cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Size

98.1MB
MD5

709fe898fefc144f66d577990c43b967
SHA1

74e5212106ef6c54b356ac790e6e61bfbd91208a
SHA256

cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495
SHA512

bcc7ce19707cd89701c37cac022f48e3e2225f79fbdf730b92e37fc08f2f1f8b3d81f18f35a5bb45443ef131ad4b50009d084bd98db556eacd8ed1b6ddaa9f0c
SSDEEP

3145728:UyzRWHu7ls89w01ohn8o4mhguUSl86qR:tgP89sKmmuU886

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	1cv8s.exe

Executes dropped EXE 2 IoCs

pid	Process
2636	1cestart.exe
1892	1cv8s.exe

Loads dropped DLL 64 IoCs

pid	Process
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2820	MsiExec.exe
2852	MsiExec.exe
2852	MsiExec.exe
2852	MsiExec.exe
2852	MsiExec.exe
2852	MsiExec.exe
2852	MsiExec.exe
2852	MsiExec.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe
1892	1cv8s.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\Warning.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Models\CollectionTypes.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\VisualStyleBackgroundPicker.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\[email protected]	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\Plus13.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\ConsoleGroup.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\HeapSnapshotInstancesContentView.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\VisualStyleDetailsPanel.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Models\CSSStyleSheet.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Protocol\RuntimeObserver.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\InstructionPointer.png	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Models\TimelineRecord.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\addncom.dll	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\dbeng8.dll	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\DOMTreeUpdater.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\frame_root.res	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\NavigationItemCurleyBraces.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\TimelineRecordStyle.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Models\ResourceTimingData.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\Table.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\SliderThumb.png	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\ClippingJS.png	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\Stroke.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\TimelineTreeElement.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\IndeterminateProgressSpinner5.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\Minus.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Models\CSSSelector.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\HeapAllocationsTimelineOverviewGraph.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Base\Setting.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\Close.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\DOMTreeDataGridNode.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\ScriptTimelineOverviewGraph.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\[email protected]	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\StepOut.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\External\three.js\LICENSE	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\CallTrees.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\[email protected]	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\Resources.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Models\LineWidget.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\DatabaseContentView.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\licenses\3rd_party\libuuid.txt	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\Toolbar.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Controllers\CodeMirrorDragToAdjustNumberController.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\FolderGeneric.png	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\PseudoElement.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Protocol\InspectorBackend.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\MemoryCategoryView.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\MemoryTimelineView.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\ecscore_root.res	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\Stopwatch.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Models\Revision.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\DOMStorageIcons.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\Slider.css	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\SourceCodeTimelineTimelineDataGridNode.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Controllers\BreakpointPopoverController.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\[email protected]	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\WebSocketLarge.png	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Images\gtk\TextTransformUppercase.svg	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\GoToLineDialog.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\IssueTreeElement.js	msiexec.exe
File created	C:\Program Files (x86)\1cv8\8.3.18.1363\bin\WebKit.resources\WebInspectorUI\Views\LayoutTimelineDataGridNode.js	msiexec.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID08E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ShortCut_EnterprSt_2A5C6DCB39B64D1EB6762C6FA47A7631.exe	msiexec.exe
File created	C:\Windows\Installer\e57cde4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE715.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID100.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\_2B2F6F1E_C4E2_4EB4_9C46_DC0B34EA2F86	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ShortCut_ThinStarter.exe	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\1033.mst	msiexec.exe
File created	C:\Windows\Installer\e57cde0.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID26D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID482.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ShortCut_EnterprSt_2A5C6DCB39B64D1EB6762C6FA47A7631.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE705.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cde0.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ShortCut_EnterprSt_69CA8B344D80493E9786A5867468FF09.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ShortCut_ThinStarter.exe	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID101.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID462.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\_2B2F6F1E_C4E2_4EB4_9C46_DC0B34EA2F86	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\_4D4A2089_5A01_4C52_8926_E79477E8B198	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\DesktopShortCut_En_EDED4A527DC24E21BFB7BD8DFDF40134.exe	msiexec.exe
File created	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\ShortCut_EnterprSt_69CA8B344D80493E9786A5867468FF09.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\1033.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID111.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID25D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID54F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\_4D4A2089_5A01_4C52_8926_E79477E8B198	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\DesktopShortCut_En_EDED4A527DC24E21BFB7BD8DFDF40134.exe	msiexec.exe
File created	C:\Windows\Installer\e57cddf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cddf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0EF.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6D4.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cestart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cv8s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseListLink\shell\Open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseListLink\shell\ = "Open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27665EFC-55CA-4885-B491-6B90F04D6257}\InprocHandler32\ = "ole32.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{27665EFC-55CA-4885-B491-6B90F04D6257}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\Readme	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_RO = "\x06RO"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\ProductName = "1C:Enterprise 8 Thin client (8.3.18.1363)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList\shell\Open\command\ = "\"C:\\Program Files (x86)\\1cv8\\common\\1cestart.exe\" /RunShortcut \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{27665EFC-55CA-4885-B491-6B90F04D6257}\InprocHandler32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_BG = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_LT = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_LT = "\x06LT"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\34D9CCAEA18725A4DBD2A34E796E4251\9DD60EFE0752D3F49AE9D29309D7D655	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.v8i\V82.InfoBaseList\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{27665EFC-55CA-4885-B491-6B90F04D6257}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_DE = "\x06DE"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList\shell\Open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_HU = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_RO = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_EN = "\x06EN"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\34D9CCAEA18725A4DBD2A34E796E4251	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DE = "\x06Languages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_auto = "DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\VI = "\x06Languages"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.v8l	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseListLink\DefaultIcon\ = "C:\\Windows\\Installer\\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\\_4D4A2089_5A01_4C52_8926_E79477E8B198,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_KA = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_TR = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_KK = "\x06KK"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_UK = "\x06UK"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseListLink\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_VI = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DefLanguages	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V83C.Application.1\CLSID\ = "{27665EFC-55CA-4885-B491-6B90F04D6257}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\HY = "\x06Languages"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_UK = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_IT = "\x06IT"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_AZ = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList\ = "1C:Enterprise 8 infobase list"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_DE = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_RU = "\x06RU"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList\shell\ = "Open"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.v8l\V82.InfoBaseListLink	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\V83C.Application\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{27665EFC-55CA-4885-B491-6B90F04D6257}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V83C.Application\CurVer\ = "V83C.Application.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_HY = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\DEF_LV = "\x06DefLanguages"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\KK = "\x06Languages"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseListLink\shell\Open\command\command = 4000290032002b0076004a00240066004f004100270071002600480036004e0032006c004e0043005400680069006e0043006c00690065006e0074003e00690077004c007b0045006e00610032006000410057003d0029005800250037005400380073004a0020002f00520075006e00530068006f00720074006300750074002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DD60EFE0752D3F49AE9D29309D7D655\PackageCode = "F79DFDD1FE5EFF34289A964B4A2D8DBD"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\ThinClient_LV = "\x06LV"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\V82.InfoBaseList\DefaultIcon\ = "C:\\Windows\\Installer\\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\\_2B2F6F1E_C4E2_4EB4_9C46_DC0B34EA2F86,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9DD60EFE0752D3F49AE9D29309D7D655\EN = "\x06Languages"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1892	1cv8s.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5020	msiexec.exe
5020	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeIncreaseQuotaPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeSecurityPrivilege	5020	msiexec.exe
Token: SeCreateTokenPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeAssignPrimaryTokenPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeLockMemoryPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeIncreaseQuotaPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeMachineAccountPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeTcbPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeSecurityPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeTakeOwnershipPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeLoadDriverPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeSystemProfilePrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeSystemtimePrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeProfSingleProcessPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeIncBasePriorityPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeCreatePagefilePrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeCreatePermanentPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeBackupPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeRestorePrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeShutdownPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeDebugPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeAuditPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeSystemEnvironmentPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeChangeNotifyPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeRemoteShutdownPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeUndockPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeSyncAgentPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeEnableDelegationPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeManageVolumePrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeImpersonatePrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeCreateGlobalPrivilege	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
Token: SeBackupPrivilege	4992	vssvc.exe
Token: SeRestorePrivilege	4992	vssvc.exe
Token: SeAuditPrivilege	4992	vssvc.exe
Token: SeBackupPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeBackupPrivilege	3168	srtasks.exe
Token: SeRestorePrivilege	3168	srtasks.exe
Token: SeSecurityPrivilege	3168	srtasks.exe
Token: SeTakeOwnershipPrivilege	3168	srtasks.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe
Token: SeTakeOwnershipPrivilege	5020	msiexec.exe
Token: SeRestorePrivilege	5020	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1892	1cv8s.exe
1892	1cv8s.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3168	5020	msiexec.exe	101
PID 5020 wrote to memory of 3168	5020	msiexec.exe	101
PID 5020 wrote to memory of 2820	5020	msiexec.exe	105
PID 5020 wrote to memory of 2820	5020	msiexec.exe	105
PID 5020 wrote to memory of 2820	5020	msiexec.exe	105
PID 5020 wrote to memory of 2852	5020	msiexec.exe	106
PID 5020 wrote to memory of 2852	5020	msiexec.exe	106
PID 5020 wrote to memory of 2852	5020	msiexec.exe	106
PID 4680 wrote to memory of 2636	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe	107
PID 4680 wrote to memory of 2636	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe	107
PID 4680 wrote to memory of 2636	4680	cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe	107
PID 2636 wrote to memory of 1892	2636	1cestart.exe	108
PID 2636 wrote to memory of 1892	2636	1cestart.exe	108
PID 2636 wrote to memory of 1892	2636	1cestart.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe
"C:\Users\Admin\AppData\Local\Temp\cd01bf96b49446999cf0fc8074a9c544a19ec0f5b52282edbdcdc87e499c0495.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Program Files (x86)\1cv8\common\1cestart.exe
  "C:\Program Files (x86)\1cv8\common\1cestart.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files (x86)\1cv8\8.3.18.1363\bin\1cv8s.exe
    "C:\Program Files (x86)\1cv8\8.3.18.1363\bin\1cv8s.exe" /AppAutoCheckVersion /AppAutoInstallLastVersion+
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EE6D0CD622CF83F843785F2B3750EF75
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E48A87B029A7C8961727AFFD7E59DF79 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cde3.rbs

Filesize
232KB

MD5
f5cccdf84642a1176c4a55f9fc0a3f77

SHA1
884986525f081324d9269943fa034a72d3ffdf0e

SHA256
0e1ba539eb6a105c44182776de4d24884304270a98570fe34db7e3c3acf706d4

SHA512
63e70d6552a4787114db48c9cdfed41fa5751381c47488fb9d3db59d00830a13677fa1d336f54a9955d9ab813c73fd6a3b01964751e59a77c7c796012f2c8987

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\1cv8s.exe

Filesize
1.0MB

MD5
000b41ce81a37a990b3c09009581e8b7

SHA1
321435288e30c1acb9a43bb446357ec708b83629

SHA256
3563b92430e5356fcaecbac6de0641d5bda99889489b31dc8aa25949f6673cf5

SHA512
149ff63da469d77b8f8270000513f6b3ae34cc22db73bbd88b085756c74df38dcbb5974a01baa7c3b3c61c0e1b59498e11c6966ea2db7410b53e1b7b15cdd20e

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\conf\conf.cfg

Filesize
48B

MD5
ea160fc2cd6c8be9027a6ff6a28713df

SHA1
b57694f1da9307a0f6bdc0d0487b762bd4db7220

SHA256
230e6f54e06135bf79e2757083f29c1c25375ec92de24e1c0b49a1d4991dbb88

SHA512
4af0afe32140fb5caf07c7219963ac415f67fa8b60e1138fde03f7510cc1e09eaee07fcae058de3c60d62a3e8eaacbc268e737fe360bbdc9700358f3883f80eb

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\core83.dll

Filesize
3.7MB

MD5
8a4d4ddd27a916faade0d7daa768d641

SHA1
51c3020909963b73546ba7a508937473b91b37f9

SHA256
b9dfb6e7e9d1bde9aefe2fed98e82b5a1bd256825fa6f6c8e567f009e7930a70

SHA512
5516d059eb754ed50f5e34c8809b5251f0849e543b513fdb4791f26df2c4b8bb7a38915f0ea9b67faa2553cf6d721e4f47e0ad164d9355d9fd88d4dec7ff9e86

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\icuin46.dll

Filesize
1.3MB

MD5
ba1bd5e6fdcba19c74809ececcb802c1

SHA1
5e1831a25629299da5b6ba36747e2cbf4a28cc05

SHA256
83e22071a8d87987d3fad0f11ea668965afd67fe7d2d27ec720a0fa5a9415153

SHA512
7343e3109ee1214515783e636f077068a1bcb701ec19a1a9a05dc76be10a84f45f151984e714ebce69e3d5a8268e531484c887f05e6aca7226c6aaf64e5b2400

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\nuke83.dll

Filesize
52KB

MD5
08b69deab8f6dd29f4bf09af0cda7735

SHA1
c3f5b4e8c06a6dd500163eef559b9d88a2a7c1ff

SHA256
42db13885e05987ed0340b8bd5f8b75f44ac41b900282fc7a122b29c4473d539

SHA512
a6b066f606ef31e62696601c262d5de9f001ac2ba996b08449252c2ebe3c6ea83b79e0ed22d58e98c5644350ee809e29cef37c9692fdd0a7b9380cc90a0fd427

Download Submit
C:\Program Files (x86)\1cv8\8.3.18.1363\bin\wbase83.dll

Filesize
326KB

MD5
f2b392ce7579aeb6a280c40848702464

SHA1
f919b2f593d3f17b4a297aa0294261c52320a0e1

SHA256
d8d8f033ff13cbccb6701a59079a58fc98ace4c80f61eb94085bc4ae6273ce36

SHA512
f778823b1c9b3c04f490b9b8a7a9a356541b91a20ede7c53f65c19bf015494a9b90453d1f6dd76305f4fb9dbcfcb3569d01d861b26890cd60d6280685096bd1c

Download Submit
C:\Program Files (x86)\1cv8\common\1cestart.exe

Filesize
467KB

MD5
f99b6af8620a945f395963fc1be27f0d

SHA1
0531c46e581f1cf324ca17cfd5017196a2546812

SHA256
6cc8be68c9ee55315968dc55f9e92c5965ff2f61f7f66890c07feb3a420f3395

SHA512
4c5ffbfa50768a54318e00678ee9028e2c66df7443d412cc8568b98b6eab5c62cd23251aadc915ea8ebf02ef089efc04abef500fc351d69a521688e53fe18114

Download Submit
C:\ProgramData\1C\1CEStart\1cestart.cfg

Filesize
194B

MD5
88e43ca119ccf4842bca01eb2e935ce0

SHA1
58a0dc42d0d1acfb4946457dcca6c153b4bdbdb4

SHA256
d07db575239b1a2a03b2973d165d8cbd3246992f583fa1e05e3e0e2f0654aff0

SHA512
3d1c17911000ec8958d8efa5b4aaa19dd12456c2907ab269a7521bf0c78dd3e366555ca7afa03dc32d3d1164325fe4f2d1c8cf0c2ddb0e989871d5946caf121a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1C Enterprise.lnk

Filesize
2KB

MD5
44155c12ad87800e881e00314a266053

SHA1
c8243bee52a08d24ad9b6ea8ff95f5bd3747eda5

SHA256
c0804701f7e47bbeb7ca1491f5442ad925beb037e1f3e6241ea4a5f22323be2a

SHA512
bac1d1b79e35d079a202e3afcf3de759c37bdd626d4de63075d743647837360d19b4d5d8385f1943f26921788dddaa25c88c5be2b0995dcddfe3a17d9fb131ce

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1C Enterprise.lnk~RFe57e6c6.TMP

Filesize
2KB

MD5
d409943e45e4dc78c621294bf126f911

SHA1
b74b08b5aca43019e4ba870cb6630550ff781993

SHA256
ae51d8ebb045f94e7b79180fab69335eb6c7cf73637fa958e71ff60cb9b925f5

SHA512
a2ad9702c945a956cc25a7265eedb9217e72f4f153009c147305250b277b6c8527bdc462c7e466922383cdaee2fb90495ee548f0437f562b14fddeb8121b810d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
543ff9c4bb3fd6f4d35c0a80ba5533fc

SHA1
e318b6209faeffe8cde2dba71f226d2b161729af

SHA256
40c04d540c3d7d80564f34af3a512036bdd8e17b4ca74ba3b7e45d6d93466bcd

SHA512
6257994ac1ec8b99edcf0d666838a9874031a500adac9383d9b4242edc6c6ffec48f230740d443c1088aa911a36de26e7ce3b97313e3d36b00aede5352a8cf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_AE0845C64E81176955AA376CEACA6886

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
c582f6786a4c6ad7a58d3060bd224ff6

SHA1
2c447b0c9491b32fd7f548e46a57ea26f9dd7804

SHA256
d9635ff5f78db580a46162f558f3baf893589cc4238f03ec48a038478418809c

SHA512
609e54d5caf9bd1f1736d5c3e2cd7c20b45b07aaec2885b259728ef48fdb8f9712292827a85fbcbbf992d7782e9102b748038e5175757855872ea913232203e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
e219e3da92e905f341a5911e0676a2b9

SHA1
b8465987f407d9d44ca63c850c9026a4082fe0f2

SHA256
979b1bd91ddc99e54282fa16e49ada8e84ea8fbfdd715ffcb73656454b042184

SHA512
32d442b5938174bf048c018fd6b0408b7b2f77260a7ff644fc84a548ef4ca5b3715137cda85f1dacd5138305b2ee58a653a8790e93d55bffe8b6016dfc867c71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
31bb0aeba731eb70ecc8797d2c794d33

SHA1
f50666298b2a62dfdfa0d52b5e355272f00dccd2

SHA256
35ebf11c47c436f986e592d5235afe46db2f2dc3c700533758a1417fa0d38dea

SHA512
59319293ab053bf03e6d424bdfc17778fe4d7b1ef051c666d0c3701ba688b8ef56ce15a625fbed8cec112c33aebd2f68b88cddec2261eceb33db8361599c44c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_AE0845C64E81176955AA376CEACA6886

Filesize
398B

MD5
3e27635d699766f1df8d05c60738db6d

SHA1
2723389a3b28a25689913acf827088127335ae89

SHA256
8d53b800dfbf2819b2a3aff23638c1fb316cd0d02482270e95683206151a6562

SHA512
508d38bdf9e79335e941fc7882d8c73c5501324b9397b91926a0b5839ccaebcf07a6236b50214a017be2965d3383e2dce40d63a3aa19c1cbb258ab39ef752af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
4132bcf5a1c99055de2a2cdbd58f4028

SHA1
108b73db3669a82a27216a83183521bb026ad50d

SHA256
65f71e164a5e7ca5296eb281cf1e0a762d4fdf587e3d021286532682b59df6cb

SHA512
9657ec4f536e076390b04c0f61210b00c2cdc67ecb9e43e4264ba3637816d7bd7a5dd8a823821f31ccbf9e5383725643a957292f049f935e83871b956838d5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1026.mst

Filesize
160KB

MD5
f02cf059d06602ccb81d5a417204c845

SHA1
19beb7dee7949f35fb30546c75fb5d807c0c11bb

SHA256
5dd43c716bcbdf40c7370fd44d376ea9d2903a52a8322b044ccb882aac1e3b8d

SHA512
671acfa432d2fa914b0b092950ae96ccd96682429823e7cc35d058098fe9c85f6f22415290898b2cc5f06cc7c3f20911ce950a910653976b6f64150436776b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1032.mst

Filesize
172KB

MD5
2f5b4e441c0bcdd4ea5fe1161d0830eb

SHA1
f7d3a1bc4d97d1eac2621785753aaab2fc41ea1a

SHA256
b6eb58a5500eb9ff3a5b563afc5ef05fef45613b509c658728c14ec3e4ad3c66

SHA512
b452354e8cea09ba36bfb096b60339eb3660b259624516973cc00b5349bcb466448260c46c6a6c05f22589cfe75d0119018144dd845e37226799e2f2b3844337

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1032_xp.mst

Filesize
116KB

MD5
0761c0c2fc28867b04404cd65d2cd7df

SHA1
7448473dc4654624ca011476e76c250ee9dd84c8

SHA256
9d81e7566d8a7c427f8dff50250465a3d766a673ae8d8e3ced149a75f9100d44

SHA512
f6f30e02fa07d451b9c27f339885cdfd9dbc370c42284760b11d85168864fa543bbd504086f2c4965ea8bcb77f3f99179107fb5928dc359f36e48e75cf23e88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1033.mst

Filesize
28KB

MD5
799d13b66236ec91f0f9930330a13ab9

SHA1
c9fe93b84fcabe158e82dbd1bd116fba4a5fe08e

SHA256
8f8ce8e5979dcbde159fa4c50e90ac7ad63bfe8888234039a140a09904022c43

SHA512
ad2005e0791abf3322e7baf65c724d95df0807519284a7bc2ab34f30cef4605475a3839f619585f064b336931080a077f15e4a6f25d443bc6110c7c839bde842

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1034_xp.mst

Filesize
112KB

MD5
93e9cb5e81f3e7f7df9ae24e7e380a73

SHA1
5c3fc900b5d00d3bca1381bcd24a320b47a6cd7a

SHA256
7ed8e389fba72fb258e8ca006541072dbc4b440f0d3296ede6c5748bec757ff7

SHA512
48f8371a277405478c76cce10545d4e01e79557541d8e9882abfb68f35b4ec5af337ace0f6a42bf0c7d861d95d762d1c4658cd5a40e0b5d61c893a42538a2fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1036.mst

Filesize
124KB

MD5
aea92a0691e1038df2fa89fcb1fb925b

SHA1
ae78e352961fa35633c8b67319dda393eec66f2e

SHA256
db8996cba0fcbea6455ccacacbe35da345c1e89565045840b0c035d59d286b11

SHA512
cda5dedcbad127e1ba1026573a36d85794199465ea00c3dbf38db32ca7f2f8b5471be5ad3962332cb1f732a64d6fd5d7050df4015947377ccb561480db8cd6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1049.mst

Filesize
156KB

MD5
534e45827979dab2aa05884b37f7e24d

SHA1
99cbb78d0261c533c2185a67e4aaaccdc6535646

SHA256
397e274529db6a6bc836a3b9e0ec9afe2aab3e0fe6443d46e5bab1a9d8720828

SHA512
79ad0f870b6d21cec176ece160b7c7b73007a8e180c9d86813a546a563f5eabb5c238e01e61e9c31270553da6510935be6d419528b0857b42e5535919da2968f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1055_xp.mst

Filesize
104KB

MD5
c55f105506b191eef340f18969e95f05

SHA1
1afe2a30bffc009b6e6f2f763a811b70dc954530

SHA256
df2be0e5ec656aef2fc029d9c07c1c1386f0dc099c5f70524fa3a43ef6d3e779

SHA512
c495be1a99c94f6d00b24f31d3a7dff581689b8cf774485988af17c1f1dfd1464c372f3d8a514fe443602325f2ca3ae2e9940aa4df8bdde070e0713c32a05794

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1058.mst

Filesize
152KB

MD5
bc04bed271ad488b38b34b41d49bb0a8

SHA1
a4ee9b78a5143796c94a3f47ff60f3e08f010ea2

SHA256
b53e0f4f47497a26fdbf9d76a1645e4d14c01fad018f1de4eab4d329d3554cd8

SHA512
51f048faaf5f17678fbfa6579d23904377a11e65d2b4aa9f71803ba3193208469ef53b71b29e2e72c88b1533b4dac7332353ebe94a14edc2da82f6caf18d5deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1062.mst

Filesize
112KB

MD5
f336e2053c99ee4778904994bc4f1211

SHA1
baeffff907121a8fd5da4985ddaf13149fac1959

SHA256
6997b5e718afbc6d82ef5b93eef75be42ccaa25142b03632cdadb214d313657e

SHA512
2ec11e935138a600941c5c1a6660f8e90d811f6e365f2555fcb45e952484cf6c113ad8c399c04a8291cecb1407d338a2b72040c3944eca00ce6d60d19f493efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\1CEnterprise 8 Thin client.msi

Filesize
3.4MB

MD5
b64a17d1610f2821afd1e01f28d87beb

SHA1
149142cf4ba4aa643b5cca6362195fd8fb57c10b

SHA256
1756573fd4e985d3717dc29c3fc436f3b238a409ab0715792dff6e3547e60364

SHA512
4519725320830f4faa7b8aa89f3d3dfe5bb1ef4aa401613af7535883d70d90b1f32ba7ccf47d4105d4e055ccac143f9012922989008dc3494db5b82e3a01c0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\2052.mst

Filesize
100KB

MD5
4813d4c9a1582629263015c812de9f8a

SHA1
7e86675b22a714bc1127e0ffafb787fc85a60e01

SHA256
46e33d6a4e6b5acf1a2b7c8f8e8b27e6f3aeda14cdb6a5a9f52d6f76ac691e6c

SHA512
49293070fdd4d7c9e41c80c3bec9ebebd5af37ac8d2cfdb11101d141d61f5d196cd753246d5bf624672f119ee1fcaa17c7e88640140da5c6421a296b2523603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\2052_xp.mst

Filesize
84KB

MD5
35a745b1b06b2eeb33b1f05ed07fc6d5

SHA1
1e08998eff86b497408664804d2d9d6def9d2039

SHA256
e97d50de48cae132f0a264c882e08b3fe909966b6aef0abb926069feaf8ea16c

SHA512
6a0959f75472d98cf8d1781e2f02714cfdb09bb42f5caefbb15d5064e8fbdc545e0da739b8316bf16260a3bdfdf33f1898d03ae34247d011fc3b653ec317fa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\adminstallrelogon.mst

Filesize
10KB

MD5
5fcb5ca7ac028474c5f801e450a3b475

SHA1
8a3ddd39c670c679259b23fb67030809aa9ffb2d

SHA256
a9bf0150476c9bd33be3f7bcd4fc3306e3e4c0a2203a2b5d8fb1165efc2297cf

SHA512
257e647b3c4e03ebbbf2bd799aafca8e984fda76151523262d085123ae64361affdace60fb2b3147414560fca9fb759cd2f2efa48df1504de3458f191489455e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ci973F.tmp\adminstallrestart.mst

Filesize
10KB

MD5
4f657f1bdd2d567d4725645dc10dd297

SHA1
7ff4481e8c2958def32a714045bb00cb895bc4a8

SHA256
b65a759c493f6d06c0389ffe93eec1d7744cdcb9e5d63f35b4d875e56f97b8ff

SHA512
c46ae00c547e4926bee5de8ab2f2ac00448295a0e316c93085515b2ca5809e1f0589e0704722fa02cf7ba9fc451a234b6d11bad8466321e59527aea34fda5f23

Download Submit
C:\Users\Admin\AppData\Roaming\1C\1CEStart\1cestart.cfg

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\1C\1CEStart\ibases.v8i

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Public\Desktop\1C Enterprise.lnk

Filesize
2KB

MD5
7eb28d663b2a30b06f32c510782823c3

SHA1
a76122373c5c71aefcf7e3d97efff5804fa6fd69

SHA256
53ddd8f6ef65703d2a7e790a3e2517b6b3d7f915eb8ce541d3d0cf3e6f68d669

SHA512
9d1079f3f1f3d5aa79584bb12756a0e4f866d82b5e4665d44097d1078758d8d17b6e9ddb6317a7c6b076c5fbdcc7a8aa37962f60057cd07c32c493f72ea853d2

Download Submit
C:\Users\Public\Desktop\1C Enterprise.lnk~RFe57e6a7.TMP

Filesize
2KB

MD5
4b8915d4afc22a1d12211773d008b708

SHA1
b98643e821cdeb72a6b3bc82c4ddaa37bcc69f8c

SHA256
e781740654c53e11e01bc7e85ce164fbee1282d9940931d27184a50128a6be92

SHA512
74f74933589e06c0dcadd9de4f6603bb0572aae56020cf2326e0fce9468ffcd7dc06a585297ba22a329ec14d09dc64d022011fb963ab4a09a1b544ff36c1fd81

Download Submit
C:\Windows\Installer\MSID08E.tmp

Filesize
293KB

MD5
fbf0db03e875282f4faa848adfc5fd14

SHA1
e9058dac74d7ff7b5bc552eb2aa1dd8e553d617a

SHA256
3d2bc478f6aeebec54dab434b338221d3636fa61e023facfd75524d9fa4f71c0

SHA512
73d1cde2a55db2d8596d19c95284bb63e1eb8be367cf6237811e8feee08f7662585abdfcbc36ed2eef07227754a1d922c396a8a6becfd5de9954d3b01f25837f

Download Submit
C:\Windows\Installer\{EFE06DD9-2570-4F3D-A99E-2D39907D6D55}\DesktopShortCut_En_EDED4A527DC24E21BFB7BD8DFDF40134.exe

Filesize
152KB

MD5
f33b8a5b335dd6450525e5524d4efe65

SHA1
41c62ed0b4d42b241eef913aed4d1bd5c2787bc5

SHA256
61d5c0ea29b7637308a0f847b01e7011e0581a5f4d546770a8aec7c8af755214

SHA512
16a1338fe484364177ddf247e1f15a03fb7643d83a4ec85e9ebffad70fb2c9c1610d16c007e0b86b08b8bd5867f95c621b016c697aa387067f6bd7cc84f99597

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
81002008dd21216cc458133e831473c3

SHA1
6b668bc9310e0982118c7d4b95c10bc1bc2a5fd2

SHA256
1e306ef58c90ad98eee949ade921da8da0d88726ca690891fb1924a4c1bdf90c

SHA512
288923298366eef0c63797d5fa9fb1e3b16a75aeb3870d25c97befba1f57f19532ae14136c24faa02ed7ef574340012e1f149170b051b0c85fa4adb36fec91ce

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bc37874b-4ae9-43ad-b470-38568986fbed}_OnDiskSnapshotProp

Filesize
6KB

MD5
43e662481d1ee79db03491d75d8ef3eb

SHA1
a94bb8a236a4e4882fae7842807bdea8b61fcfb4

SHA256
8a2b680873106aca85dfe1a0929796289064880632260b8b9fd6ebf60f6bac54

SHA512
59fe79ae3c5029dff2dcb875625c72e6943311d40a9f7daac6b8963d22a1b6dc2d05ea4c69064312495e535ef4e90a0047b7898fe32769354e6a08d2ef973658

Download Submit
memory/1892-2048-0x0000000000CC0000-0x0000000000CDE000-memory.dmp

Filesize
120KB

Download
memory/1892-2046-0x0000000000A70000-0x0000000000B73000-memory.dmp

Filesize
1.0MB

Download