pikabot | f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5msi.msi
Size

1.5MB
MD5

5ba3dd339379dd640002ca9dee880ce0
SHA1

d68b36f919b3f131f7c25c0d0cfa0ee22f79aa23
SHA256

f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5
SHA512

3527a3f738e084c8522d8976594eb9d3d38642296b9794b6e58ea1a40850c52794e498fb72f997695d12aac800327370edccc2b6fcc97d3d4ab76b1ca4fb66ed
SSDEEP

24576:A5LWW2cDo6vLV15xTHfCIr43Hm2pDA9mtByVcNPEuXggR89g:OKW306vLV15AFGJ9uB0cBRXfp

Score

10^/10

pikabot botnet discovery persistence privilege_escalation

Malware Config

Signatures

Detects PikaBot botnet 7 IoCs

resource	yara_rule
behavioral2/memory/5012-70-0x0000000000F70000-0x0000000000FC3000-memory.dmp	family_pikabot_v2
behavioral2/memory/5012-71-0x0000000000F70000-0x0000000000FC3000-memory.dmp	family_pikabot_v2
behavioral2/memory/5012-75-0x0000000000F70000-0x0000000000FC3000-memory.dmp	family_pikabot_v2
behavioral2/memory/5012-81-0x0000000000F70000-0x0000000000FC3000-memory.dmp	family_pikabot_v2
behavioral2/memory/5012-82-0x0000000000F70000-0x0000000000FC3000-memory.dmp	family_pikabot_v2
behavioral2/memory/5012-83-0x0000000000F70000-0x0000000000FC3000-memory.dmp	family_pikabot_v2
behavioral2/memory/5012-84-0x0000000000F70000-0x0000000000FC3000-memory.dmp	family_pikabot_v2

PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
botnet pikabot

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	3956	msiexec.exe
23	3956	msiexec.exe
26	3956	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3220 set thread context of 5012	3220	rundll32.exe	104

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2AB.tmp	msiexec.exe
File created	C:\Windows\Installer\e580201.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e5801ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AB.tmp-\test.old.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2AB.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2AB.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2AB.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5801ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE9.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4CA16F0E-B63A-4438-8B86-C1E921EB8A67}	msiexec.exe

Loads dropped DLL 9 IoCs

pid	Process
1120	MsiExec.exe
3988	rundll32.exe
3988	rundll32.exe
3988	rundll32.exe
3988	rundll32.exe
3988	rundll32.exe
3988	rundll32.exe
3988	rundll32.exe
3220	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3956	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchFilterHost.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005d98d1691ddd1b040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005d98d1690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005d98d169000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5d98d169000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005d98d16900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4612	msiexec.exe
4612	msiexec.exe
5012	SearchFilterHost.exe
5012	SearchFilterHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
3220	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3956	msiexec.exe
Token: SeSecurityPrivilege	4612	msiexec.exe
Token: SeCreateTokenPrivilege	3956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3956	msiexec.exe
Token: SeLockMemoryPrivilege	3956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3956	msiexec.exe
Token: SeMachineAccountPrivilege	3956	msiexec.exe
Token: SeTcbPrivilege	3956	msiexec.exe
Token: SeSecurityPrivilege	3956	msiexec.exe
Token: SeTakeOwnershipPrivilege	3956	msiexec.exe
Token: SeLoadDriverPrivilege	3956	msiexec.exe
Token: SeSystemProfilePrivilege	3956	msiexec.exe
Token: SeSystemtimePrivilege	3956	msiexec.exe
Token: SeProfSingleProcessPrivilege	3956	msiexec.exe
Token: SeIncBasePriorityPrivilege	3956	msiexec.exe
Token: SeCreatePagefilePrivilege	3956	msiexec.exe
Token: SeCreatePermanentPrivilege	3956	msiexec.exe
Token: SeBackupPrivilege	3956	msiexec.exe
Token: SeRestorePrivilege	3956	msiexec.exe
Token: SeShutdownPrivilege	3956	msiexec.exe
Token: SeDebugPrivilege	3956	msiexec.exe
Token: SeAuditPrivilege	3956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3956	msiexec.exe
Token: SeChangeNotifyPrivilege	3956	msiexec.exe
Token: SeRemoteShutdownPrivilege	3956	msiexec.exe
Token: SeUndockPrivilege	3956	msiexec.exe
Token: SeSyncAgentPrivilege	3956	msiexec.exe
Token: SeEnableDelegationPrivilege	3956	msiexec.exe
Token: SeManageVolumePrivilege	3956	msiexec.exe
Token: SeImpersonatePrivilege	3956	msiexec.exe
Token: SeCreateGlobalPrivilege	3956	msiexec.exe
Token: SeBackupPrivilege	2424	vssvc.exe
Token: SeRestorePrivilege	2424	vssvc.exe
Token: SeAuditPrivilege	2424	vssvc.exe
Token: SeBackupPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3956	msiexec.exe
3956	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4860	4612	msiexec.exe	99
PID 4612 wrote to memory of 4860	4612	msiexec.exe	99
PID 4612 wrote to memory of 1120	4612	msiexec.exe	101
PID 4612 wrote to memory of 1120	4612	msiexec.exe	101
PID 4612 wrote to memory of 1120	4612	msiexec.exe	101
PID 1120 wrote to memory of 3988	1120	MsiExec.exe	102
PID 1120 wrote to memory of 3988	1120	MsiExec.exe	102
PID 1120 wrote to memory of 3988	1120	MsiExec.exe	102
PID 3988 wrote to memory of 3220	3988	rundll32.exe	103
PID 3988 wrote to memory of 3220	3988	rundll32.exe	103
PID 3988 wrote to memory of 3220	3988	rundll32.exe	103
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104
PID 3220 wrote to memory of 5012	3220	rundll32.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f119f1e813cdb8dba30bd3348ef97cd8bf5213b3e1a9f25f008337e8b34eaee5msi.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FA8245D9AC9C5B162B23EEA946F870C3
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI2AB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240649125 2 test.old.cs!Test.CustomActions.MyAction
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp79C.dll",Enter
      4⤵
      Suspicious use of SetThreadContext
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Windows\SysWOW64\SearchFilterHost.exe
        
