chaos | 2b685da51e11e912a197f6b099cc129ea596e0a17e1acda327a14da2f29cc14d

Analysis

max time kernel
38s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

886KB
MD5

5de66177f354c6897c28610c4f7bae57
SHA1

e8ad1bee7ca5c991d1837eb59d0c9b4033e055bf
SHA256

2b685da51e11e912a197f6b099cc129ea596e0a17e1acda327a14da2f29cc14d
SHA512

a4b7044c28e0ead07ade9325de64e0e1e9069d27ab4d228df4acc84952a9c9f7e05e04cdae7adb05322e413756cf906163ccf728564258ad21d558da1da471e0
SSDEEP

24576:pIRvCHulB7EdTNb8aJFWKtJ8Bx2BIQPGfK9wNJnkSDSvmEF:pIRvCOlBOF8aJFWKtJ8Bx2BXSK6NJ

Score

10^/10

chaos xworm defense_evasion discovery execution impact persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

nohicsq.localto.net:3985

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.00138959 BTC Bitcoin Address: bc1q7njx7z489vx9444agzf759u4q46vfgtydzwyll

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3556-2842-0x000000001C040000-0x000000001C04C000-memory.dmp	family_chaos
behavioral1/memory/1364-2855-0x00000000007D0000-0x00000000007DC000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Local\Temp\bjpdgm.exe	family_chaos

Chaos family
chaos

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/3556-80-0x000000001C260000-0x000000001C26E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\XClient.exe	family_xworm
behavioral1/memory/3556-24-0x00000000001D0000-0x00000000001E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Output.exeXClient.exeBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FluxusV1.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FluxusV1.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

XClient.exeBootstrapper.exe

pid process

3556 XClient.exe
628 Bootstrapper.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid process

760 MsiExec.exe
760 MsiExec.exe
4596 MsiExec.exe
4596 MsiExec.exe
4596 MsiExec.exe
4596 MsiExec.exe
4596 MsiExec.exe
4556 MsiExec.exe
4556 MsiExec.exe

pid	process
3556	XClient.exe
628	Bootstrapper.exe

pid	process
760	MsiExec.exe
760	MsiExec.exe
4596	MsiExec.exe
4596	MsiExec.exe
4596	MsiExec.exe
4596	MsiExec.exe
4596	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FluxusV1 = "C:\\Users\\Admin\\AppData\\Roaming\\FluxusV1.2"	XClient.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

46 1748 msiexec.exe
48 1748 msiexec.exe

flow	pid	process
46	1748	msiexec.exe
48	1748	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

66 pastebin.com
67 pastebin.com

flow	ioc
66	pastebin.com
67	pastebin.com

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\rollup.config.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\memoization.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-dist-tag.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\npmrc	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\safe-buffer\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\remote.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-filename\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\index.mjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\http-proxy-agent\dist\agent.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-org.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\npmrc.5	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\satisfies.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\edge.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\color.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-bugs.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\utility.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\brace-expansion\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\CONTRIBUTING.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\link-mans.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\json-parse-even-better-errors\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-restart.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\example\basic.png	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\removal.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\content\read.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\access.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\dist\parse-proxy-response.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\oidc.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\transform.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\registry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\set-blocking\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\which\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\graceful-fs\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\length.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-license\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\encoding\lib\encoding.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\convert\xml.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\check-response.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\shrinkwrap.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\emacs\gyp-tests.el	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\API.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-publish.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\bin\nopt.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\tag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\log-shim.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\pnpx.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\.npmrc	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cmd-shim\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\has-unicode\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\smart-buffer\build\smartbuffer.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\docs\Updating-npm-bundled-node-gyp.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\.github\ISSUE_TEMPLATE.md	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIB95D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB98E.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID885.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC19.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC017.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC586.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID855.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID14.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b6ec.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b6ec.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB98D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wevtutil.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1004 ipconfig.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

1988 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings OpenWith.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5000 NOTEPAD.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4528 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

XClient.exeBootstrapper.exemsiexec.exe

pid process

3556 XClient.exe
628 Bootstrapper.exe
628 Bootstrapper.exe
628 Bootstrapper.exe
1748 msiexec.exe
1748 msiexec.exe

pid	process
1004	ipconfig.exe

pid	process
1988	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe

pid	process
5000	NOTEPAD.EXE

pid	process
4528	schtasks.exe

pid	process
3556	XClient.exe
628	Bootstrapper.exe
628	Bootstrapper.exe
628	Bootstrapper.exe
1748	msiexec.exe
1748	msiexec.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

XClient.exeBootstrapper.exemsiexec.exemsiexec.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	3556	XClient.exe
Token: SeDebugPrivilege	3556	XClient.exe
Token: SeDebugPrivilege	628	Bootstrapper.exe
Token: SeShutdownPrivilege	2832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2832	msiexec.exe
Token: SeSecurityPrivilege	1748	msiexec.exe
Token: SeCreateTokenPrivilege	2832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2832	msiexec.exe
Token: SeLockMemoryPrivilege	2832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2832	msiexec.exe
Token: SeMachineAccountPrivilege	2832	msiexec.exe
Token: SeTcbPrivilege	2832	msiexec.exe
Token: SeSecurityPrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeLoadDriverPrivilege	2832	msiexec.exe
Token: SeSystemProfilePrivilege	2832	msiexec.exe
Token: SeSystemtimePrivilege	2832	msiexec.exe
Token: SeProfSingleProcessPrivilege	2832	msiexec.exe
Token: SeIncBasePriorityPrivilege	2832	msiexec.exe
Token: SeCreatePagefilePrivilege	2832	msiexec.exe
Token: SeCreatePermanentPrivilege	2832	msiexec.exe
Token: SeBackupPrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeShutdownPrivilege	2832	msiexec.exe
Token: SeDebugPrivilege	2832	msiexec.exe
Token: SeAuditPrivilege	2832	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2832	msiexec.exe
Token: SeChangeNotifyPrivilege	2832	msiexec.exe
Token: SeRemoteShutdownPrivilege	2832	msiexec.exe
Token: SeUndockPrivilege	2832	msiexec.exe
Token: SeSyncAgentPrivilege	2832	msiexec.exe
Token: SeEnableDelegationPrivilege	2832	msiexec.exe
Token: SeManageVolumePrivilege	2832	msiexec.exe
Token: SeImpersonatePrivilege	2832	msiexec.exe
Token: SeCreateGlobalPrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeSecurityPrivilege	3768	wevtutil.exe
Token: SeBackupPrivilege	3768	wevtutil.exe
Token: SeSecurityPrivilege	4324	wevtutil.exe
Token: SeBackupPrivilege	4324	wevtutil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

XClient.exeOpenWith.exe

pid process

3556 XClient.exe
4708 OpenWith.exe

pid	process
3556	XClient.exe
4708	OpenWith.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Output.exeBootstrapper.execmd.exeXClient.exemsiexec.exeMsiExec.exewevtutil.exe

description	pid	process	target process
PID 3588 wrote to memory of 3556	3588	Output.exe	XClient.exe
PID 3588 wrote to memory of 3556	3588	Output.exe	XClient.exe
PID 3588 wrote to memory of 628	3588	Output.exe	Bootstrapper.exe
PID 3588 wrote to memory of 628	3588	Output.exe	Bootstrapper.exe
PID 628 wrote to memory of 4868	628	Bootstrapper.exe	cmd.exe
PID 628 wrote to memory of 4868	628	Bootstrapper.exe	cmd.exe
PID 4868 wrote to memory of 1004	4868	cmd.exe	ipconfig.exe
PID 4868 wrote to memory of 1004	4868	cmd.exe	ipconfig.exe
PID 3556 wrote to memory of 4528	3556	XClient.exe	schtasks.exe
PID 3556 wrote to memory of 4528	3556	XClient.exe	schtasks.exe
PID 628 wrote to memory of 2832	628	Bootstrapper.exe	msiexec.exe
PID 628 wrote to memory of 2832	628	Bootstrapper.exe	msiexec.exe
PID 1748 wrote to memory of 760	1748	msiexec.exe	MsiExec.exe
PID 1748 wrote to memory of 760	1748	msiexec.exe	MsiExec.exe
PID 1748 wrote to memory of 4596	1748	msiexec.exe	MsiExec.exe
PID 1748 wrote to memory of 4596	1748	msiexec.exe	MsiExec.exe
PID 1748 wrote to memory of 4596	1748	msiexec.exe	MsiExec.exe
PID 1748 wrote to memory of 4556	1748	msiexec.exe	MsiExec.exe
PID 1748 wrote to memory of 4556	1748	msiexec.exe	MsiExec.exe
PID 1748 wrote to memory of 4556	1748	msiexec.exe	MsiExec.exe
PID 4556 wrote to memory of 3768	4556	MsiExec.exe	wevtutil.exe
PID 4556 wrote to memory of 3768	4556	MsiExec.exe	wevtutil.exe
PID 4556 wrote to memory of 3768	4556	MsiExec.exe	wevtutil.exe
PID 3768 wrote to memory of 4324	3768	wevtutil.exe	wevtutil.exe
PID 3768 wrote to memory of 4324	3768	wevtutil.exe	wevtutil.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FluxusV1" /tr "C:\Users\Admin\AppData\Roaming\FluxusV1.2"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4528
- - C:\Users\Admin\AppData\Local\Temp\bjpdgm.exe
    "C:\Users\Admin\AppData\Local\Temp\bjpdgm.exe"
    3⤵
    PID:1364
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      PID:2544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        
        PID:2772
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:1988
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:3320
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5000
- C:\Users\Admin\AppData\Roaming\Bootstrapper.exe
  "C:\Users\Admin\AppData\Roaming\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1004
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\ProgramData\Solara\Solara.exe
    "C:\ProgramData\Solara\Solara.exe"
    3⤵
    PID:2676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E34D5AF6EF19968ADCAD27B99D7EAB3E
  2⤵
  - Loads dropped DLL
  PID:760
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 92CF49163857A2CF5C3DAD52705B8A37
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC2670FABA143873C182B87D6B08979F E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\FluxusV1.2"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:1000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\FluxusV1.2"
1⤵
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b6ef.rbs

Filesize
1.0MB

MD5
0d9a382369cb98051a9035088fb2f471

SHA1
9a26691256aeb893ded97e693c6ba1e7af8a49ee

SHA256
40c93a27091f5fedfb40e74ce36cad7e97158ade6b34c627ad593172402469ea

SHA512
43178e047a2267d7b506a2dc107577ea14d83e47d63ff1554a3103421a50ab378b3fed7e01bbd867f68d613c52d9583b1580c7970a667a9d24219de6bcdfc1b7

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjpdgm.exe

Filesize
23KB

MD5
c6eb3aad7a5ba437d2e39c44d645aed2

SHA1
87b24045539b8db9ead35e462aef513602743ded

SHA256
78529452630857c2edc60a55dd41771617d0c9e99d2cf276e39a5288f55160c8

SHA512
cede2ff722843666b0f8cfcc3aa12f1f946b430d0db813afff326a1b4d9df9568e6843913bd9ee8497f312b3cad67f21e538786196e443239d2b8eb5efe92127

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Roaming\Bootstrapper.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FluxusV1.lnk

Filesize
766B

MD5
b8ca4606b39a303f3c0d6ba8584f10a0

SHA1
cdd8fba038a3a3cc93dfeed53c75468477f1652f

SHA256
678cb6fdc0083ff31a61bed41f036d0617ceed034c35bb70c1e24ce5ff57541e

SHA512
18209f2a01f094902db9b39f23f0fb4ad0620afc4acf0a97ef2d09268f9bf6d2d69be9c050e635e501070b3fdb1e31a3d6ca8d82bf131801ae21596b72e1a6bd

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
73KB

MD5
06df71794e08473f20b46aa17c389269

SHA1
149aaa1816a59e05d55806ec88adb75e7ccf079a

SHA256
c0d08afc1dbcf3572160019c5074e5c58010205d158c9b2da1b2b7e86a465321

SHA512
f772aab2f848914e19bb6061a52fdaf3da2ccd5d3baabd6ed99c52edc73cdafc6fc0bbcd91e9cb17083da51bcba1f4f5b8a5005531141ce0c04d414aa0b018b0

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
965B

MD5
8405ca5488c5d8321e070794dd06f485

SHA1
104adc71cd3ca7924ccdc36a8d607eb8b45f0bf8

SHA256
e4cf6fbdc212d4b92cf3503cc1c38dd72eed77221b28e1e43b0fa5e8128dc2bf

SHA512
b24b0e14b09a1e7b796292b550b367e8e1bde7be9fcb4c7715f70bdb7b519d0fd6b2a8e780fdb71c219d2cb1818cc2856678c93f6e648e588236f4247ccd8e96

Download Submit
C:\Windows\Installer\MSIB98D.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIB98E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIC586.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Installer\e57b6f0.msi

Filesize
16.3MB

MD5
b29d15eb1d5208c5a9c048ceece4d894

SHA1
ab14539dfdfdf8f0431c3d0407843b9ac6d58651

SHA256
fda260ebff7ee48977ac5a8bceab6dcf35f034d9da77b1674e0db1547cbe2700

SHA512
0f36bc010ad6f754aa6d0adae0da0718a5f2f97113fba30fcee02c7b8e5eb4137f532bd4843f50b0d37209d2acc60c2ba843cc67ef369684d5136bb3ea5af4b6

Download Submit
memory/628-2416-0x000001C0D3A80000-0x000001C0D3A8A000-memory.dmp

Filesize
40KB

Download
memory/628-2841-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/628-27-0x000001C0B91B0000-0x000001C0B927E000-memory.dmp

Filesize
824KB

Download
memory/628-28-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/628-36-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/628-35-0x000001C0D3A30000-0x000001C0D3A52000-memory.dmp

Filesize
136KB

Download
memory/628-2418-0x000001C0D5880000-0x000001C0D5892000-memory.dmp

Filesize
72KB

Download
memory/1364-2855-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/2676-2837-0x000001FC4EDC0000-0x000001FC4EE7A000-memory.dmp

Filesize
744KB

Download
memory/2676-2836-0x000001FC4F210000-0x000001FC4F74C000-memory.dmp

Filesize
5.2MB

Download
memory/2676-2834-0x000001FC345E0000-0x000001FC34604000-memory.dmp

Filesize
144KB

Download
memory/2676-2840-0x000001FC4EE80000-0x000001FC4EF32000-memory.dmp

Filesize
712KB

Download
memory/3556-38-0x000000001ADC0000-0x000000001ADCC000-memory.dmp

Filesize
48KB

Download
memory/3556-37-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/3556-32-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/3556-80-0x000000001C260000-0x000000001C26E000-memory.dmp

Filesize
56KB

Download
memory/3556-2842-0x000000001C040000-0x000000001C04C000-memory.dmp

Filesize
48KB

Download
memory/3556-34-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/3556-26-0x00007FFD146C0000-0x00007FFD15181000-memory.dmp

Filesize
10.8MB

Download
memory/3556-24-0x00000000001D0000-0x00000000001E8000-memory.dmp

Filesize
96KB

Download
memory/3588-0-0x00007FFD146C3000-0x00007FFD146C5000-memory.dmp

Filesize
8KB

Download
memory/3588-1-0x0000000000CD0000-0x0000000000DB4000-memory.dmp

Filesize
912KB

Download