Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 04:28
Static task: static1
Behavioral task: behavioral1
Sample: WPS Office_104693057_401535.msi
Resource: win7-20240708-en
General
Target: WPS Office_104693057_401535.msi
Size: 15.4MB
MD5: ca9086b9f4e1cbfae86204a0e2cbea07
SHA1: 4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15
SHA256: 21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2
SHA512: b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984
SSDEEP: 393216:WAxJ3qt2MkEOEsQ+D8PjbtTBQqc4dq47aJ7IKw9M38hoTjZ5Uu0H:WU3o2NNjgrpFQq3dd7aJkvFhoTrV0H
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/2560-87-0x000000002C2F0000-0x000000002C4AB000-memory.dmp | purplefox_rootkit
behavioral2/memory/2560-89-0x000000002C2F0000-0x000000002C4AB000-memory.dmp | purplefox_rootkit
behavioral2/memory/2560-90-0x000000002C2F0000-0x000000002C4AB000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 3 IoCs
resource | yara_rule
behavioral2/memory/2560-87-0x000000002C2F0000-0x000000002C4AB000-memory.dmp | family_gh0strat
behavioral2/memory/2560-89-0x000000002C2F0000-0x000000002C4AB000-memory.dmp | family_gh0strat
behavioral2/memory/2560-90-0x000000002C2F0000-0x000000002C4AB000-memory.dmp | family_gh0strat
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: bDOnhmOcYL12.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: bDOnhmOcYL12.exe File opened (read-only) \??\R: bDOnhmOcYL12.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: bDOnhmOcYL12.exe File opened (read-only) \??\P: bDOnhmOcYL12.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: bDOnhmOcYL12.exe File opened (read-only) \??\Q: bDOnhmOcYL12.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: bDOnhmOcYL12.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: bDOnhmOcYL12.exe File opened (read-only) \??\M: bDOnhmOcYL12.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: bDOnhmOcYL12.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: bDOnhmOcYL12.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) 
\??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: bDOnhmOcYL12.exe File opened (read-only) \??\T: bDOnhmOcYL12.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\O: bDOnhmOcYL12.exe File opened (read-only) \??\W: bDOnhmOcYL12.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\X: bDOnhmOcYL12.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: bDOnhmOcYL12.exe File opened (read-only) \??\L: bDOnhmOcYL12.exe File opened (read-only) \??\Y: bDOnhmOcYL12.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: bDOnhmOcYL12.exe -
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | EXCEL.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | EXCEL.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | EXCEL.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | EXCEL.EXE
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | C:\Program Files\ImproveScoutGenerous\node.dll | msiexec.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.wrapper.log | HMeBxhzrchEW.exe
File created | C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe | msiexec.exe
File created | C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH | msiexec.exe
File created | C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe | hdeQkiPuSHUY.exe
File created | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous | bDOnhmOcYL12.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.wrapper.log | HMeBxhzrchEW.exe
File created | C:\Program Files\ImproveScoutGenerous\xlsx.xlsx | msiexec.exe
File created | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.xml | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.xml | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.wrapper.log | HMeBxhzrchEW.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e57e927.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57e927.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{D4B5167E-8259-4CE2-9855-CF0E16C773B0} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEA12.tmp | msiexec.exe
File created | C:\Windows\Installer\e57e929.msi | msiexec.exe
Executes dropped EXE 7 IoCs
pid | Process
2392 | hdeQkiPuSHUY.exe
1732 | bDOnhmOcYL12.exe
3732 | HMeBxhzrchEW.exe
5024 | HMeBxhzrchEW.exe
4040 | HMeBxhzrchEW.exe
3548 | bDOnhmOcYL12.exe
2560 | bDOnhmOcYL12.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdeQkiPuSHUY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bDOnhmOcYL12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bDOnhmOcYL12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bDOnhmOcYL12.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bDOnhmOcYL12.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | bDOnhmOcYL12.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations\Location4 EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Extensions\xls = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.12527&crev=3\Last = "0" EXCEL.