188698d10b1f7b9710061ec95e0aec55a0cb2239e622fa4f7fdd5d360d00a007

Resubmissions

13/01/2025, 20:22

250113-y51mqawqc1 7

13/01/2025, 19:33

250113-x9me8avmfs 10

Analysis

max time kernel
53s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows11InstallationAssistant.exe
Size

4.0MB
MD5

73c8041e8b532d9791ef3987f82d73c2
SHA1

0ad458c01db820fa808d41d38e282cf962806910
SHA256

188698d10b1f7b9710061ec95e0aec55a0cb2239e622fa4f7fdd5d360d00a007
SHA512

a5402ec7871867d579d1a9c8142ebce31c23153ec4395e746474e524531dd58781a0644cccd869333c044a41e61fef48e118f4ed46860bc8cb7b90fc60925304
SSDEEP

98304:HgqIctyETh4cCpI0kwJF4vY5SK63dzBEZht5f/LyXtcH/AU:Aqtyih9Cawjr/6NAjyXa

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Windows11InstallationAssistant.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	Windows10UpgraderApp.exe

Loads dropped DLL 1 IoCs

pid	Process
3944	Windows10UpgraderApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-ca.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_el-gr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hr-hr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hu-hu.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sl-si.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_th-th.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_uk-ua.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\ui-dark.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows11InstallationAssistant.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\ESDHelper.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ca-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-mx.htm	Windows11InstallationAssistant.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10UpgraderApp.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-gb.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_germany_region.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-pt.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_zh-cn.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sk-sk.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nb-no.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ro-ro.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sr-latn-rs.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\base.js	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fi-fi.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-fr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_it-it.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_zh-tw.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_he-il.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pl-pl.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\eula.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_tr-tr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-us.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_eu-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_gl-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ko-kr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_da-dk.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_et-ee.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lt-lt.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ru-ru.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sv-se.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_de-de.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lv-lv.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nl-nl.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktop.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentOOBE.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ar-sa.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_cs-cz.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-br.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ja-jp.htm	Windows11InstallationAssistant.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3316	3944	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows11InstallationAssistant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10UpgraderApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	964	Windows11InstallationAssistant.exe
Token: SeRestorePrivilege	964	Windows11InstallationAssistant.exe
Token: SeShutdownPrivilege	4044	wmplayer.exe
Token: SeCreatePagefilePrivilege	4044	wmplayer.exe
Token: SeShutdownPrivilege	3144	unregmp2.exe
Token: SeCreatePagefilePrivilege	3144	unregmp2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4044	wmplayer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3944	Windows10UpgraderApp.exe
3944	Windows10UpgraderApp.exe
3944	Windows10UpgraderApp.exe
3944	Windows10UpgraderApp.exe
3944	Windows10UpgraderApp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 3944	964	Windows11InstallationAssistant.exe	84
PID 964 wrote to memory of 3944	964	Windows11InstallationAssistant.exe	84
PID 964 wrote to memory of 3944	964	Windows11InstallationAssistant.exe	84
PID 4044 wrote to memory of 4080	4044	wmplayer.exe	105
PID 4044 wrote to memory of 4080	4044	wmplayer.exe	105
PID 4044 wrote to memory of 4080	4044	wmplayer.exe	105
PID 4080 wrote to memory of 3144	4080	unregmp2.exe	106
PID 4080 wrote to memory of 3144	4080	unregmp2.exe	106

C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant.exe
"C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe" /SkipSelfUpdate /SunValley
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1856
    3⤵
    - Program crash
    PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3944 -ip 3944
1⤵
PID:1932

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
45d00e80581a224f60ee62e5a0a9f253

SHA1
a1016580c15d3eaffce1dd548db1dd927f9f8422

SHA256
a3dcca311b836b0644a465ed48ef726217ef530ffdb296cedeb8069776281c01

SHA512
1c1365bbf018caae353f511ca2bb4fdd404c28d3de29141325e0b52751b040729ef2f21a7c845f4708e64d8a7946bcc649f0489a6b58bd8ac86253246a7d4e35

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll

Filesize
197KB

MD5
49b42f4e7c5f4b290aba92258fb81348

SHA1
41bbe19d3af1e62b9c85bee3b6232de4db1a3231

SHA256
9de477066c8ac228f050892e1ddc6e2ecbc8ead0d82e0f3be9c8e9caae8b581c

SHA512
18a7860eec7a2c1bf7c13fa7edb95f775614ecb19eccea5a3dd246093b83eca534da7083b85d51e174902e3dc1b13fb10d1bbcc68003f3a92d677e10b907304e

