5f1b04e4a9cf5e1e3f3e11a4ff712702a102c93be276dd5da9c6927c4808575a

Resubmissions

21/08/2024, 19:45

240821-ygpwbaxbkc 6

Analysis

max time kernel
23s
max time network
27s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

njRAT0.7dFixedStealer (1).msi
Size

3.2MB
MD5

5d74155c3195e27633e1609d45b1ce07
SHA1

e1ea143d17a1700867bf1baea72a442109f27504
SHA256

5f1b04e4a9cf5e1e3f3e11a4ff712702a102c93be276dd5da9c6927c4808575a
SHA512

1d75aa24a3c9e161c36422aa543bbb60491ef5a8f497aee2fb29cb692170b6745b054dcd2ee8f881c68d182db033c04842fe2f1484385870488738d108145c36
SSDEEP

49152:+qf/c/f9r84jEHYDgE5e7vxP5Ferq7I5RJK5k1jcB6jWH5XzatCJkH105fASGdvi:tVHYDgpNxFecIC2H16l

Score

6^/10

discovery evasion trojan

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2864	msiexec.exe
5	2864	msiexec.exe
6	2964	msiexec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI6AB.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CreatePolicyRegistries.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7700a0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7700a0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI200.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AD.tmp	msiexec.exe
File created	C:\Windows\Installer\f7700a2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77009d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FD.tmp	msiexec.exe
File created	C:\Windows\Installer\f77009d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A8.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1776	MSI6AB.tmp
1904	CreatePolicyRegistries.exe

Loads dropped DLL 6 IoCs

pid	Process
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1700	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6AB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreatePolicyRegistries.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07F41161-5FF6-11EF-8732-52723B22090D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	CreatePolicyRegistries.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	CreatePolicyRegistries.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	CreatePolicyRegistries.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	CreatePolicyRegistries.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	CreatePolicyRegistries.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AED2CE1BD7CECD448AE07DA0C7D1626	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\PackageName = "njRAT0.7dFixedStealer (1).msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF0ABA91F2A6F9C43A6486247A24464F\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Version = "100794368"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF0ABA91F2A6F9C43A6486247A24464F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\ProductName = "Task"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\PackageCode = "C0955259D5BD8A047B64ACC4855CCCCB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF0ABA91F2A6F9C43A6486247A24464F\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AED2CE1BD7CECD448AE07DA0C7D1626\BF0ABA91F2A6F9C43A6486247A24464F	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	msiexec.exe
2964	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2864	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2864	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeCreateTokenPrivilege	2864	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2864	msiexec.exe
Token: SeLockMemoryPrivilege	2864	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2864	msiexec.exe
Token: SeMachineAccountPrivilege	2864	msiexec.exe
Token: SeTcbPrivilege	2864	msiexec.exe
Token: SeSecurityPrivilege	2864	msiexec.exe
Token: SeTakeOwnershipPrivilege	2864	msiexec.exe
Token: SeLoadDriverPrivilege	2864	msiexec.exe
Token: SeSystemProfilePrivilege	2864	msiexec.exe
Token: SeSystemtimePrivilege	2864	msiexec.exe
Token: SeProfSingleProcessPrivilege	2864	msiexec.exe
Token: SeIncBasePriorityPrivilege	2864	msiexec.exe
Token: SeCreatePagefilePrivilege	2864	msiexec.exe
Token: SeCreatePermanentPrivilege	2864	msiexec.exe
Token: SeBackupPrivilege	2864	msiexec.exe
Token: SeRestorePrivilege	2864	msiexec.exe
Token: SeShutdownPrivilege	2864	msiexec.exe
Token: SeDebugPrivilege	2864	msiexec.exe
Token: SeAuditPrivilege	2864	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2864	msiexec.exe
Token: SeChangeNotifyPrivilege	2864	msiexec.exe
Token: SeRemoteShutdownPrivilege	2864	msiexec.exe
Token: SeUndockPrivilege	2864	msiexec.exe
Token: SeSyncAgentPrivilege	2864	msiexec.exe
Token: SeEnableDelegationPrivilege	2864	msiexec.exe
Token: SeManageVolumePrivilege	2864	msiexec.exe
Token: SeImpersonatePrivilege	2864	msiexec.exe
Token: SeCreateGlobalPrivilege	2864	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2864	msiexec.exe
1196	iexplore.exe
2864	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1196	iexplore.exe
1196	iexplore.exe
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1712	2964	msiexec.exe	31
PID 2964 wrote to memory of 1712	2964	msiexec.exe	31
PID 2964 wrote to memory of 1712	2964	msiexec.exe	31
PID 2964 wrote to memory of 1712	2964	msiexec.exe	31
PID 2964 wrote to memory of 1712	2964	msiexec.exe	31
PID 2964 wrote to memory of 1712	2964	msiexec.exe	31
PID 2964 wrote to memory of 1712	2964	msiexec.exe	31
PID 2964 wrote to memory of 1700	2964	msiexec.exe	32
PID 2964 wrote to memory of 1700	2964	msiexec.exe	32
PID 2964 wrote to memory of 1700	2964	msiexec.exe	32
PID 2964 wrote to memory of 1700	2964	msiexec.exe	32
PID 2964 wrote to memory of 1700	2964	msiexec.exe	32
PID 2964 wrote to memory of 1700	2964	msiexec.exe	32
PID 2964 wrote to memory of 1700	2964	msiexec.exe	32
PID 2964 wrote to memory of 1776	2964	msiexec.exe	34
PID 2964 wrote to memory of 1776	2964	msiexec.exe	34
PID 2964 wrote to memory of 1776	2964	msiexec.exe	34
PID 2964 wrote to memory of 1776	2964	msiexec.exe	34
PID 2964 wrote to memory of 1776	2964	msiexec.exe	34
PID 2964 wrote to memory of 1776	2964	msiexec.exe	34
PID 2964 wrote to memory of 1776	2964	msiexec.exe	34
PID 996 wrote to memory of 1904	996	taskeng.exe	35
PID 996 wrote to memory of 1904	996	taskeng.exe	35
PID 996 wrote to memory of 1904	996	taskeng.exe	35
PID 996 wrote to memory of 1904	996	taskeng.exe	35
PID 1196 wrote to memory of 1452	1196	iexplore.exe	38
PID 1196 wrote to memory of 1452	1196	iexplore.exe	38
PID 1196 wrote to memory of 1452	1196	iexplore.exe	38
PID 1196 wrote to memory of 1452	1196	iexplore.exe	38

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\njRAT0.7dFixedStealer (1).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2864

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8B60389C927C4532999B1A30FCFC4C2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96A7DCCA1BDE0E1715D443B724DBB842 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1700
- C:\Windows\Installer\MSI6AB.tmp
  "C:\Windows\Installer\MSI6AB.tmp" https://seekspot.io/tyy
  2⤵
  - Checks whether UAC is enabled
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1776

C:\Windows\system32\taskeng.exe
taskeng.exe {50053C48-A323-4A00-9180-22EF156D1138} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\CreatePolicyRegistries.exe
  C:\Windows\SysWOW64\CreatePolicyRegistries.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1452

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7700a1.rbs

Filesize
224KB

MD5
83fb9369870581e105f05a35781ee19c

SHA1
e3b096c7da609d0e5a5446e4bf553d82221092f3

SHA256
500a73828a259945d5bfafe2049036d2311e081331dc0486cf34afa58798a824

SHA512
22f78dee5fdcda58c459fdf3da82538f37b9d6b974ca771de5c019da36a78a70446c1a4da81dbdffc349d4654201f2ff2b8d07141899b25b9f3e2f68e6e08c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07298EE8EBA9732300AE62BDCA6B6898

Filesize
1KB

MD5
e11e31581aae545302f6176a117b4d95

SHA1
743af0529bd032a0f44a83cdd4baa97b7c2ec49a

SHA256
2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c

SHA512
c63aba6ca79c60a92b3bd26d784a5436e45a626022958bf6c194afc380c7bfb01fadf0b772513bbdbd7f1bb73691b0edb2f60b2f235ec9e0b81c427e04fbe451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07298EE8EBA9732300AE62BDCA6B6898

Filesize
312B

MD5
48932921b6686e9c5259418ce0a05861

SHA1
84820ed399d81fda9d953da3a9d45b2f067a4e7f

SHA256
7ce8b3634d21a7b8cb580b12d404fa9eb36342515951151f80174636b704a3b9

SHA512
34e49b6c0726e19a5b60ec6bae3da37c0413c2c7bd17e933af7d6e48e3696e659babc6c4a610a0acfd71d206e91776c82d1b565e713813b261c2b3ea6303664d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52681cc8a18db429f6f5452ed332caa6

SHA1
8cd7ee588973fe2379e3a494c3c4951fd7647c57

SHA256
c486cf8803dede15692228c7ea6d281c7767e4d4c8554b11a862235b2e1a2842

SHA512
f7eb0daa00d39aae3776cee07815adbff755b35ae83a93cbce0a3857405282740ebb9266e96ba738d7db5945ab4daaa97b8388aa2b7a9fd6b564ce1d33de3399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8382624d5349b2add5cc3b75c5f8951c

SHA1
a7c9646e025919e461fb01da23e339353f9c193e

SHA256
10a129fb088db293363759ea837467c8b6e44422d8b06e3b3867edede12d0c64

SHA512
370a6dd90d3ab1e6ae5a7b9ac738ae91c1533b3bef737fa95dbc79c5f45ad098464e626b970d30cb985a8e2148a46ff5f2731463a30a8315c6fea9487d0aebb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35468117d949838de00f1edcd474a8f1

SHA1
97933d622aad483765718f3b677a92af3ceefa03

SHA256
a26be1f78b990321fa5d1f7cb6452190b853ffd92db677cd3772db0de3c1ac56

SHA512
fb9711ffd4c333bb87374073887a93326d99a3bbab75e49594870153f7e0dbcc3aa3ec7d90801ca12c614e0c7b6a2aba5281831e54c6277a746a3200ac86ac41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7fcef1927db2f2a03fa7a615324c49f

SHA1
36a726f7ae54ed2270b1808fcf4746be73724bb9

SHA256
b0c695e2114d8ddb7f6c229bcdb4465a55e6628ca0e44007b5ffaee594467128

SHA512
ea6e61a324511bca906e2777de3593c6eb5b1ee694fc851259a6fac70999aaa03110ebebde05ea622a6d5d10f11352098510046dac49df55d395b7a31a3d29f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
271b4a609f8379355f9a7202771acab9

SHA1
8f22aaf27e4d1ee15b0a9cbc42e8227cc73278c5

SHA256
8d84fd86f0ac22032197e8b7454116ba6e566751fe1e04b3d22199b24f1a393c

SHA512
607a3ec4d370c37c79c7780720e2b2a0a7e770c918b679733021e1a2ab9884992424e49b8c049660e71de2312d74938968c40d20f2d0c8c4405dd670e557bd8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0f158ae5ead51527b572aebfe806327

SHA1
f89de7538acd2574022e7ab67c7ff37f10a5763b

SHA256
2341459e794dbfa7a358c094df5f1c0e9ccfaee9ebe1494125a5737f5b1408da

SHA512
1a1abda35d3c5625f85d12a99d85edc7733b3e868132656a6d315e59a80bf409d457475a1a673b1237f77b017c73317505402123530cb52e5d457a5cf454af2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8f418333db85a3d10c8757b0d02fd14

SHA1
1dd822c0c1f5d8ebbddbde2596e9840376968a70

SHA256
f5dcfbb77bbaa0fe59ca7bfe85e29065347fa9bde0e6f9dc07e59ac3c666ddf4

SHA512
846b46773696c9c9a677b9d383fc2c5bf5ef2ef6d313a11370304ad36f56de37fd85e599121a138fef795517fe8a786a20b9a2171e0e58be523d48f175db44e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58a7716ac4201c2f900d0b9dc1c1763e

SHA1
f32c9cb45c029ab78e61d8d9207f21f721b21cc9

SHA256
a2dcf7ac618325713ddcd04bba432eb02ecdef8f4c90d784ab196f8f5d6b0043

SHA512
1939484e086ab70afb610b6deec43e0af78c1cb30c979f25ec2b556bd78c578ea025069339074e58c7d7448f466b351febd9f0efe846347ba22e387cf8a313e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18c3eb6219c17021b28765eec3a2a0d9

SHA1
dfd80f9c53f9b5007e6dc26575938fa681c3556a

SHA256
47b9990b7c20eee1df7d8b4fe50758a23ced1c142d2498d80f93515664b520f6

SHA512
fc3f399ab68c15b611b0b5c6f1efe1b6927f13e825f48a927f5f125832569f093ccdda8007049e2288de4714dfcbb65dfc0a5b5fc6e52ce4a84b605f8023e311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a44fc687847a569b1d0206b585616d00

SHA1
8b28f93478b1f0b2b588eeecf9e646cdfa3f64d5

SHA256
fa099f24afaadef82530d19045b218d044ad6534ac1cbc535757af19e612087a

SHA512
7dc6588de122362662f7477ce06957914b6321589027186b1e308348453846a9a17374a31afe5348e063548c7968bec674992ea01faa554cade1837278529de3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12a43c5ff79976a6565b951525f3becd

SHA1
80077bd45a7c620d0518d9bad2d40434304c76da

SHA256
445d3f0307e3512a089940de3942ae0bb80cf9767c9f8b0c24673104950aaaba

SHA512
b4556da00fb00ebb2615eef17b77f59fa894c2f290ba37f2d3b0f64eeccec767dae7d9a87e25f6f9d56d2186f86e3ad147ef1ad1c81836d8e9df13234576f3c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37f11ac3e94540b65a20837293850172

