Analysis
max time kernel: 144s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 01:23

Static task: static1
Behavioral task: behavioral1
  Sample: ToDesk (2).exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ToDesk (2).exe
  Resource: win10v2004-20240802-en

General
Target: ToDesk (2).exe
Size: 107.2MB
MD5: 727ef69fd8802a5a9211f1b557674466
SHA1: 2aa7bca568a5d9074181d8a52064d77ad5d2c544
SHA256: d68edaaebc97db012bf9e89cc0f0ae71ad9f44228bd22d2658fa1a44206df381
SHA512: 74c4649854c268a95d6be9dedcf3882947a27c6c0023a4c918439f1ead577f9ba8972ede00565785f100c4bcf308ced177de5f2bff200dcc23603afb9d267ace
SSDEEP: 3145728:EcGbmu6HFehEsw0Zfma2r9N8QfQnJMfQfC64:Vlehdw0Zea2rThfqMfQD4
Malware Config
Signatures
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0008000000023506-50.dat | acprotect
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | ToDesk (2).exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | irsetup.exe
Executes dropped EXE 4 IoCs
pid | Process
1752 | irsetup.exe
3224 | ToDesk (2).exe
4308 | MSI1F50.tmp
1072 | VSpeedClient.exe
Loads dropped DLL 14 IoCs
pid | Process
1752 | irsetup.exe
3224 | ToDesk (2).exe
3224 | ToDesk (2).exe
3224 | ToDesk (2).exe
4740 | MsiExec.exe
4740 | MsiExec.exe
4740 | MsiExec.exe
4740 | MsiExec.exe
1072 | VSpeedClient.exe
1072 | VSpeedClient.exe
1072 | VSpeedClient.exe
1072 | VSpeedClient.exe
1072 | VSpeedClient.exe
1072 | VSpeedClient.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | VSpeedClient.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | VSpeedClient.exe
File opened (read-only) | \??\H: | VSpeedClient.exe
File opened (read-only) | \??\J: | VSpeedClient.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\K: | VSpeedClient.exe
File opened (read-only) | \??\O: | VSpeedClient.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\L: | VSpeedClient.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\G: | VSpeedClient.exe
File opened (read-only) | \??\I: | VSpeedClient.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | VSpeedClient.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\T: | VSpeedClient.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | VSpeedClient.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | VSpeedClient.exe
File opened (read-only) | \??\Q: | VSpeedClient.exe
File opened (read-only) | \??\V: | VSpeedClient.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\R: | VSpeedClient.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | VSpeedClient.exe
File opened (read-only) | \??\U: | VSpeedClient.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\S: | VSpeedClient.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Z: | VSpeedClient.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | VSpeedClient.exe
UPX packed file 6 IoCs
resource | yara_rule
behavioral2/files/0x00070000000234fe-5.dat | upx
behavioral2/memory/1752-12-0x0000000000400000-0x00000000007CB000-memory.dmp | upx
behavioral2/memory/1752-45-0x0000000000400000-0x00000000007CB000-memory.dmp | upx
behavioral2/files/0x0008000000023506-50.dat | upx
behavioral2/memory/3224-54-0x0000000075260000-0x000000007531A000-memory.dmp | upx
behavioral2/memory/3224-83-0x0000000075260000-0x000000007531A000-memory.dmp | upx
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\SSD\SSD\cache_18_0 | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_1 | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_2 | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_3 | msiexec.exe
File created | C:\Program Files\SSD\SSD\cache_18_4 | msiexec.exe
File created | C:\Program Files\SSD\SSD\ddd.exe | msiexec.exe
Drops file in Windows directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\e58196f.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{DE184F30-49FA-4B06-B385-B5885945A7D4} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1F50.tmp | msiexec.exe
File created | C:\Windows\Installer\e58196f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI19BD.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1A6A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1AA9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1AD9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1C13.tmp | msiexec.exe
File created | C:\Windows\Installer\e581973.msi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ToDesk (2).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VSpeedClient.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ToDesk (2).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irsetup.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device 
Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | VSpeedClient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | VSpeedClient.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid | Process
3256 | ipconfig.exe
232 | ipconfig.exe
Modifies data under HKEY_USERS 24 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MSI1F50.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | mmc.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | VSpeedClient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | VSpeedClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MSI1F50.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Settings | mmc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mmc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | VSpeedClient.exe
Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | MSI1F50.tmp
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@mmcbase.dll,-14008 = "Folder" | mmc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | VSpeedClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MSI1F50.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MSI1F50.tmp
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MSI1F50.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mmc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mmc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | VSpeedClient.exe
Modifies registry class 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\LastUsedSource = "n;1;C:\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03F481EDAF9460B43B585B8895547A4D\MainFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Language = "2052" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6436633746B9E645B5569C70BF5CEB5\03F481EDAF9460B43B585B8895547A4D | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Net\1 = "C:\\" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | irsetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03F481EDAF9460B43B585B8895547A4D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6436633746B9E645B5569C70BF5CEB5 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\PackageName = "SSD-ww.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Version = "16777216" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\ProductName = "SSD" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03F481EDAF9460B43B585B8895547A4D\PackageCode = "4E47E257F74BD9E4E975402B96420C3F" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3204 | msiexec.exe
3204 | msiexec.exe
1072 | VSpeedClient.exe
1072 | VSpeedClient.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4240 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4240 | msiexec.exe
Token: SeSecurityPrivilege | 3204 | msiexec.exe
Token: SeCreateTokenPrivilege | 4240 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4240 | msiexec.exe
Token: SeLockMemoryPrivilege | 4240 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4240 | msiexec.exe
Token: SeMachineAccountPrivilege | 4240 | msiexec.exe
Token: SeTcbPrivilege | 4240 | msiexec.exe
Token: SeSecurityPrivilege | 4240 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4240 | msiexec.exe
Token: SeLoadDriverPrivilege | 4240 | msiexec.exe
Token: SeSystemProfilePrivilege | 4240 | msiexec.exe
Token: SeSystemtimePrivilege | 4240 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4240 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4240 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4240 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4240 | msiexec.exe
Token: SeBackupPrivilege | 4240 | msiexec.exe
Token: SeRestorePrivilege | 4240 | msiexec.exe
Token: SeShutdownPrivilege | 4240 | msiexec.exe
Token: SeDebugPrivilege | 4240 | msiexec.exe
Token: SeAuditPrivilege | 4240 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4240 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4240 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4240 | msiexec.exe
Token: SeUndockPrivilege | 4240 | msiexec.exe
Token: SeSyncAgentPrivilege | 4240 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4240 | msiexec.exe
Token: SeManageVolumePrivilege | 4240 | msiexec.exe
Token: SeImpersonatePrivilege | 4240 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4240 | msiexec.exe
Token: SeBackupPrivilege | 4064 | vssvc.exe
Token: SeRestorePrivilege | 4064 | vssvc.exe
Token: SeAuditPrivilege | 4064 | vssvc.exe
Token: SeBackupPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeBackupPrivilege | 1804 | srtasks.exe
Token: SeRestorePrivilege | 1804 | srtasks.exe
Token: SeSecurityPrivilege | 1804 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1804 | srtasks.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3204 | msiexec.exe
Token: SeRestorePrivilege | 3204 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4240 | msiexec.exe
4240 | msiexec.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1752 | irsetup.exe
1752 | irsetup.exe
1420 | mmc.exe
1420 | mmc.exe
1072 | VSpeedClient.exe
Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target
PID 2652 wrote to memory of 1752 | 2652 | ToDesk (2).exe | 84
PID 2652 wrote to memory of 1752 | 2652 | ToDesk (2).exe | 84
PID 2652 wrote to memory of 1752 | 2652 | ToDesk (2).exe | 84
PID 1752 wrote to memory of 4240 | 1752 | irsetup.exe | 86
PID 1752 wrote to memory of 4240 | 1752 | irsetup.exe | 86
PID 1752 wrote to memory of 4240 | 1752 | irsetup.exe | 86
PID 1752 wrote to memory of 3224 | 1752 | irsetup.exe | 87
PID 1752 wrote to memory of 3224 | 1752 | irsetup.exe | 87
PID 1752 wrote to memory of 3224 | 1752 | irsetup.exe | 87
PID 3204 wrote to memory of 1804 | 3204 | msiexec.exe | 95
PID 3204 wrote to memory of 1804 | 3204 | msiexec.exe | 95
PID 3204 wrote to memory of 4740 | 3204 | msiexec.exe | 98
PID 3204 wrote to memory of 4740 | 3204 | msiexec.exe | 98
PID 3204 wrote to memory of 4740 | 3204 | msiexec.exe | 98
PID 3204 wrote to memory of 4308 | 3204 | msiexec.exe | 100
PID 3204 wrote to memory of 4308 | 3204 | msiexec.exe | 100
PID 4308 wrote to memory of 1940 | 4308 | MSI1F50.tmp | 102
PID 4308 wrote to memory of 1940 | 4308 | MSI1F50.tmp | 102
PID 1940 wrote to memory of 3256 | 1940 | cmd.exe | 104
PID 1940 wrote to memory of 3256 | 1940 | cmd.exe | 104
PID 4308 wrote to memory of 2292 | 4308 | MSI1F50.tmp | 105
PID 4308 wrote to memory of 2292 | 4308 | MSI1F50.tmp | 105
PID 4308 wrote to memory of 400 | 4308 | MSI1F50.tmp | 109
PID 4308 wrote to memory of 400 | 4308 | MSI1F50.tmp | 109
PID 400 wrote to memory of 3652 | 400 | cmd.exe | 111
PID 400 wrote to memory of 3652 | 400 | cmd.exe | 111
PID 400 wrote to memory of 5100 | 400 | cmd.exe | 112
PID 400 wrote to memory of 5100 | 400 | cmd.exe | 112
PID 400 wrote to memory of 3796 | 400 | cmd.exe | 113
PID 400 wrote to memory of 3796 | 400 | cmd.exe | 113
PID 4308 wrote to memory of 3464 | 4308 | MSI1F50.tmp | 114
PID 4308 wrote to memory of 3464 | 4308 | MSI1F50.tmp | 114
PID 1420 wrote to memory of 1072 | 1420 | mmc.exe | 118
PID 1420 wrote to memory of 1072 | 1420 | mmc.exe | 118
PID 1420 wrote to memory of 1072 | 1420 | mmc.exe | 118
PID 1072 wrote to memory of 4376 | 1072 | VSpeedClient.exe | 120
PID 1072 wrote to memory of 4376 | 1072 | VSpeedClient.exe | 120
PID 1072 wrote to memory of 4376 | 1072 | VSpeedClient.exe | 120
PID 4376 wrote to memory of 232 | 4376 | cmd.exe | 122
PID 4376 wrote to memory of 232 | 4376 | cmd.exe | 122
PID 4376 wrote to memory of 232 | 4376 | cmd.exe | 122
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\ToDesk (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ToDesk (2).exe"
  PID: 2652
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - Process: C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\ToDesk (2).exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2392887640-1187051047-2909758433-1000"
    PID: 1752
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\SSD-ww.msi"
      PID: 4240
      Signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
    - Process: C:\ToDesk (2).exe
      Command line: "C:\ToDesk (2).exe"
      PID: 3224
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- Process: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3204
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Process: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1804
    Signatures: Suspicious use of AdjustPrivilegeToken
  - Process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2E87AF80433204628BE47F710E8606BB
    PID: 4740
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - Process: C:\Windows\Installer\MSI1F50.tmp
    Command line: "C:\Windows\Installer\MSI1F50.tmp"
    PID: 4308
    Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
      PID: 1940
      Signatures: Suspicious use of WriteProcessMemory
      - Process: C:\Windows\system32\ipconfig.exe
        Command line: ipconfig /all
        PID: 3256
        Signatures: Gathers network information
    - Process: C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\208l4.xml
      PID: 2292
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - Process: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\FAmZ4.bat"
      PID: 400
      Signatures: Suspicious use of WriteProcessMemory
      - Process: C:\Windows\system32\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        PID: 3652
        Signatures: UAC bypass
      - Process: C:\Windows\system32\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        PID: 5100
        Signatures: UAC bypass
      - Process: C:\Windows\system32\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        PID: 3796
        Signatures: UAC bypass
    - Process: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\O9czX\2uS67~ww\p+C:\Users\Public\Pictures\O9czX\2uS67~ww\w C:\Users\Public\Pictures\O9czX\2uS67~ww\StreamEngine.dll
      PID: 3464
- Process: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4064
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- Process: C:\Windows\system32\mmc.exe
  Command line: C:\Windows\system32\mmc.exe -Embedding
  PID: 1420
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Process: C:\Users\Public\Pictures\O9czX\2uS67~ww\VSpeedClient.exe
    Command line: "C:\Users\Public\Pictures\O9czX\2uS67~ww\VSpeedClient.exe"
    PID: 1072
    Signatures: Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Checks processor information in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
      PID: 4376
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /all
        PID: 232
        Signatures: System Location Discovery: System Language Discovery; Gathers network information
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (1)
Downloads