c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1

Resubmissions

22-01-2025 14:45

250122-r45fys1mdw 6

22-01-2025 14:10

250122-rgyd5azlhy 6

11-12-2023 14:13

231211-rjk7ksacb3 7

Analysis

max time kernel
898s
max time network
900s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1.msi
Size

836KB
MD5

e79180380997a855c8d19be02d035b7f
SHA1

8fabc9d73f32c0c01083b438ffc6f0d3bee6e80e
SHA256

c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1
SHA512

356665d2b08c652f9bb0cc3c6b441d6bcfcb02bccef876ad6c79150641ad4aa83923338b7fd085b0296b622f746daefc1eeef93869cf0b407d384c689b2a309e
SSDEEP

24576:j2XSjbixTs21LN5w6yfygtF9M5ZXn3lftfsATt:y/42Yy8vs3ftfz

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OneNote Update = "\"C:\\Users\\Public\\VirtualFile\\OnesNotem.exe\" 999"	OnesNotem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneNote Update = "\"C:\\Users\\Public\\VirtualFile\\OnesNotem.exe\" 999"	OnesNotem.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76d386.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76d386.ipi	msiexec.exe
File created	C:\Windows\Installer\f76d388.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID47E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76d385.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d385.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	OnesNotem.exe
1744	OnesNotem.exe

Loads dropped DLL 3 IoCs

pid	Process
2152	OnesNotem.exe
2152	OnesNotem.exe
1744	OnesNotem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
772	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OnesNotem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OnesNotem.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector	OnesNotem.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	OnesNotem.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\ms-pu	OnesNotem.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 38003200440033004400360041003500300039003600300038003300430031000000	OnesNotem.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	msiexec.exe
2484	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1968	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeSecurityPrivilege	2484	msiexec.exe
Token: SeCreateTokenPrivilege	772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	772	msiexec.exe
Token: SeLockMemoryPrivilege	772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	772	msiexec.exe
Token: SeMachineAccountPrivilege	772	msiexec.exe
Token: SeTcbPrivilege	772	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeLoadDriverPrivilege	772	msiexec.exe
Token: SeSystemProfilePrivilege	772	msiexec.exe
Token: SeSystemtimePrivilege	772	msiexec.exe
Token: SeProfSingleProcessPrivilege	772	msiexec.exe
Token: SeIncBasePriorityPrivilege	772	msiexec.exe
Token: SeCreatePagefilePrivilege	772	msiexec.exe
Token: SeCreatePermanentPrivilege	772	msiexec.exe
Token: SeBackupPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeShutdownPrivilege	772	msiexec.exe
Token: SeDebugPrivilege	772	msiexec.exe
Token: SeAuditPrivilege	772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	772	msiexec.exe
Token: SeChangeNotifyPrivilege	772	msiexec.exe
Token: SeRemoteShutdownPrivilege	772	msiexec.exe
Token: SeUndockPrivilege	772	msiexec.exe
Token: SeSyncAgentPrivilege	772	msiexec.exe
Token: SeEnableDelegationPrivilege	772	msiexec.exe
Token: SeManageVolumePrivilege	772	msiexec.exe
Token: SeImpersonatePrivilege	772	msiexec.exe
Token: SeCreateGlobalPrivilege	772	msiexec.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeBackupPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2972	DrvInst.exe
Token: SeLoadDriverPrivilege	2972	DrvInst.exe
Token: SeLoadDriverPrivilege	2972	DrvInst.exe
Token: SeLoadDriverPrivilege	2972	DrvInst.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
772	msiexec.exe
772	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1968	AcroRd32.exe
1968	AcroRd32.exe
1968	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2152	2484	msiexec.exe	35
PID 2484 wrote to memory of 2152	2484	msiexec.exe	35
PID 2484 wrote to memory of 2152	2484	msiexec.exe	35
PID 2484 wrote to memory of 2152	2484	msiexec.exe	35
PID 2152 wrote to memory of 1968	2152	OnesNotem.exe	36
PID 2152 wrote to memory of 1968	2152	OnesNotem.exe	36
PID 2152 wrote to memory of 1968	2152	OnesNotem.exe	36
PID 2152 wrote to memory of 1968	2152	OnesNotem.exe	36
PID 2152 wrote to memory of 1744	2152	OnesNotem.exe	37
PID 2152 wrote to memory of 1744	2152	OnesNotem.exe	37
PID 2152 wrote to memory of 1744	2152	OnesNotem.exe	37
PID 2152 wrote to memory of 1744	2152	OnesNotem.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\郭台銘選擇賴佩霞為總統副手深層考量.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Users\Public\VirtualFile\OnesNotem.exe
    C:\Users\Public\VirtualFile\OnesNotem.exe 877
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "0000000000000494"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d387.rbs

Filesize
8KB

MD5
003c825b1a323277661fea9d68a307b9

SHA1
7486ab34b5aa274e4807c5c06698b20fd036418a

SHA256
e4dea4c87ad8f8a213e6629ffd365f975f55806fd2bb9fc889c08fb4b6827cc0

SHA512
5ad7ef00c22ef5c97dc51041c82ec2e7cced831be9f9357a61f738280508d0227260cc85413cc7f995ebe962f630ea1fbc118f3af07e8555a22a3f949f02f067

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\NoteLogger.dat

Filesize
718KB

MD5
b143e9814f3ce07fa7176ecdd4dfda89

SHA1
cb8314e9a25116f698ea74300cfdb35855f48905

SHA256
908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8

SHA512
038c5947f631e1143e3ffe6807d26755e7c39c8af7d5f95575859ab4841a1f4f1f1cc67ee7ab31b7a6f37667df32921cb1c12d6c0f53baa151fab66f350c032d

Download Submit
C:\Users\Admin\AppData\Local\MUxPOTy\OnesNotem.exe

Filesize
95KB

MD5
32c26797ab646074a2bb562f9d10adb5

SHA1
f478d70bc193f7c24da563e9eda7eb86239bbe12

SHA256
b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93

SHA512
e68f541ef999a0ff91e24090ea80ace97e8e8a600e1f1063954cf575f431cada9b501fdab9c87b1b9da8cb779b5f351e36ccba998e24fb7c75ded387a913fe2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\郭台銘選擇賴佩霞為總統副手深層考量.pdf

Filesize
96KB

MD5
153f31b1dbe2d7b6a3aa41ba6338e129

SHA1
87731dff3f5aa93fbb9161cc51381b36d7824ed5

SHA256
c6ef220d0c6e9015bdfb7977ff15e7f2c4c0dbfcd3b28ffb3066fe6d21251322

SHA512
ac817f3e544bc1f2ac4784432ea12f948cafc4e4fbd9fd69d5c86b9116c72ff6d3652c851f5b8358e7c6ecb3d26d3bd856ea1d5124866ad1f4b42df15ef40d48

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8b82d8f9796b9e77671410232971f6e5

SHA1
b095fd5367e2ffc5ae3b3bb6908de887f5cd991c

SHA256
d563c432da76d9cd59e10782dc0f4ed9bad628613d612382a8e58f88d29b4c17

SHA512
5127d2ca0aaa2d718820f2505d009aca4527d37af0501e9ed1c2da821572e21b8b06ac06a3231db517ca5a900b382912cc97bfc34bd59fe5aa8cb92c88df076c

Download Submit
C:\Windows\Installer\f76d385.msi

Filesize
836KB

MD5
e79180380997a855c8d19be02d035b7f

SHA1
8fabc9d73f32c0c01083b438ffc6f0d3bee6e80e

SHA256
c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1

SHA512
356665d2b08c652f9bb0cc3c6b441d6bcfcb02bccef876ad6c79150641ad4aa83923338b7fd085b0296b622f746daefc1eeef93869cf0b407d384c689b2a309e

Download Submit
\Users\Admin\AppData\Local\MUxPOTy\msi.dll

Filesize
88KB

MD5
5f39a964af306f40536aa6ac57b66758

SHA1
b84a5a5837e8aa5e5c8181f4589f9ad490acb55f

SHA256
651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859

SHA512
9b33dd995ed714e490e564c6d8e1fe85c382d2e9f20e24adc831af3f390c3a52d3f3a53172e07d5461665fb3d092b230481cecaf19b8aa0ebc9b1b84c3581230

Download Submit
memory/1744-68-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-111-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-49-0x0000000002520000-0x00000000061C6000-memory.dmp

Filesize
60.6MB

Download
memory/1744-132-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-50-0x0000000002520000-0x00000000061C6000-memory.dmp

Filesize
60.6MB

Download
memory/1744-51-0x0000000002520000-0x00000000061C6000-memory.dmp

Filesize
60.6MB

Download
memory/1744-129-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-125-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-71-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-84-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-87-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-89-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-96-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-98-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-105-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-107-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-123-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-113-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/1744-116-0x0000000074380000-0x00000000743A6000-memory.dmp

Filesize
152KB

Download
memory/2152-48-0x00000000753D0000-0x00000000753F6000-memory.dmp

Filesize
152KB

Download
memory/2152-29-0x0000000002560000-0x0000000006206000-memory.dmp

Filesize
60.6MB

Download
memory/2152-30-0x0000000002560000-0x0000000006206000-memory.dmp

Filesize
60.6MB

Download
memory/2152-43-0x0000000002560000-0x0000000006206000-memory.dmp

Filesize
60.6MB

Download