SHA1
fb60ff67b6d26c3d0986d0d3d1b3e2d10fcfa000

SHA256
7a67e4050c067d5a859724605b4b83716f8adf44d84ee3b5b2575f293720bd4d

SHA512
9a3c819ab542d283ecd476fc00c8e1a8597e562615a45619a1f7af19e56e38ba71beb65e52193268ebf41fc154a8645022af9bba8a5cd2a1996455067b2be7bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f2ca856a358f2a7aa945cecb0e13381

SHA1
01c731425e5db981eed62e958cebf3366e42abf6

SHA256
9cbbedaf2ee9960731892ae9ef719469894d51bc80e05e816fec2dedc445a88d

SHA512
75898a3a6e5534b5c7600e9ac8e15f74d94221d967db582be4050e56a5346fc4dc7dad337449db0c90e0b76fbd83a6f4919808a16ef5a16f380661d6fd853754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e17114cf8a03700c82c8e834ba4bd54

SHA1
7232b2eb330b9bb95546ab07a6fa72d170e4f9e0

SHA256
d3e07a302b651b4b5630bb81a4bfcd45d880690fc7fd78d87cea600f3daebd66

SHA512
042c8a852bc36c18b0bd3d08958dadf454b2724204b84a9a593047d42f975d08dc536f6ad34767fa764efee0a7cebecccb02da57d22d4639c4f7532e39b2732e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFD06.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFEAF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\URL6C4.url

Filesize
49B

MD5
d123fceb9cd9d24dda8642582d5b3e50

SHA1
35b07f8300e9b950f635329eab9b1f707bc1fbd1

SHA256
6cca417b473ebdee60498efdb981ee339f899abccca09884d2c74d771bf47e8f

SHA512
f92000dab680ff02b068d40642999657760a10e7cea31ef7dd87684ea415fcb950a1ae7fa8dcf3045af90154552fd6b8fe7ec830f9fb1a2d11393c7ec44e6333

Download Submit
C:\Windows\Installer\MSI200.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
C:\Windows\Installer\MSI2DC.tmp

Filesize
1.1MB

MD5
e612b2f3c68a7d5c34592c88778766b2

SHA1
e18329c9f763f923682408032b7b35a4e62fdf81

SHA256
403869ed494bcbc3e535b492f2ebfad95748049e203ff7c31ac1afb38d8909ed

SHA512
753c8d4600595c0b83f1a5bca9da637d56d7778ffd74a90942ee243e6b998c113e372b35cde4aa90b4a11152176812e354a6c0761b169243ecf5d3a9c793b543

Download Submit
C:\Windows\Installer\MSI5AD.tmp

Filesize
216KB

MD5
c4d90c83e2fe2693549c97433a61fff7

SHA1
c0d15050b51b79838fce008279ad8aed835b0228

SHA256
9c845f330716ed4228b6176b8fc9fd9ea90f687d6915c01ed5e5745537d5c1f4

SHA512
467e3e0fcab89de5fe0af7ecf0a081ff25db10718d5a99f317fc0511d71c5b0e54141a25138bccce61ca7ac03c768da78ec8bf2e5bbb1fa73cb3fc632a5f869d

Download Submit
C:\Windows\Installer\MSI6AB.tmp

Filesize
416KB

MD5
968b71f1a1ddeb430fd85b3935c0832e

SHA1
e8f037a8cfd6c213efe9ab2674e67759dd83315d

SHA256
b39fe8097e0ec833475e8d2d6f2ee15fa0360f2d2344a3962b2516e697476a0e

SHA512
36322dbf6ee602e92d59638d14dc7a14e78a468fccd35351ddce6e3151d974bbc800f87c1a0aa6e3f000d2a76a8826c182c9c43b4628daa3b8d61db557b4e200

Download Submit
C:\Windows\Installer\f77009d.msi

Filesize
3.2MB

MD5
5d74155c3195e27633e1609d45b1ce07

SHA1
e1ea143d17a1700867bf1baea72a442109f27504

SHA256
5f1b04e4a9cf5e1e3f3e11a4ff712702a102c93be276dd5da9c6927c4808575a

SHA512
1d75aa24a3c9e161c36422aa543bbb60491ef5a8f497aee2fb29cb692170b6745b054dcd2ee8f881c68d182db033c04842fe2f1484385870488738d108145c36

Download Submit
C:\Windows\SysWOW64\CreatePolicyRegistries.exe

Filesize
8KB

MD5
4e645d7b2898ecf396a3d11588b7a7e1

SHA1
f46d4bcad68ce48d30c940ef2e24819d436d6d9a

SHA256
a8ff74b484e337f8309cc42954578fc0e1e747af58d31df9bf017f7e83cb1037

SHA512
a62e01457f195f45d316ee39a8e80241ccf988466e02d9d93cf5a331fab203833ced91bc661063bc7acf0699a745d30b090b67a18158046891523f32e96d66b5

Download Submit
memory/1776-199-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/1904-201-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download