0bff23d9bd471c51d0e151e2b398ba2d89eb9601c7e
-
Filesize 738KB
MD5 ee45c6dffaf86ed2a76d8f969c390c08
SHA1 ff5b2942ffa7d28ed3f72208e8e76391b2991b5a
SHA256 118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca
SHA512 a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664
-
Filesize 760KB
MD5 8902a6ac2a5960c78853e3c2f3f8f03c
SHA1 96a68b4a47d95ef809aa477e1f1cec1fa2af726d
SHA256 7c8e0dd0a2f919d0d77d0f64a90c75d41e352c4282bed57226cf2e901ff273ef
SHA512 d5f661f89df9ed67f84347c90c4e18ed3c9f78b838a3ec35eea24cb9ff839a9a36b9a6cc41193fe00a0076f7cfecb7bd3cb119301ab43f80613f114630bc155e
-
Filesize 4.2MB
MD5 83e54ade774631fd876d42db1aa9e2b5
SHA1 5d8628c67924bdb47cb4cb6553c548963248b82e
SHA256 172a2c8422fb92c9a1006e845d5c4712dd22e10a0ed0cc9480cf56aecd20ebf5
SHA512 c1b1498a354a70c3ad7df38039242b8effd93b914e11d618083214fad851b8f76dc84662959ca03f17d5413d6d5d68f0db4e53a3121673bd5c1d3020a81ba03e
-
Filesize 26.0MB
MD5 a370b35039dca6c077fd519e581117ed
SHA1 9be2ca282c399083cd453d0d5c2ce79ab7167776
SHA256 8574ce6fc95729303721b0f4ca4da04254e30ea424b36226fc30eed75a3ef3c2
SHA512 63278f2d3fe956a20a1119fa1b9b431c974eff2e21afb6221465c9c0541ffeb8bd7e9b1ffe25d07c9ee078762f7afb3298cd7213cd9c375a0908c7f2c0073a19
-
\??\Volume{38fc2686-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c2e7e59b-f92e-415a-b973-068c02b0601e}_OnDiskSnapshotProp
Filesize 5KB
MD5 4bc113254ff56212d1a727565859e1bc
SHA1 df4dc7e78c267d5f4cd1957c9c6c960a692bfe25
SHA256 5607a7aa4a4df19ad67b33b7fc324f2d1436bbe74f154381e310bc8b9ba982b3
SHA512 8acfa1f8fee67a3dac7bf4d67a6142be416d84be017f9f7e3626888d76aabd4bcab269f631886bdc725aa4fad0e6d6084a7c306d0b9d5ffc65a4b4b1c5dbc377
-
Filesize 1.1MB
MD5 653aeab3f1eec2a35e9c45846bb9de3a
SHA1 63276d320f031e4a3b6e25d2e008254934f22fe5
SHA256 2b095b7abdaec9aed2c6d9bfa8093da6d09be95eba4f9402ab043ba886a82ef9
SHA512 6d7b6bb757f909132af0ce29f5e4627d6febb39aae9d86647c9c1d6b267b4fe18d19fdc1d439631c698a41a14de38ca00b99ab78a9d8a90d092687d5d83ee95c
-
Filesize 1.1MB
MD5 e6d26b10972bc3b58ccd535e1278cc32
SHA1 10996e7f0b267e7f0c6843f9860bc7da89e5d2c2
SHA256 3dbb46ee1950b828c53f2c5dee3371559327f8c6932e549c3543eaf16846a5de
SHA512 530836aef2da9287a08cfebfcb195cfd986ee6a8265e84fe372fb17e58a7b37814e529f49ef22bf204c860a1e451be78213d51a60356f501cf44ff10c0482eb9