rhadamanthys | 395c44cce9624a5750c97c313b5ede45ea36dd623bc71f7d1bf2e4964492dcd4

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01-09-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer-master-BlackMythWukong.msi
Size

43.8MB
MD5

4cbea3318f7107adb73e10fd8de96abf
SHA1

c6db50f856e92e5b0fa2f4b3855cbd58aa408fc1
SHA256

395c44cce9624a5750c97c313b5ede45ea36dd623bc71f7d1bf2e4964492dcd4
SHA512

724291101a4859c8e700ff762e48f6e2ded60fed23bfd64be7c438552c885b22d35b693ec03c2d234afe60d9defdc39ada77fedd9d3c881710935aa4e4f9b931
SSDEEP

786432:H8JJ5v6bZ0no3r27KIvSOcaVWfoyI4aEK0Gpqq++mFIjqEKrdLi9VMkryQs:HC5i10noy7KS/RVLCqpP++mF+gLBf

Score

10^/10

rhadamanthys discovery persistence privilege_escalation stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

visapro.exe

description pid process target process

PID 1384 created 2364 1384 visapro.exe svchost.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

4516 ICACLS.EXE
3648 ICACLS.EXE

description	pid	process	target process
PID 1384 created 2364	1384	visapro.exe	svchost.exe

pid	process
4516	ICACLS.EXE
3648	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exeEXPAND.EXEchrome.exe

description	ioc	process
File created	C:\Windows\SystemTemp\~DFC3778789612FF4B6.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D2331EC5-01E6-4564-8DF3-B5D283A6767A}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57ec35.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ec35.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED7D.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0A332C8C9E2FE293.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF06AAF02FB44E4ECD.TMP	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\SystemTemp\~DF80F55DD90E22CF7B.TMP	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

visapro.exe

pid process

1384 visapro.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

2928 MsiExec.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

4460 msiexec.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4972 1384 WerFault.exe visapro.exe

pid	process
1384	visapro.exe

pid	process
2928	MsiExec.exe

pid	pid_target	process	target process
4972	1384	WerFault.exe	visapro.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

visapro.exeopenwith.execmd.exeICACLS.EXEMsiExec.exeICACLS.EXEEXPAND.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	visapro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICACLS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009a5c3185e018bce80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009a5c31850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009a5c3185000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9a5c3185000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009a5c318500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696533305040590"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msiexec.exevisapro.exeopenwith.exechrome.exe

pid	process
2276	msiexec.exe
2276	msiexec.exe
1384	visapro.exe
1384	visapro.exe
1092	openwith.exe
1092	openwith.exe
1092	openwith.exe
1092	openwith.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

5048 chrome.exe
5048 chrome.exe
5048 chrome.exe
5048 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	4460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4460	msiexec.exe
Token: SeSecurityPrivilege	2276	msiexec.exe
Token: SeCreateTokenPrivilege	4460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4460	msiexec.exe
Token: SeLockMemoryPrivilege	4460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4460	msiexec.exe
Token: SeMachineAccountPrivilege	4460	msiexec.exe
Token: SeTcbPrivilege	4460	msiexec.exe
Token: SeSecurityPrivilege	4460	msiexec.exe
Token: SeTakeOwnershipPrivilege	4460	msiexec.exe
Token: SeLoadDriverPrivilege	4460	msiexec.exe
Token: SeSystemProfilePrivilege	4460	msiexec.exe
Token: SeSystemtimePrivilege	4460	msiexec.exe
Token: SeProfSingleProcessPrivilege	4460	msiexec.exe
Token: SeIncBasePriorityPrivilege	4460	msiexec.exe
Token: SeCreatePagefilePrivilege	4460	msiexec.exe
Token: SeCreatePermanentPrivilege	4460	msiexec.exe
Token: SeBackupPrivilege	4460	msiexec.exe
Token: SeRestorePrivilege	4460	msiexec.exe
Token: SeShutdownPrivilege	4460	msiexec.exe
Token: SeDebugPrivilege	4460	msiexec.exe
Token: SeAuditPrivilege	4460	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4460	msiexec.exe
Token: SeChangeNotifyPrivilege	4460	msiexec.exe
Token: SeRemoteShutdownPrivilege	4460	msiexec.exe
Token: SeUndockPrivilege	4460	msiexec.exe
Token: SeSyncAgentPrivilege	4460	msiexec.exe
Token: SeEnableDelegationPrivilege	4460	msiexec.exe
Token: SeManageVolumePrivilege	4460	msiexec.exe
Token: SeImpersonatePrivilege	4460	msiexec.exe
Token: SeCreateGlobalPrivilege	4460	msiexec.exe
Token: SeBackupPrivilege	2588	vssvc.exe
Token: SeRestorePrivilege	2588	vssvc.exe
Token: SeAuditPrivilege	2588	vssvc.exe
Token: SeBackupPrivilege	2276	msiexec.exe
Token: SeRestorePrivilege	2276	msiexec.exe
Token: SeRestorePrivilege	2276	msiexec.exe
Token: SeTakeOwnershipPrivilege	2276	msiexec.exe
Token: SeRestorePrivilege	2276	msiexec.exe
Token: SeTakeOwnershipPrivilege	2276	msiexec.exe
Token: SeBackupPrivilege	3524	srtasks.exe
Token: SeRestorePrivilege	3524	srtasks.exe
Token: SeSecurityPrivilege	3524	srtasks.exe
Token: SeTakeOwnershipPrivilege	3524	srtasks.exe
Token: SeBackupPrivilege	3524	srtasks.exe
Token: SeRestorePrivilege	3524	srtasks.exe
Token: SeSecurityPrivilege	3524	srtasks.exe
Token: SeTakeOwnershipPrivilege	3524	srtasks.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

msiexec.exechrome.exe

pid	process
4460	msiexec.exe
4460	msiexec.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

visapro.exe

pid process

1384 visapro.exe

pid	process
1384	visapro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exevisapro.exechrome.exe

description	pid	process	target process
PID 2276 wrote to memory of 3524	2276	msiexec.exe	srtasks.exe
PID 2276 wrote to memory of 3524	2276	msiexec.exe	srtasks.exe
PID 2276 wrote to memory of 2928	2276	msiexec.exe	MsiExec.exe
PID 2276 wrote to memory of 2928	2276	msiexec.exe	MsiExec.exe
PID 2276 wrote to memory of 2928	2276	msiexec.exe	MsiExec.exe
PID 2928 wrote to memory of 4516	2928	MsiExec.exe	ICACLS.EXE
PID 2928 wrote to memory of 4516	2928	MsiExec.exe	ICACLS.EXE
PID 2928 wrote to memory of 4516	2928	MsiExec.exe	ICACLS.EXE
PID 2928 wrote to memory of 4492	2928	MsiExec.exe	EXPAND.EXE
PID 2928 wrote to memory of 4492	2928	MsiExec.exe	EXPAND.EXE
PID 2928 wrote to memory of 4492	2928	MsiExec.exe	EXPAND.EXE
PID 2928 wrote to memory of 1384	2928	MsiExec.exe	visapro.exe
PID 2928 wrote to memory of 1384	2928	MsiExec.exe	visapro.exe
PID 2928 wrote to memory of 1384	2928	MsiExec.exe	visapro.exe
PID 1384 wrote to memory of 1092	1384	visapro.exe	openwith.exe
PID 1384 wrote to memory of 1092	1384	visapro.exe	openwith.exe
PID 1384 wrote to memory of 1092	1384	visapro.exe	openwith.exe
PID 1384 wrote to memory of 1092	1384	visapro.exe	openwith.exe
PID 1384 wrote to memory of 1092	1384	visapro.exe	openwith.exe
PID 2928 wrote to memory of 1988	2928	MsiExec.exe	cmd.exe
PID 2928 wrote to memory of 1988	2928	MsiExec.exe	cmd.exe
PID 2928 wrote to memory of 1988	2928	MsiExec.exe	cmd.exe
PID 2928 wrote to memory of 3648	2928	MsiExec.exe	ICACLS.EXE
PID 2928 wrote to memory of 3648	2928	MsiExec.exe	ICACLS.EXE
PID 2928 wrote to memory of 3648	2928	MsiExec.exe	ICACLS.EXE
PID 5048 wrote to memory of 4860	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4860	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1120	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1400	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 1400	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4960	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4960	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4960	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4960	5048	chrome.exe	chrome.exe
PID 5048 wrote to memory of 4960	5048	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2364
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1092

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installer-master-BlackMythWukong.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7517CDD9D11C322CA611EF1733D79E4
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4516
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\files\visapro.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\files\visapro.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 732
      4⤵
      Program crash
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\files"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1384 -ip 1384
1⤵
PID:3956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92f88cc40,0x7ff92f88cc4c,0x7ff92f88cc58
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1784,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4448,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4600,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3724,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5000,i,9465279272655336981,7213096163449267011,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3224 /prefetch:8
  2⤵
  PID:2640

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

File and Directory Permissions Modification

T1222

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7006aa9b-cd4f-46db-af62-a8316c5bec57.tmp

Filesize
101KB

MD5
a8587914a70d0af9261a7643baef179c

SHA1
b7ef0f4018887b9630a05b167ff8982b83634b13

SHA256
3e19dffce4c34cb1bd9174212a9c4772832db10153f3630895661a3ea3a668dc

SHA512
6263eb6305e7de0a8fedd1bf6b14598b76fc3a6d2b433cf62d4843158f88154b691829cf009f2646530b5831aebf8132fe87f3222ad8e1a4be5eb0e48b12fa51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6055ab2939e4d9ef0685db45313542a0

SHA1
220c1f641bd79cf0568eb4d1861e8a7c2a92a735

SHA256
2bbd16f6cc471496fab3638f52915a2b495727988d41fe6cc1efd338d2ec669a

SHA512
83a885bb8880c4b6e39f5c9145c6d4017c36bfd40e29b6593df40d8dcba2e457cfaca982636cb00e3791ca4f49805cfa138756a9a7ac1fc6b612b96dbf6c1abc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0afb426bccfe3587c7b41b9451830a12

SHA1
27f5d9e9e9355dcb552ac968ff6d1d4ce745a369

SHA256
ccba7e8941164599f0e1e725addc7b1d0fd86179b5c1024b8ff8a8d1cc3e132a

SHA512
557f8d09271ea6eb3d32d14030d5a373af22eb4d02e537fb2781a4f781a03bd2ea579db8b6fa7bab23d0aeb7e04aba9bd11bdd0623e36bb9289ae0a49d45a755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3070f3118243199e72eb73af327828e5

SHA1
8e0d92449a2018e0d3cdb004eb4564dfed255c69

SHA256
780f325975f5b60eb8611023d9d9f5438b2c950e73acc845aef3655f4f7e7a79

SHA512
b0114a40ebac3478eca86825731b1363830677ee4a5d3389f06f0a5ad2ad03daf397e95017b1d14131f3d7fab6d51af0a0308ba3357c5adf9d9205a3c580f608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c86698f0285b8c25adca649efab276ce

SHA1
fd637b3785a3ff48410d4f79db74a135ddb16efc

SHA256
5c27d51b707340cfd859485c55b96216f334ccd1f236cb05916954789fbe7cf2

SHA512
296102da9cf450e429119d2980d34ed746fa4ef32a480647b12d3e0f89b523826b0c351cf37dfe96f8c0cc9defa6e92244e4bb7903255df13c23518a06920b19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3e516350bbdb82d686ac95f0af5699a1

SHA1
c4e1d1c5aa1f446a20e00b2857938cf6a75a49bb

SHA256
26e9bdf5098c0865446baa1201277c8f7db07d46c14c3723e03a4770780c5628

SHA512
5ed5b68b8acb3b40c53896ab626456ae79d7a7fbb7b6cd0d723fbc94d1afae91fa399b96a58390be0f6d483951c8d97c3fd7af96c058ac5bb32d57bea02083b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7fd06b8cee5dc2138545315fbee095a6

SHA1
61f07c8b66991f3695e6b1fe083953ea846efeec

SHA256
c698915f154419566e559b77522d9987e60e408ae556f69192b72cd008442a2e

SHA512
89e460966971fb1563d3831e014cbc2ad1ef798f46f45fb9bcb682dbb6023e3c39439c62420174fa0458f8c7d2b013779ad335f7a2fbed412a0e9d5f1166211c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
764e70e4406cfb61f8e6151e5bff1d9e

SHA1
f51b2cdfe3373140db4ff367bbaa3016b0db4a26

SHA256
6cf40b0b303b658200821973e8810a706e621d5da8fbda72c06f16e1cdcb9307

SHA512
95490d9d0c2c48526dc2fba901248c8843b725a24ef9b86b319f01134730bc5198f15066a8a533f3a4b31e40bf707ebf010f5f521333769ee23d515602759f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbe8fef6c429d5798c7e575ef168c2f8

SHA1
d9cdb38720329672d1018a78ca8eda14bdee5f57

SHA256
d43fdc0d272c7f2ebf36c526577c4f6ee637c549eb59fbb1e802c27cbc9adad6

SHA512
b723e39d7f6dc94d7c1c1e176f3239a9b1c95a216386d16aee78b3e3cb4f5dc070572188d33f164c5594665717b69fa44240be2e6c49352d8e1668542e4ad272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
386733daca16998f9528639e49f4bb0c

SHA1
1993563d70ebe9503c77801d47cb3dc819bb116d

SHA256
8711ed0f495a43af84bab8a8c23e55e627e7a705cb7c422369dd716c3e42fd5d

SHA512
256095da2b7d5a5228b372b71e47325148eb6fe37ebc1e9ebc4eb2a29e226e77996cebc65b1eb60fb057dbc09700e9d5230a27b800452b69352d11999c6c91ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25abd786444bae5daa43f898e389aca4

SHA1
3957ad65c192fe0c89cb5cd6258f3519abdacd36

SHA256
96b64147ab404ecba06cbc5b57e6c96310acb4a4a20a715bd7f7b7fe1e3d4908

SHA512
bb188f5c9c2ffed2a29b5016345942d312f592071e7505c6443ce76bbc721ee0fb121ef4541970a71a82addfbe31874eeaa0996604b2afed35bfb1ff07dda7b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86e459b264ca02325fac0ed06d410863

SHA1
72e1885639c5faa1d678aca4001a25b108e8fad1

SHA256
c6126a40578b0b0c19f14a5c80fa993e5412ecdb21c0e16321faa7acb0451a0c

SHA512
ccd86f90e65b84e93af183c0cf151c656ada9e0dd7a24440c1f62ac45befa9357cc7fa64b3b24907d2aea900472a835708c8aee442cedbd367cd22890cd0ef7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b01b01ea182e6417ba7dac00fb8021d8

SHA1
c35178b59ce2047a240e36080b52239ae1b716bf

SHA256
ee9e00881aa3ba4c540f4ec0f2fb43e1ea707f715fea5748595cb3bd4a8e8cf5

SHA512
068fb895a7cf0e80bfb9a6300f7ddef9a3bed6aac46e451630bfb059c9ba5cedb75630813bef74433fdffb0055cbbb7da64105a952b6cefb79050183120ebbb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6edbc7b8718fff6f74a43bf342596e2c

SHA1
02a1e559b11ca4757dc14ccd653b590980577dcb

SHA256
1e9aaa0687d381b979d7d5b4b08f5513b56b5a1e30ca7a0ba17cd5b71ff440e6

SHA512
0747b8633d38a9bac9beea030a85b1b57e79e3d08e15710c7442e082ad4ef9bf31d5fc6706e0df8605ba1747952bfaa46cfcfa2f5a46f46bc22d8a85039f96ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
859cb1647772b5a00295ee622581e6c7

SHA1
b0223c9692e5e459bd554f553ab17d857c6d1155

SHA256
e39f535273ea7d7bc3ed23c20b02d2e487df3cbb81af5775bf157d368b87594e

SHA512
b5e80ec1c5759ef81101ea7dd2e8ddb2fd38729a8fd7d4fca6c587f7c43c0ac7a8519cdb615c5640a2c65f62e411d1fca0765e44ceb677b098238560f138342d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
f09809e8bfe6cd3baf05ce8f61a07891

SHA1
6a16f15c214c5fc79155ed1d7007f67fe86d4562

SHA256
4b2da0c9aaef288b62f888fac0f639979b292b869d285fefd0b6eca5386ca6fb

SHA512
58001e71a4db4035c55f52dca3615429055fd6910e537673e50ca8c7b583741fa02d024001545ed0f86de2e0597cd5187d25a4fe7f89e8bbb1b7168b3b6141e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
295f1252e098df24f3740ca8ff230736

SHA1
34e410abc41c66b6e0986d6c7e4a2fab8b49cfe0

SHA256
a53bc58619c1e49b61518e40e31100ef2a2153a05887f657879d31c6302e3075

SHA512
6602d65d25328f53bea0a93769a616f859cf18e0c5177cdb835ebe3c14cf86a80f6f73a6a49bddb8950280d0b2abf2bf92b2be3825a85480f6d0069eb4a8f28a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
132785aaf684f3ed5bd375122e8d3897

SHA1
c95d836ed53540d1b8aa36991d05b0bba80c2579

SHA256
b168ec78e4ea6f25b825a89657d5dfdc773b1b960148e1f8e0fc72a11c624e88

SHA512
9c637ad60e621eec65d3ab77300dc28a9f8a8cc628adb8898a008c10278782a5ffa33cd131341021fa2537c5a76a80e155ae71b399ae3f4c5232c2967e78f906

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\files.cab

Filesize
43.4MB

MD5
9f1ce12a6a16d2755d486fdbd2c0f506

SHA1
8082354009566d640b028f1266e0e3bfd2fc333d

SHA256
0bd8fb2d6b28c93dcf4c3badffae9041287221a2db276ff872a78221ac1e0f31

SHA512
bd8d0308e4504c92f9e59f46bafe90ff278218ad858736e32ade76c9d48ff9db83572d972dbd7f269a2d11913c2b2c0e2b6a2c7f37dc5f27d7be45dc323cdbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\files\visapro.exe

Filesize
49.6MB

MD5
53a23a0592e5aab08e0fa996497337f4

SHA1
7c843871ef5debb284915c6c7628d96563e3693e

SHA256
d3f7809ae8ccc194787198cc370952ab22a9b74bcae1e249f840c18798205bc1

SHA512
d21aaae60d62b2c9a1bf52fa4464cefc777ca81e9122aca8989afcf0676f81e39af8f3df405c4cc3b8c68f8a1bcb94adcb60a718f80d63084bb79323f775d321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-05093a5e-e96e-4354-b43d-4dc0ce01f1d7\msiwrapper.ini

Filesize
1KB

MD5
5f4b6d1b5bf3304f6d0eaf65efd180bf

SHA1
53159067da4027d8f45d5baf7899402b74f93a13

SHA256
120e22f6af0c84a925c53f6134983073f649ac070a9a1627ec43732278eed6e8

SHA512
732749160ec61d3486168b7ffbd6bf2f77aa7b4160d82b2a3046be75b3179147c378fc96453ce77704974b6b48a6d5eec87ec0b475ad8c97c3939eae1d0a84fe

Download Submit
C:\Windows\Installer\MSIED7D.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
a5cb6a605e712a994f28f7babc1b4976

SHA1
c8f93aae333e8f7ca957537d4474b8e3ec2a39ec

SHA256
064830d011f37a77961c23f1d494d6dc1d27ec98ec1a110e8600b633b8f6ee48

SHA512
388af9cdd0da3a782dd26104ceeedbac2c58f82ac82987fce5dedcb2c7c220a9ab2ecbd159683822507943a429981a525c1866896639ce9b87bc109ad9d351b0

Download Submit
\??\Volume{85315c9a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{26383583-e288-4d46-92db-e60cd264cdb1}_OnDiskSnapshotProp

Filesize
6KB

MD5
b56caee85de844dfe9ec6ced49eb2ef9

SHA1
fd0c1a1c2a406193415da466a9984a8a8899a38e

SHA256
17ca26e4123042a59dc1d02a0116909b57aca3f3bd5e696b75cc1541d9d9d2c5

SHA512
ef54d0b8b5300d07319adbb789b3410ff3be446d70638420250c1d30087d54593179a6bd415ac9a33b60abde1b8c139dc063063ff52608671121aa3157a840cb

Download Submit
\??\pipe\crashpad_5048_ZYKGFYZDPAJUFBJW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1092-77-0x0000000002CA0000-0x00000000030A0000-memory.dmp

Filesize
4.0MB

Download
memory/1092-78-0x00007FF952040000-0x00007FF952249000-memory.dmp

Filesize
2.0MB

Download
memory/1092-80-0x0000000077250000-0x00000000774A2000-memory.dmp

Filesize
2.3MB

Download
memory/1092-75-0x00000000010B0000-0x00000000010B9000-memory.dmp

Filesize
36KB

Download
memory/1384-72-0x00007FF952040000-0x00007FF952249000-memory.dmp

Filesize
2.0MB

Download
memory/1384-70-0x0000000003810000-0x0000000003C10000-memory.dmp

Filesize
4.0MB

Download
memory/1384-71-0x0000000003810000-0x0000000003C10000-memory.dmp

Filesize
4.0MB

Download
memory/1384-74-0x0000000077250000-0x00000000774A2000-memory.dmp

Filesize
2.3MB

Download