        "C:\Windows\System32\SearchFilterHost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580200.rbs

Filesize
8KB

MD5
fd8f0f7b8b9b8c8a7a037f415f8be39d

SHA1
9b4ec2ebe42b80d1aab94b5ab4e33470a684027a

SHA256
090e451a7a9b2736e53665d8d92b5da5ffb4aeacad3f6731a7c125a6c0831bdd

SHA512
da5c72ea74e66a8c6e565b3b2e60c48b28a1c8fa3f3f11ee3f8a4640df820db5c92d5b18c0de7a99f26e424190ad3cd711240fcd04b184c64b480467faa5624f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
66KB

MD5
cbd4d81adb8de27a146b030f815c34c0

SHA1
1e613ba4588649f1bfe0b635fa505122309b1a10

SHA256
26387b5d0bace55a16a07ca3ee536e73d9bfde8c47e9871648c34fec87de4b52

SHA512
8154e68df6971177ea006cd7f41f05eea037da1e6d125aacf0df55e2a0c078be597768bfec8211314ddbc2deda69b8221f79f85ad24cb89b8270bea4c661fa97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
e9430360980e2c38d930ac0e91f0c2f6

SHA1
a0542d02dc22290b682af7cca18b2cc360366ec5

SHA256
539e31a690d6d4704bec136d6b0abc7293b678923fbc79d30ecdaa5f1707b6d4

SHA512
75ebbb4d01405814075507ff9b31ff27950bf4788366123c4bfb12f08f90a350a111cca579e46196d4b4f05e0869c476d4206891994b5131160db7777dc42c33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
81a4e8aa208c8532f8cb2306ec751481

SHA1
4e0165c73aab2c512f08334cdd17e80c08ece944

SHA256
4fee701aebdab32d1bed511627fc9b46a765bf6af7f3e5a46167e70812713848

SHA512
11c1914eacd0ca3f61ef3ac8ea704acc04489c9eb65f84465de42fd4fcd70c79d219f1e9352262c4c70a86648350c1e67c8fe34c7e97a25ffa15c756c2d8e9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79C.dll

Filesize
1.1MB

MD5
56573f3b6ec3fc757a9586e5ff4b4fd5

SHA1
08fc58ac9b7da11b70802fe838115e4b4d651bb9

SHA256
2a387ad304d7278ddc83b6a5238cba3106f4474b7fa67972b6cec167422e7756

SHA512
35553ee65127ab50adb5af4efdd41a549d46e0b90735f75de6df2bd5fc37639570fa446b711fd09eb0bec2ee2e0db6c4f3b33aec5e2a260befd832fc449fcc75

Download Submit
C:\Windows\Installer\MSI2AB.tmp

Filesize
386KB

MD5
d1e6f2ac7b55f285bc080a3d8eb9617a

SHA1
1c9c739b227ff40f4d543422e55c30cab95d31d5

SHA256
84b9d246d329c0f7463956a978b782011c30f5ee9bb3e7968f4789c195290202

SHA512
168dcddcf29476522c560996d50a2d830d22177eaaa469d10b0ee217c69deea3ba9a981c42097f672c121224342e6a1ff642dc1170637610f3c7796d1b3734a2

Download Submit
C:\Windows\Installer\MSI2AB.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
4e04a4cb2cf220aecc23ea1884c74693

SHA1
a828c986d737f89ee1d9b50e63c540d48096957f

SHA256
cfed1841c76c9731035ebb61d5dc5656babf1beff6ed395e1c6b85bb9c74f85a

SHA512
c0b850fbc24efad8207a3fcca11217cb52f1d08b14deb16b8e813903fecd90714eb1a4b91b329cf779afff3d90963380f7cfd1555ffc27bd4ac6598c709443c4

Download Submit
C:\Windows\Installer\MSI2AB.tmp-\WixSharp.dll

Filesize
425KB

MD5
ea800f52639d12279a3e602e43a07636

SHA1
e997386cc618aed516169111ba3ca7ceae91783d

SHA256
7eea616ea886145913c13d239f3e0ead58ace3a226e5aa330e67bbdd16673510

SHA512
33d46c6980743eb319b74bf89c300c5b886a960c222efcb2e66339b4eb7467cbf6546deef28a34ab09c4ed2c170efe76f38e4bc724603485e5e776d8e0457ccf

Download Submit
C:\Windows\Installer\MSI2AB.tmp-\test.old.cs.dll

Filesize
13KB

MD5
3b8ed94e66516498a7adaaa3716b6c93

SHA1
b4a62ec489fbbcd1cf3186cba65f3586aaab08aa

SHA256
59befc71c0412fa3d5ffe0432bdca3bb35bfc877c19402fbb41b61753d7f5904

SHA512
6e0c56c1064fae872703262e936df0b2a35e88d9f9e8c7b1a00efe7c50b7afd249ce87e4e1fef5ce65e7b9706ef24c879ae1c2020361ba5b3ced4f485777f2ac

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
86115e85e4bc77dc7784ce12a493ce56

SHA1
1c53477c0b15fe31d449094b2cf61bd211b39f52

SHA256
e222b74f1fdfc8672990de9f9afb88ba207b80195d85720a0bf5b6237eaeb4b3

SHA512
659ca566b3c6d12bb3798dc815f6802b4a0697048c30311740419b6c61eec11b3a8b308f13493ef432d7fb468b4b616a2c3108dbd3f84ab18f71622917634772

Download Submit
\??\Volume{69d1985d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c5dbe687-5dcc-45d9-b74d-98381375d587}_OnDiskSnapshotProp

Filesize
6KB

MD5
004cbc4a54ed594e6b913fc87df95174

SHA1
72f10e752e341fb9fb44c7a526a00dd3a9dc2e92

SHA256
f2006541572b13b180cdb32323cd43611d5940bc44d6d3fc5d95047e5bdeb8c8

SHA512
9a15582ed69c139cfadf6eeb8cb0bf1b6d6667c083b76fa72bd3e229e6f2c086c31fac56fd1fbc9aa377338fe2f86a7d4de63758d29cf53261c0ba9aab73398f

Download Submit
memory/3220-72-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3988-43-0x0000000004910000-0x0000000004980000-memory.dmp

Filesize
448KB

Download
memory/3988-39-0x0000000004820000-0x000000000482A000-memory.dmp

Filesize
40KB

Download
memory/3988-35-0x00000000047E0000-0x000000000480E000-memory.dmp

Filesize
184KB

Download
memory/5012-70-0x0000000000F70000-0x0000000000FC3000-memory.dmp

Filesize
332KB

Download
memory/5012-71-0x0000000000F70000-0x0000000000FC3000-memory.dmp

Filesize
332KB

Download
memory/5012-75-0x0000000000F70000-0x0000000000FC3000-memory.dmp

Filesize
332KB

Download
memory/5012-81-0x0000000000F70000-0x0000000000FC3000-memory.dmp

Filesize
332KB

Download
memory/5012-82-0x0000000000F70000-0x0000000000FC3000-memory.dmp

Filesize
332KB

Download
memory/5012-83-0x0000000000F70000-0x0000000000FC3000-memory.dmp

Filesize
332KB

Download
memory/5012-84-0x0000000000F70000-0x0000000000FC3000-memory.dmp

Filesize
332KB

Download