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm

Filesize
54KB

MD5
66b63e270cc9186f7186b316606f541f

SHA1
35468eeefc8d878f843bbf0bb0b4b1d43b843cdf

SHA256
00f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f

SHA512
b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
a5550e16cf120c5ab60a82f1fd04ccfe

SHA1
face2d881e1925d0cd91d3562fc5812f2cbe57ad

SHA256
35a6e105c2f52185d20fb4f2e70a5b4c9c9e66ff491bea1def348fc7d51e105b

SHA512
bfbf93b4c7e3fa264dfb682b4edc3989073127fcd8080b00688ccd8877932230e57336e2212ba3890e21f3e2dcc059bc4e0694b613690938e98dc3edab00980f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
52cc3ce6c083a0b36ff73d0e4e67a2d2

SHA1
1e399fcf6d5d42ab932fb47d613006af79c73881

SHA256
022f6f2ffddbe4b8f8b1e7a54c580045a77c8aa33c3e5d126d9d9d3bdad2d863

SHA512
5da0797cc8c903b4ab32cdfb2e5747591be9742fb1a44db990e6a88d0cf4a8b030a24a3fb77d4ee1eddd0c2a68fd66ec5b65703c6d848f521bb671560044c254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU8482.tmp\appraiserxp.dll

Filesize
364KB

MD5
9d4f6fc6fd8dbe8e7b498651e0af16c7

SHA1
29cb40c374a35220b72bfa3ea9ed4ffa1b76efc3

SHA256
2acab73e737e9eafa7c74ca3c9b0762a9386016be7cc1ce0c090b00b793a7157

SHA512
7db4d7e0d4ca4c6cc2e2d1bb21915cc240656e94547bb3c3363bc068c0ce490f9e0916bb8745762053e05f1f7e8752a8cb1d83916a71e3a098333b32ede504fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU8482.tmp\resources\ux\EULA\EULA_en-gb.htm

Filesize
68KB

MD5
05627bc6899f8853de9a63f304d1937a

SHA1
11ccb451025a9b3d1f58b44b730521a7652fdb74

SHA256
49aa5fe536281681d0bf933c59622910753c0ee4eb26d96f548cf4b2d752129f

SHA512
2a0c6569b1dbf7a6754cb870325eefc028f69a758ca44c78da9ac77b03f60feba862e1bdd230ab6b78efb64e0da056917a50b18dd9adadd7e79f1fbb164eef9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU8482.tmp\resources\ux\EULA\EULA_es-es.htm

Filesize
78KB

MD5
75c32dd12eb6a303f16b4561aa4a3720

SHA1
628b9c1504abc72296821575f769a14d4635841f

SHA256
2cd165a4c0828c814c27b1ce07c3e4d8f254cda4eb2e91cf87b242c53002f312

SHA512
b6759d223f0bef67f36ca74bd519e3f2cbf8dbb97ff218fb2f236cf41facaa08cdd6e8949adb4e22c75a00dd19e048c7d2fb68ef3d9d7f790ab7b49ba44b42f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU8482.tmp\resources\ux\EULA\EULA_fr-ca.htm

Filesize
82KB

MD5
b0bbf69d2d7a34f86e0acea9bd678ea7

SHA1
c0343796308bdfe623eb1f0caf99538eb58b76fb

SHA256
531ae3e6ae92c7d173415fb7a3a95fdf61fb3e3fcb703a4606c9590225f03aca

SHA512
7bc0b314cf4eb625aa56e6134f1cd544ce1f38b84c7a478ba2f34a484ab41328f820a1601a8d0f5ee602a59ace1e496f69c2820ce472b8d57a5dfa5fc8be69be

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU8482.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
15313c8dccf64fb5b848bb804c087081

SHA1
6e520c0def59861491ae0c2c677b879eeccd5efe

SHA256
539416204ac6cc76dd759e8a092e864eda7556930494ae584e83aebfababd52c

SHA512
09b268702e76fb1d10d3598a4b6dda77b0541bb96bcc9f82c9260e957b6de2584d37ea380b1c4bac2b36fc25470ef58d2a26ba8b0e402c979d2d910ec974673f

Download Submit
memory/4044-380-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-395-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/4044-381-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-384-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-379-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-382-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-377-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-376-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-388-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/4044-391-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-394-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-378-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-396-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/4044-397-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/4044-398-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/4044-400-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/4044-399-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-401-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-403-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-402-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-404-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download
memory/4044-405-0x0000000009E80000-0x0000000009E90000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads