4315a6afe728ff28580a4c7ef798c47ccd7a438bbf58e97aaffce26b837c7384

Analysis

max time kernel
144s
max time network
136s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sougou_setup.msi
Size

157.6MB
MD5

5f3ca4cafda845296871c4e81fba5816
SHA1

a0d2af0c912dc0205a1fcd853444f2fa1f643968
SHA256

4315a6afe728ff28580a4c7ef798c47ccd7a438bbf58e97aaffce26b837c7384
SHA512

e103c3abf292ca634a5713e1abe913b3d8c25cb95321dcbb80e8737b593edb46f56b4b62620a03f0d5e00d73d7f7e793fec983cd20430d9c69b38015667de625
SSDEEP

3145728:SM/Vo6HfuRAXjkxF9zS21RHzmbIadvPVkq8HlZ3R78/x865/PxzHMfSVCv4w:doeIATsFo0RHYFdvNkXlZ3R7gx861pz6

Score

8^/10

discovery execution persistence privilege_escalation upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
784	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	sougou.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	sougou.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	sougou.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	sougou.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2304-44-0x0000000000400000-0x00000000006DD000-memory.dmp	upx
behavioral1/memory/2304-223-0x0000000000400000-0x00000000006DD000-memory.dmp	upx

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe	MsiExec.exe
File created	C:\Program Files\DriveHumbleTechnician\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI	msiexec.exe
File created	C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe	MsiExec.exe
File created	C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe	msiexec.exe
File created	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs	yrjwPObnoqyg.exe
File created	C:\Program Files\DriveHumbleTechnician\sougou.exe	msiexec.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ	eaHeznmosyoOWAGglCKDwYQViYXayS.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76f853.msi	msiexec.exe
File created	C:\Windows\Installer\f76f854.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76f856.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76f853.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76f854.ipi	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
1808	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
1248	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
2344	yrjwPObnoqyg.exe
2304	sougou.exe

Loads dropped DLL 6 IoCs

pid	Process
2304	sougou.exe
2304	sougou.exe
2304	sougou.exe
2304	sougou.exe
2304	sougou.exe
2304	sougou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1888	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrjwPObnoqyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sougou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaHeznmosyoOWAGglCKDwYQViYXayS.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2840	cmd.exe
2064	PING.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C04103A3-8000-47DA-B923-A65D328C266E}	sougou.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	sougou.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000701b63ac7639db01	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d07c65ac7639db01	sougou.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-dc-9b-fc-96-c8\WpadDecisionReason = "1"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C04103A3-8000-47DA-B923-A65D328C266E}\ea-dc-9b-fc-96-c8	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	sougou.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0d0b9a57639db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-dc-9b-fc-96-c8	sougou.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-dc-9b-fc-96-c8\WpadDecisionTime = a0f047ae7639db01	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	sougou.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C04103A3-8000-47DA-B923-A65D328C266E}\WpadDecisionReason = "1"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	sougou.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\PackageCode = "F8186EA320B6B324B8DC596BDF338BDD"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4\C259A3F8E2816124C91D684BAC99461D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\ProductName = "DriveHumbleTechnician"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Version = "117571589"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\PackageName = "sougou_setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Assignment = "1"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2064	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
1808	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
1248	eaHeznmosyoOWAGglCKDwYQViYXayS.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2296	msiexec.exe
2296	msiexec.exe
784	powershell.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2344	yrjwPObnoqyg.exe
2304	sougou.exe
2304	sougou.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeSecurityPrivilege	2296	msiexec.exe
Token: SeCreateTokenPrivilege	1888	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1888	msiexec.exe
Token: SeLockMemoryPrivilege	1888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1888	msiexec.exe
Token: SeMachineAccountPrivilege	1888	msiexec.exe
Token: SeTcbPrivilege	1888	msiexec.exe
Token: SeSecurityPrivilege	1888	msiexec.exe
Token: SeTakeOwnershipPrivilege	1888	msiexec.exe
Token: SeLoadDriverPrivilege	1888	msiexec.exe
Token: SeSystemProfilePrivilege	1888	msiexec.exe
Token: SeSystemtimePrivilege	1888	msiexec.exe
Token: SeProfSingleProcessPrivilege	1888	msiexec.exe
Token: SeIncBasePriorityPrivilege	1888	msiexec.exe
Token: SeCreatePagefilePrivilege	1888	msiexec.exe
Token: SeCreatePermanentPrivilege	1888	msiexec.exe
Token: SeBackupPrivilege	1888	msiexec.exe
Token: SeRestorePrivilege	1888	msiexec.exe
Token: SeShutdownPrivilege	1888	msiexec.exe
Token: SeDebugPrivilege	1888	msiexec.exe
Token: SeAuditPrivilege	1888	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1888	msiexec.exe
Token: SeChangeNotifyPrivilege	1888	msiexec.exe
Token: SeRemoteShutdownPrivilege	1888	msiexec.exe
Token: SeUndockPrivilege	1888	msiexec.exe
Token: SeSyncAgentPrivilege	1888	msiexec.exe
Token: SeEnableDelegationPrivilege	1888	msiexec.exe
Token: SeManageVolumePrivilege	1888	msiexec.exe
Token: SeImpersonatePrivilege	1888	msiexec.exe
Token: SeCreateGlobalPrivilege	1888	msiexec.exe
Token: SeBackupPrivilege	2324	vssvc.exe
Token: SeRestorePrivilege	2324	vssvc.exe
Token: SeAuditPrivilege	2324	vssvc.exe
Token: SeBackupPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	1504	DrvInst.exe
Token: SeRestorePrivilege	1504	DrvInst.exe
Token: SeRestorePrivilege	1504	DrvInst.exe
Token: SeRestorePrivilege	1504	DrvInst.exe
Token: SeRestorePrivilege	1504	DrvInst.exe
Token: SeRestorePrivilege	1504	DrvInst.exe
Token: SeRestorePrivilege	1504	DrvInst.exe
Token: SeLoadDriverPrivilege	1504	DrvInst.exe
Token: SeLoadDriverPrivilege	1504	DrvInst.exe
Token: SeLoadDriverPrivilege	1504	DrvInst.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeRestorePrivilege	2296	msiexec.exe
Token: SeTakeOwnershipPrivilege	2296	msiexec.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeRestorePrivilege	1808	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: 35	1808	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	1808	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	1808	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeRestorePrivilege	1248	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: 35	1248	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	1248	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	1248	eaHeznmosyoOWAGglCKDwYQViYXayS.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1888	msiexec.exe
1888	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 548	2296	msiexec.exe	35
PID 2296 wrote to memory of 548	2296	msiexec.exe	35
PID 2296 wrote to memory of 548	2296	msiexec.exe	35
PID 2296 wrote to memory of 548	2296	msiexec.exe	35
PID 2296 wrote to memory of 548	2296	msiexec.exe	35
PID 548 wrote to memory of 784	548	MsiExec.exe	37
PID 548 wrote to memory of 784	548	MsiExec.exe	37
PID 548 wrote to memory of 784	548	MsiExec.exe	37
PID 548 wrote to memory of 2840	548	MsiExec.exe	39
PID 548 wrote to memory of 2840	548	MsiExec.exe	39
PID 548 wrote to memory of 2840	548	MsiExec.exe	39
PID 2840 wrote to memory of 1808	2840	cmd.exe	41
PID 2840 wrote to memory of 1808	2840	cmd.exe	41
PID 2840 wrote to memory of 1808	2840	cmd.exe	41
PID 2840 wrote to memory of 1808	2840	cmd.exe	41
PID 2840 wrote to memory of 2064	2840	cmd.exe	42
PID 2840 wrote to memory of 2064	2840	cmd.exe	42
PID 2840 wrote to memory of 2064	2840	cmd.exe	42
PID 2840 wrote to memory of 1248	2840	cmd.exe	44
PID 2840 wrote to memory of 1248	2840	cmd.exe	44
PID 2840 wrote to memory of 1248	2840	cmd.exe	44
PID 2840 wrote to memory of 1248	2840	cmd.exe	44
PID 548 wrote to memory of 2344	548	MsiExec.exe	46
PID 548 wrote to memory of 2344	548	MsiExec.exe	46
PID 548 wrote to memory of 2344	548	MsiExec.exe	46
PID 548 wrote to memory of 2344	548	MsiExec.exe	46
PID 548 wrote to memory of 2304	548	MsiExec.exe	48
PID 548 wrote to memory of 2304	548	MsiExec.exe	48
PID 548 wrote to memory of 2304	548	MsiExec.exe	48
PID 548 wrote to memory of 2304	548	MsiExec.exe	48

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sougou_setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B6ADDCA3DC46E9811B74AD24C15685C9 M Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
      "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2064
  - - C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
      "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:1248
- - C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
    "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 288 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2344
- - C:\Program Files\DriveHumbleTechnician\sougou.exe
    "C:\Program Files\DriveHumbleTechnician\sougou.exe"
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "000000000000056C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76f855.rbs

Filesize
7KB

MD5
a867029638936132e144882cd32dae56

SHA1
628603e946e35062d7746d2cb3b8610fc45ea804

SHA256
dee97df76ba2f8000953e20aa26e5b90533ee6070f98729afc342d7b14d49cc2

SHA512
ba1b8d52a1038c58396b44ff2d277e997a01dec14986351903a8d1054377c9b23868addef99179d89c8b8be81c5bc5de785c521523fda787c90d81ffd91d78ea

Download Submit
C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe

Filesize
2.1MB

MD5
d9a41a6ce1809032f7e409a79766fbe6

SHA1
c011b1122fb750ce3b393fc35df623d7fb21ebaa

SHA256
0099f9e565c7bb368d24fa3e497fb6cad33463ef13a02017f8d072bfb7185520

SHA512
23d324a40aca1ecc022a42646826632d43c67496722004fe155df7d76e1175a02a3a69595606d452834ad61cbc119fa4fe8c98b7a39845b4fefaece34d4a92e1

Download Submit
C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI

Filesize
1.5MB

MD5
96b8cac1192eacf6ca4f258a8668c410

SHA1
a92f95201110d3aabad4aeb29ae3c12abbdb5066

SHA256
f3d900a4ec1b331e7f29d56d6fb1617d5a8ad606cc9b0264d63961dbea99fb44

SHA512
147fd5be2a731fb5f2edb9b0d00300daf12d476db068918c98c7c71ed022b0a22d9fee6a70183e6afc541e3cad9a86da9f54811a328713eb0698eebdbfee0f19

Download Submit
C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ

Filesize
1.5MB

MD5
362ccedbb2427712ed515c837ad28813

SHA1
95340d7edd1c26fd7ea3f3ff5a41921c29be7190

SHA256
f881d7523aaec5dd3d96e2e9c6439ff703d57722d4061073b7321eda37c02329

SHA512
2d037cafb48c69bcc91c712a82110a4b2820f1ae1cba76011673f8159e283b98a2f7c59278c26cc8349b4b1c1a28e6711702f159ac316e138b1816908f92d75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D76.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1D33.tmp\ioSpecial.ini

Filesize
958B

MD5
9957dcb6bcaf80c86b8fb98a4f0ab602

SHA1
ddb345fc11df63a42d175f8983eed1d6f9e828e1

SHA256
5ffa062d01bdd3c4e32fac89b67d1179e13e1d35e83f01e3b725e527b16b5e2b

SHA512
39578502c8c576712814c2762c2b0cf706486aa575211c105bfe3a29e60c109b00eae5c7f9bda334aa116071fdba7b15baa934016548124fc62a5a5f66d1abca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1D33.tmp\validate.ini

Filesize
87B

MD5
59da6b50ff42da1a3230fbca1bd90e11

SHA1
6870be998befa4bf02e8824e0a101303fe76ef4f

SHA256
5f60c14e1d82e49f4dd48c648c31bd572adf7a6e236aa7b2a8854bbc90d21c4a

SHA512
e3e7061e1ca6d8ce0ebca216d88988247cb6b824b19fe2ed1fd4dfb19bdbb9d231655b378d0990cc51b3df82183cbb28818f60d2efb9cb40daf58ef183ba2a19

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Users\Admin\AppData\Local\Temp\nst1D33.tmp\HWSignature.dll

Filesize
138KB

MD5
154aea6ca8875fe8023f5f0554adbe60

SHA1
54a6c770e4ab3aef95782f1bc647ab664163d42f

SHA256
e035633d5a97dbc492d125a379a198ddadb09547d4b576552016e690a573e339

SHA512
93063a15acf077e0de9634eef68d21a3243be36a3a02f44065cac7c279ddc06a9a9e2ea5ef8f5d70662d6b9a710f988a0455b78aa8f8092155acfd359ae976ec

Download Submit
\Users\Admin\AppData\Local\Temp\nst1D33.tmp\ImageMagik.dll

Filesize
5.9MB

MD5
745007cd039d16bbbe05e308c223c8b0

SHA1
f3fc435a325118cbb4af4219bc41755c245afe54

SHA256
b550ed8935bbc51571aabfb5c3130d295909df89e7c4c1e204f219d88a652332

SHA512
40d1146fd001f138d0ecd0516078364947f180431bec36a689e03e5fadd4851ec5b6cd5862fc1702231c5a442c1be4bf6c0d759ca333f939cd74d55fc64cad74

Download Submit
\Users\Admin\AppData\Local\Temp\nst1D33.tmp\InstallOptions.dll

Filesize
15KB

MD5
34d24e6ecdfb6859096816436c5875da

SHA1
a4504b5eccc48ce867623dd1d081a760ab70a12f

SHA256
734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

SHA512
cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

Download Submit
\Users\Admin\AppData\Local\Temp\nst1D33.tmp\SetupLib.dll

Filesize
6.0MB

MD5
b713d9c939fe455aea4be2eb94215730

SHA1
c51af6b0be8452f77056d7a4a8554c8cb21c6ddb

SHA256
7dd85f1d4725ff05c35b6c0632992523a3f1cadb6294f516ef2528738b3a53af

SHA512
1185b1002c85aa832f380e81a45d50b0a6b44d9b87eefc1a0325c0dfbf921d2b9f531c81d564723874f555a10e2516fa1e6bd91a7e473893083998a57b8e2fed

Download Submit
\Users\Admin\AppData\Local\Temp\nst1D33.tmp\SetupLibNew.dll

Filesize
3.9MB

MD5
72fb079823f0e6c80caff804cf626ca9

SHA1
464ae7293affcadd0aafec8a52635bcc92047e55

SHA256
23a25b73fd5d66aef3abc0c90b1eeff2fd3921a7d49aa69891e926139969b31e

SHA512
431d0e3469785981760185b38813148154fecb82abe37431c0591873e462ad597ad1449c29f3619b10f4435c08bbe231877f8debf9c48a26f258c5fef16b52c4

Download Submit
\Users\Admin\AppData\Local\Temp\nst1D33.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
memory/548-12-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/784-17-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/784-18-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2304-77-0x00000000034C0000-0x00000000038B6000-memory.dmp

Filesize
4.0MB

Download
memory/2304-84-0x000000006F300000-0x000000006F310000-memory.dmp

Filesize
64KB

Download
memory/2304-91-0x0000000003350000-0x0000000003375000-memory.dmp

Filesize
148KB

Download
memory/2304-71-0x000000006F310000-0x000000006F320000-memory.dmp

Filesize
64KB

Download
memory/2304-44-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2304-223-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/2344-58-0x0000000001E70000-0x0000000001E9F000-memory.dmp

Filesize
188KB

Download