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\964\0 = 0b0e10f58de7c1bdc6e64cb5d26895578af03523004691fde9f5d8e2c2ed016a0410240044ef616482a001008500a907556e6b6e6f776ec9062e225356466a38324f366d3157684631586f783930566f6b575a6c4c56565475494c4d54516a6b6f356e746f633d22ca0d420100c50e8908c9100378363400 EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations\Location1 EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\msacm.imaadpcm\MaxRTDecodeSetting = "6" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\PowerPoint\Security\Trusted Locations\Location1 EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\TYPE4 = "application/msword" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData\ChunkCount = "uint64_t|13" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\UILanguageTag = "en-us" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations\Location2\Path = "%APPDATA%\\Microsoft\\Word\\Startup" EXCEL.EXE Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Font Mapping\Arial = "Helvetica" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData\ChunkCount = "uint64_t|12" EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\General\FileFormatBallotBoxAppIDBootedOnce = "1" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\PowerPoint\Security\Trusted Locations\Location0\Description = "8" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\Common\CrashPersistence EXCEL.EXE Key created \Registry\User\.Default\Software\Netscape\Netscape Navigator\Suffixes EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations\Location2\Description = "5" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Font Mapping\Chicago = "Arial" EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\OverridePointerMode = "1" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\Common\ClientTelemetry\Sampling EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations\Location3 EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Font Mapping\Pica = "Roman 10cpi" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Roaming\BuildProvisioned = "(16.0.12527)" EXCEL.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\ProtocolExecute\excel\WarnOnOpen = "0" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor\ULSAllCategories = "10" EXCEL.EXE Set 
value (str) \REGISTRY\USER\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers\application/pot = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\POWERPNT.EXE" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\urn:schemas-microsoft-com:office:smarttags#phone EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Font Mapping\Letter Gothic = "Courier New" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4} EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\General\Actors = "Actors" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\General\MyPictures = "My Pictures" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\User Settings\OneNoteToIEAddin EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}\4 = "0" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\General\Startup = "STARTUP" EXCEL.EXE
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" bDOnhmOcYL12.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\ODBC\ODBC.INI\ODBC Data Sources\dBASE Files = "Microsoft Access dBASE Driver (*.dbf, *.ndx, *.mdx)" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Shared Tools EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\urn:schemas-microsoft-com:office:smarttags#phone\XLMAIN = "2" EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Experiment\excel\SubscriptionCustomerLicenseInfo = "0" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\User Settings\PowerPivotExcelAddin EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Common\Migration\Excel EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Netscape\Netscape Navigator\Suffixes\application/ppt = "PPT" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Excel\Security\Trusted 
Locations\Location2 EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word\Large Icon = "[13]" EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Common\Roaming\Identities EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\16.0\Common\ExperimentEcs\excel\Overrides EXCEL.EXE Key created \Registry\User\.Default\Software\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesService EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Font Mapping\Monotype Sorts = "ZapfDingbats" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Font Mapping\Times Roman = "Times New Roman" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared Tools\Font Mapping\Zapf Chancery = "Monotype Corsiva" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\PerpetualLicenseInfo = "std::wstring|2016" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\LicenseCategoryInfo = "std::wstring|3" EXCEL.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData\ChunkCount = "uint64_t|4" EXCEL.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\ODBC\ODBC.INI\dBASE Files\Engines\Xbase\Threads = "3" EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\ODBC\ODBC.INI\Excel Files\UID EXCEL.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\PowerPoint\Security\Trusted Locations\Location3\Description = "11" EXCEL.EXE -
Modifies registry class 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E7615B4D95282EC48955FCE0617C370B\ProductFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\PackageCode = "AF348A689A608BD48AB3AAADE413931C" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6AC22BE4B23DFEC45BB98FF5AC3DB9CF msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E7615B4D95282EC48955FCE0617C370B msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Version = "50593801" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6AC22BE4B23DFEC45BB98FF5AC3DB9CF\E7615B4D95282EC48955FCE0617C370B msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Media msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\DeploymentFlags = "3" msiexec.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\ProductName = "ImproveScoutGenerous" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\PackageName = "WPS Office_104693057_401535.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Media\1 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
