fatalrat | 9005cc0bc07d213f5691fe31f65b686b6f73a66b1117c2020941c44d53c88df9

Analysis

max time kernel
331s
max time network
1190s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-07-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b6f99.msi
Size

9.2MB
MD5

99606454c555b45ccf7d94e9ecd73cee
SHA1

5f90e81883ffe92fe903b2150c2690eedc2bbed4
SHA256

9005cc0bc07d213f5691fe31f65b686b6f73a66b1117c2020941c44d53c88df9
SHA512

cbde49abf9744fb0eff5e09439f030caf166f717cb25bda41a361cb020a86abefc7becee1f8dbd8a0977dce328dc606a2e63d6a17ad1deb276b6fd6d2dde92e8
SSDEEP

196608:CWxLkNZONktVDrKfuNL2WO/2eCr4hUQQAcLdu9FtVy7QGO8m:CELkNZONk7r7AW2ichTQTiUg

Score

10^/10

fatalrat bootkit infostealer persistence privilege_escalation rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/4620-279-0x0000000002ED0000-0x0000000002EFA000-memory.dmp	fatalrat
behavioral1/memory/1388-302-0x0000000002A40000-0x0000000002A6A000-memory.dmp	fatalrat

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ac7c-230.dat	upx
behavioral1/memory/3508-231-0x0000000001030000-0x00000000015D3000-memory.dmp	upx
behavioral1/memory/3508-310-0x0000000001030000-0x00000000015D3000-memory.dmp	upx
behavioral1/memory/3508-318-0x0000000001030000-0x00000000015D3000-memory.dmp	upx
behavioral1/memory/3508-319-0x0000000001030000-0x00000000015D3000-memory.dmp	upx
behavioral1/memory/3508-322-0x0000000001030000-0x00000000015D3000-memory.dmp	upx
behavioral1/memory/3508-336-0x0000000001030000-0x00000000015D3000-memory.dmp	upx
behavioral1/memory/3508-339-0x0000000001030000-0x00000000015D3000-memory.dmp	upx
behavioral1/memory/3508-340-0x0000000001030000-0x00000000015D3000-memory.dmp	upx

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	3836	msiexec.exe
4	3836	msiexec.exe
9	3836	msiexec.exe
11	3836	msiexec.exe
26	600	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WPS.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA79C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADD6.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a604.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABBA.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC68.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA77C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA879.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAACD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB5B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5379F1F6-582A-4EEA-8F4B-3BA41AF5550E}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADD4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD36.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a604.msi	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
3968	MSIADD4.tmp
3860	MSIADD5.tmp
3508	WPS.exe
4620	thelper.exe
1388	thelper.exe

Loads dropped DLL 49 IoCs

pid	Process
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
600	MsiExec.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
4620	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
3836	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	thelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	thelper.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
600	MsiExec.exe
600	MsiExec.exe
4888	msiexec.exe
4888	msiexec.exe
3508	WPS.exe
3508	WPS.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe
1388	thelper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3836	msiexec.exe
Token: SeSecurityPrivilege	4888	msiexec.exe
Token: SeCreateTokenPrivilege	3836	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3836	msiexec.exe
Token: SeLockMemoryPrivilege	3836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3836	msiexec.exe
Token: SeMachineAccountPrivilege	3836	msiexec.exe
Token: SeTcbPrivilege	3836	msiexec.exe
Token: SeSecurityPrivilege	3836	msiexec.exe
Token: SeTakeOwnershipPrivilege	3836	msiexec.exe
Token: SeLoadDriverPrivilege	3836	msiexec.exe
Token: SeSystemProfilePrivilege	3836	msiexec.exe
Token: SeSystemtimePrivilege	3836	msiexec.exe
Token: SeProfSingleProcessPrivilege	3836	msiexec.exe
Token: SeIncBasePriorityPrivilege	3836	msiexec.exe
Token: SeCreatePagefilePrivilege	3836	msiexec.exe
Token: SeCreatePermanentPrivilege	3836	msiexec.exe
Token: SeBackupPrivilege	3836	msiexec.exe
Token: SeRestorePrivilege	3836	msiexec.exe
Token: SeShutdownPrivilege	3836	msiexec.exe
Token: SeDebugPrivilege	3836	msiexec.exe
Token: SeAuditPrivilege	3836	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3836	msiexec.exe
Token: SeChangeNotifyPrivilege	3836	msiexec.exe
Token: SeRemoteShutdownPrivilege	3836	msiexec.exe
Token: SeUndockPrivilege	3836	msiexec.exe
Token: SeSyncAgentPrivilege	3836	msiexec.exe
Token: SeEnableDelegationPrivilege	3836	msiexec.exe
Token: SeManageVolumePrivilege	3836	msiexec.exe
Token: SeImpersonatePrivilege	3836	msiexec.exe
Token: SeCreateGlobalPrivilege	3836	msiexec.exe
Token: SeBackupPrivilege	4328	vssvc.exe
Token: SeRestorePrivilege	4328	vssvc.exe
Token: SeAuditPrivilege	4328	vssvc.exe
Token: SeBackupPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3836	msiexec.exe
3836	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4716	4888	msiexec.exe	78
PID 4888 wrote to memory of 4716	4888	msiexec.exe	78
PID 4888 wrote to memory of 600	4888	msiexec.exe	80
PID 4888 wrote to memory of 600	4888	msiexec.exe	80
PID 4888 wrote to memory of 600	4888	msiexec.exe	80
PID 4888 wrote to memory of 2524	4888	msiexec.exe	81
PID 4888 wrote to memory of 2524	4888	msiexec.exe	81
PID 4888 wrote to memory of 2524	4888	msiexec.exe	81
PID 4888 wrote to memory of 3968	4888	msiexec.exe	82
PID 4888 wrote to memory of 3968	4888	msiexec.exe	82
PID 4888 wrote to memory of 3968	4888	msiexec.exe	82
PID 4888 wrote to memory of 3860	4888	msiexec.exe	83
PID 4888 wrote to memory of 3860	4888	msiexec.exe	83
PID 4888 wrote to memory of 3860	4888	msiexec.exe	83
PID 4620 wrote to memory of 1388	4620	thelper.exe	86
PID 4620 wrote to memory of 1388	4620	thelper.exe	86
PID 4620 wrote to memory of 1388	4620	thelper.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6b6f99.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4716
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C065B3F871829C4FA18AB405149DCFD
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:600
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BCF63E16A86CC744C30CD258D54F4EB7 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2524
- C:\Windows\Installer\MSIADD4.tmp
  "C:\Windows\Installer\MSIADD4.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\WPS.exe"
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\Installer\MSIADD5.tmp
  "C:\Windows\Installer\MSIADD5.tmp" /DontWait "C:\ProgramData\Microsoft\MF\thelper.exe"
  2⤵
  - Executes dropped EXE
  PID:3860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4708

C:\Users\Admin\AppData\Roaming\WPS.exe
"C:\Users\Admin\AppData\Roaming\WPS.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\ProgramData\Microsoft\MF\thelper.exe
"C:\ProgramData\Microsoft\MF\thelper.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\thelper.exe
  "C:\Users\Admin\AppData\Local\thelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a607.rbs

Filesize
377KB

MD5
bcdb92a71ccc5d1021b6c8151c76505a

SHA1
fb26b30eba3bfc1ebae79a8464b714b22fcd143b

SHA256
eff8223d798ff03367bb3a84110a159c6a70ad805310d0aa1082b99c2acbe60f

SHA512
5076ecbe82bccad8de541243bcdd9081a6d708d71a048bc0e7cfe9cf5114c1b025e00cada6db67c3ef28a148217332c109c697a04a0e393375c32654731fcb1e

Download Submit
C:\ProgramData\Microsoft\MF\XLFSIO.dll

Filesize
900KB

MD5
a06090c5f2d3df2cedc51cc99e19e821

SHA1
701ac97c2fd140464b234f666a0453d058c9fabf

SHA256
64ffdffb82fc649e6847b3c4f8678d9cca0d5117fa54c9abbb746625d3feef89

SHA512
541804db74a25fc5f50801f23b4d9f2be788d3c95d3d23dd8098f4c8888d1fc808e6eb6959c458965c639ea28b594a87dff7f3a89c4750c109b29b573c4535cf

Download Submit
C:\ProgramData\Microsoft\MF\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
C:\ProgramData\Microsoft\MF\ic.dll

Filesize
165KB

MD5
1fcd1d41cd1d799989c4d9b1d7b7be07

SHA1
14f762898c75356519702817804ddf6fb95b7ea2

SHA256
8ac99c6716bd235986cad57cc30602c9cb5f15685971b93c77a36e70de5a3d44

SHA512
d8f601d6d7694b339ed931ff48899844bbe7e52d0b2df725f1134b7cfd14baa61c4fdc54f27d574479cca554a2c8a9c87eb764974864411ce72a467e802eb637

Download Submit
C:\ProgramData\Microsoft\MF\libpng13.dll

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
C:\ProgramData\Microsoft\MF\mt.dll

Filesize
1.5MB

MD5
bfaa6c11ad36cb958d175f3d4740c90d

SHA1
2fe774c4e7e61404b0e78341823248fbc1ccf1b2

SHA256
7ad42985ab304dcd65ba10186e0a0892dc55303236eef902bdc2f89dbbae10dc

SHA512
8d47f98674f3303d8213dd80979d9e2f4114e7fea98d0695fb4bb7a4fb47491d9509f539c869da97906923a6e39c97e09338470d67587c91d8ec3b7c7be5a0e5

Download Submit
C:\ProgramData\Microsoft\MF\thelper.exe

Filesize
226KB

MD5
ffbed32e4009acd7fadcaa4bf1bdd898

SHA1
7485fcf366f7b3e61afc02130f296e0016d342c3

SHA256
79b496701e7a68dea3406f01b81e4d05fa484597a5a711889875f1cfb743822a

SHA512
320006a900494d77c82013a683b6300f7d578b0a9c6a1597af1a2ba877f61eb546ee85a5e2b640b5944b36f4c8e27ca75e77744e6eb087f51bba2dc64e4cc29f

Download Submit
C:\ProgramData\Microsoft\MF\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
1KB

MD5
4d54a398a9de3773110b08e3053c6922

SHA1
442e8ad891dc493f3abe3f30a9ed9e76e75ca06e

SHA256
e921a4033d60b79777a57cbfdb802a3ed1e9a09fa900ead5283c02e6fc74f46a

SHA512
ab83a99b7620a790030dd50e0328ff7af71b4d6575914895eff330670b7f279825ad02a5bbe7b71a1305811b4e3b5ab734154bb0269060ccfb3ec2d50424dae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_F891537EEBBDBB955ED6C40DCF761C31

Filesize
2KB

MD5
0ba0a57d0973c75a874c8d488b388416

SHA1
49393bb338381be8a85788cbcab5307b4d1c6366

SHA256
98e9408a6fc0de2bb8c77f4a3d1d652f46a9b75ce8500a34c62fdb1199072bd0

SHA512
6a0fbf476942adc34b4b91f6ad5f2aed5a72b956bb99909f1e22fe08168c9853fb3e43038577b98277113dfc14699e4041030ed458d576e525bb98d262e27550

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
412B

MD5
8cb0fddc6a5d0df8d017ea5f1432087c

SHA1
35562cd186c686af291f582294624ff6406e3e98

SHA256
32011fd83c391987f41e49781bbc35f26409719d1ce9de19bd918a1cf8cfdbce

SHA512
a20198ae2ba78dc22e89623def48eb92bb6b5d43f7a6f1103312e340c9b4c71cd50bbf596c018e355fa9addd0fa5972024988fdbe75b700a106dba860e28b127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_F891537EEBBDBB955ED6C40DCF761C31

Filesize
428B

MD5
9de0daa1cce4cb9cae8e699d965fee78

SHA1
c48da763fe98bf98dee6406328248610d53d5d74

SHA256
4a84ac9fcd193cb2204c37cc849569f93d749c5ffc5ad2b0f5df9ccc2267c0e3

SHA512
f592c5d45a5a547754d5c7b9243d58d45d370af4a0349d29e240ad72729a7882b8500cbf7a145904cacdb8c0e31ed9fe25695c71634fe1f80e85747b06434a21

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c9562ff508bfba81ef0a\76.20.36\tracking.ini

Filesize
84B

MD5
d4d8a05ef7eef8e6a61b4599c1f414bb

SHA1
a5fe4dacbad7bdd2eebdb45b2d1dd27679525fca

SHA256
43ca9adacbeb97fa353772f3c5b101fc846ed8d52fd3a58de9feb088da4510f7

SHA512
8f71a0e7ba940d7d5351c3cf5f246e81244f3c8964a5a81c0d445ac989c94fd30677b59fd5675120f0ed651eb7ab22ef0a7b216465c8cafc0e31fb6c3847db36

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c9562ff508bfba81ef0a\76.20.36\tracking.ini

Filesize
84B

MD5
2039d657ef5740a21559224137fb7552

SHA1
9f8a903ee9517a29c139a9f6beb90e43fd6370b7

SHA256
6e799db6bad71d82f28620a0293142dbe03e248fa246e571c19d51d56c7785ec

SHA512
0e8ff80fc16d6263d4edbdea7802c3ea3bed8a220d4b18f0e4efad30f989a5a7584036b4e966734357ff55d9979584a0ed9cbe1506f6530dcca34f31cacd1d93

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c9562ff508bfba81ef0a\76.20.36\{C9C2EC17-FB8B-4B04-9B4E-56E367A36035}.session

Filesize
12KB

MD5
c87eb8f6f862d926e3fabc0b75eef824

SHA1
2a4a95d2bb22caae5fcb3d717d083475ed8b261d

SHA256
e1cd02d630a71837e4511923a7acbcba47e14623a85356f7df54828ad14863a9

SHA512
6799da60e32c976610575d45b2e3d16685930cbdd113f0d8951a2ba453ae6f695310177a7f0584b2552ee16f7ec4c5101a375b90ba4016a56dc69239ce453654

Download Submit
C:\Users\Admin\AppData\Roaming\WPS.exe

Filesize
2.9MB

MD5
b52ba2b99108c496389ae5bb81fa6537

SHA1
9073d8c4a1968be24357862015519f2afecd833a

SHA256
c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8

SHA512
6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Download Submit
C:\Windows\Installer\MSIA6A0.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSIA77C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIAC68.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSIADD5.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\ProgramData\Microsoft\MF\XLFSIO2.dll

Filesize
209KB

MD5
1bc7af7a8512cf79d4f0efc5cb138ce3

SHA1
68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

SHA256
ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

SHA512
84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

Download Submit
\ProgramData\Microsoft\MF\XLLuaRuntime.dll

Filesize
249KB

MD5
5362cb2efe55c6d6e9b51849ec0706b2

SHA1
d91acbe95dedc3bcac7ec0051c04ddddd5652778

SHA256
1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

SHA512
dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

Download Submit
\ProgramData\Microsoft\MF\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
\ProgramData\Microsoft\MF\libexpat.dll

Filesize
668KB

MD5
5ff790879aab8078884eaac71affeb4a

SHA1
59352663fdcf24bb01c1f219410e49c15b51d5c5

SHA256
cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

SHA512
34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

Download Submit
\Windows\Installer\MSIA879.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
memory/1388-296-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1388-321-0x00000000713A0000-0x00000000715B7000-memory.dmp

Filesize
2.1MB

Download
memory/1388-320-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/1388-290-0x0000000000E90000-0x0000000000F98000-memory.dmp

Filesize
1.0MB

Download
memory/1388-292-0x0000000000D10000-0x0000000000D4F000-memory.dmp

Filesize
252KB

Download
memory/1388-294-0x0000000000FD0000-0x0000000001005000-memory.dmp

Filesize
212KB

Download
memory/1388-298-0x0000000002A00000-0x0000000002A31000-memory.dmp

Filesize
196KB

Download
memory/1388-302-0x0000000002A40000-0x0000000002A6A000-memory.dmp

Filesize
168KB

Download
memory/1388-297-0x00000000713A0000-0x00000000715B7000-memory.dmp

Filesize
2.1MB

Download
memory/3508-319-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/3508-318-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/3508-340-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/3508-339-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/3508-336-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/3508-231-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/3508-322-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/3508-310-0x0000000001030000-0x00000000015D3000-memory.dmp

Filesize
5.6MB

Download
memory/4620-288-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/4620-289-0x0000000070F30000-0x0000000071147000-memory.dmp

Filesize
2.1MB

Download
memory/4620-251-0x0000000001060000-0x0000000001168000-memory.dmp

Filesize
1.0MB

Download
memory/4620-270-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/4620-268-0x00000000013F0000-0x0000000001425000-memory.dmp

Filesize
212KB

Download
memory/4620-256-0x0000000001170000-0x00000000013E6000-memory.dmp

Filesize
2.5MB

Download
memory/4620-274-0x0000000070F30000-0x0000000071147000-memory.dmp

Filesize
2.1MB

Download
memory/4620-275-0x0000000002E90000-0x0000000002EC1000-memory.dmp

Filesize
196KB

Download
memory/4620-279-0x0000000002ED0000-0x0000000002EFA000-memory.dmp

Filesize
168KB

Download