964 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3368 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3368 msiexec.exe
Token: SeSecurityPrivilege 1600 msiexec.exe
Token: SeCreateTokenPrivilege 3368 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3368 msiexec.exe
Token: SeLockMemoryPrivilege 3368 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3368 msiexec.exe
Token: SeMachineAccountPrivilege 3368 msiexec.exe
Token: SeTcbPrivilege 3368 msiexec.exe
Token: SeSecurityPrivilege 3368 msiexec.exe
Token: SeTakeOwnershipPrivilege 3368 msiexec.exe
Token: SeLoadDriverPrivilege 3368 msiexec.exe
Token: SeSystemProfilePrivilege 3368 msiexec.exe
Token: SeSystemtimePrivilege 3368 msiexec.exe
Token: SeProfSingleProcessPrivilege 3368 msiexec.exe
Token: SeIncBasePriorityPrivilege 3368 msiexec.exe
Token: SeCreatePagefilePrivilege 3368 msiexec.exe
Token: SeCreatePermanentPrivilege 3368 msiexec.exe
Token: SeBackupPrivilege 3368 msiexec.exe
Token: SeRestorePrivilege 3368 msiexec.exe
Token: SeShutdownPrivilege 3368 msiexec.exe
Token: SeDebugPrivilege 3368 msiexec.exe
Token: SeAuditPrivilege 3368 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3368 msiexec.exe
Token: SeChangeNotifyPrivilege 3368 msiexec.exe
Token: SeRemoteShutdownPrivilege 3368 msiexec.exe
Token: SeUndockPrivilege 3368 msiexec.exe
Token: SeSyncAgentPrivilege 3368 msiexec.exe
Token: SeEnableDelegationPrivilege 3368 msiexec.exe
Token: SeManageVolumePrivilege 3368 msiexec.exe
Token: SeImpersonatePrivilege 3368 msiexec.exe
Token: SeCreateGlobalPrivilege 3368 msiexec.exe
Token: SeBackupPrivilege 3716 vssvc.exe
Token: SeRestorePrivilege 3716 vssvc.exe
Token: SeAuditPrivilege 3716 vssvc.exe
Token: SeBackupPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeBackupPrivilege 4596 srtasks.exe
Token: SeRestorePrivilege 4596 srtasks.exe
Token: SeSecurityPrivilege 4596 srtasks.exe
Token: SeTakeOwnershipPrivilege 4596 srtasks.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Token: SeTakeOwnershipPrivilege 1600 msiexec.exe
Token: SeRestorePrivilege 1600 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
3368 msiexec.exe
3368 msiexec.exe
Suspicious use of SetWindowsHookEx 15 IoCs
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 1600 wrote to memory of 4596 1600 msiexec.exe 94
PID 1600 wrote to memory of 4596 1600 msiexec.exe 94
PID 1600 wrote to memory of 2940 1600 msiexec.exe 96
PID 1600 wrote to memory of 2940 1600 msiexec.exe 96
PID 1600 wrote to memory of 2940 1600 msiexec.exe 96
PID 2940 wrote to memory of 2392 2940 MsiExec.exe 97
PID 2940 wrote to memory of 2392 2940 MsiExec.exe 97
PID 2940 wrote to memory of 2392 2940 MsiExec.exe 97
PID 2940 wrote to memory of 1732 2940 MsiExec.exe 99
PID 2940 wrote to memory of 1732 2940 MsiExec.exe 99
PID 2940 wrote to memory of 1732 2940 MsiExec.exe 99
PID 2940 wrote to memory of 964 2940 MsiExec.exe 100
PID 2940 wrote to memory of 964 2940 MsiExec.exe 100
PID 2940 wrote to memory of 964 2940 MsiExec.exe 100
PID 4040 wrote to memory of 3548 4040 HMeBxhzrchEW.exe 106
PID 4040 wrote to memory of 3548 4040 HMeBxhzrchEW.exe 106
PID 4040 wrote to memory of 3548 4040 HMeBxhzrchEW.exe 106
PID 3548 wrote to memory of 2560 3548 bDOnhmOcYL12.exe 107
PID 3548 wrote to memory of 2560 3548 bDOnhmOcYL12.exe 107
PID 3548 wrote to memory of 2560 3548 bDOnhmOcYL12.exe 107
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; children are indented under their parent)

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\WPS Office_104693057_401535.msi"
PID: 3368
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
PID: 1600
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4596
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding E43761466F7AC8F733A4715D4BEA5E5A E Global\MSI0000
    PID: 2940
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe
        "C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe" x "C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH" -o"C:\Program Files\ImproveScoutGenerous\" -pNOcFSwDtYEhVUsSNDuRc -y
        PID: 2392
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe
        "C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe" -number 237 -file file3 -mode mode3 -flag flag3
        PID: 1732
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files\ImproveScoutGenerous\xlsx.xlsx"
        PID: 964
        - Drops file in System32 directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
PID: 3716
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe
"C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe" install
PID: 3732
- Drops file in Program Files directory
- Executes dropped EXE

C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe
"C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe" start
PID: 5024
- Drops file in Program Files directory
- Executes dropped EXE

C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe
"C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe"
PID: 4040
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe
    "C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe" -number 208 -file file3 -mode mode3 -flag flag3
    PID: 3548
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe
        "C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe" -number 362 -file file3 -mode mode3 -flag flag3
        PID: 2560
        - Enumerates connected drives
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads