da7a47b48ce813ad1cedfea4533d1cb1e2c06e8c407dfa952f15d363e72f96ce

Analysis

max time kernel
332s
max time network
333s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wakamarina Valley, NZ.zip
Size

820.0MB
MD5

80650a32f3affa8add6aacca783888e3
SHA1

3cc8a9741d561ac181136d4af47961985605107d
SHA256

da7a47b48ce813ad1cedfea4533d1cb1e2c06e8c407dfa952f15d363e72f96ce
SHA512

fb71507ea428e79bced6e4ce31d2cfd45fb64c2ea59528ebd51024343fb787b60656798be2ab2e055dc3359718c26d92d8c2a68e9a36c0fb293a5cc7d5a62c44
SSDEEP

25165824:VQZvsYnFsWQcluVKbMjRnhes7VHCDegRDMlZCaSAaw49x92zthTX9:iZvsYnFsWp3ERUsC1aSY492zz5

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 18 IoCs

pid	Process
3588	NewZealand.exe
5088	NewZealand.exe
4296	UE4PrereqSetup_x64.exe
3780	UE4PrereqSetup_x64.exe
4604	vcredist_x86.exe
2708	vcredist_x86.exe
4728	vcredist_x64.exe
960	vcredist_x64.exe
3192	DXSetup.exe
2816	infinst.exe
6052	infinst.exe
1520	infinst.exe
4776	infinst.exe
536	infinst.exe
4984	infinst.exe
5440	infinst.exe
5552	infinst.exe
4576	NewZealand-Win64-Shipping.exe

Loads dropped DLL 36 IoCs

pid	Process
3780	UE4PrereqSetup_x64.exe
2708	vcredist_x86.exe
960	vcredist_x64.exe
4432	MsiExec.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
3192	DXSetup.exe
3192	DXSetup.exe
3192	DXSetup.exe
3192	DXSetup.exe
3192	DXSetup.exe
5748	regsvr32.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0d995f46-317b-4b5f-bf3e-9f98bae9d339} = "\"C:\\ProgramData\\Package Cache\\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\\UE4PrereqSetup_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\UE4_Prerequisites_(x64)_20240223081601.log\" /burn.runonce"	UE4PrereqSetup_x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\system32\SETE4A9.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SETE617.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SETE696.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\SETE4A9.tmp	infinst.exe
File opened for modification	C:\Windows\system32\d3dcsx_43.dll	infinst.exe
File opened for modification	C:\Windows\system32\SETE5E2.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SETE695.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\D3DX9_43.dll	infinst.exe
File created	C:\Windows\system32\SETE4E8.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\d3dcsx_43.dll	DXSetup.exe
File created	C:\Windows\system32\SETE5E2.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SETE70B.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SETE390.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\X3DAudio1_7.dll	DXSetup.exe
File created	C:\Windows\SysWOW64\SETE41F.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SETE4CB.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SETE4CB.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SETE53B.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SETE41F.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\D3DX9_43.dll	DXSetup.exe
File created	C:\Windows\SysWOW64\SETE617.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SETE695.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\SETE71B.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SETE390.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\xinput1_3.dll	infinst.exe
File opened for modification	C:\Windows\system32\SETE4E8.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SETE4FB.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SETE53B.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\SETE64F.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SETE3C0.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SETE3C0.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\X3DAudio1_7.dll	infinst.exe
File created	C:\Windows\system32\SETE3FD.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SETE4FB.tmp	DXSetup.exe
File created	C:\Windows\system32\SETE70B.tmp	infinst.exe
File opened for modification	C:\Windows\system32\D3DCompiler_43.dll	infinst.exe
File opened for modification	C:\Windows\system32\SETE3AF.tmp	infinst.exe
File opened for modification	C:\Windows\system32\d3dx11_43.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\XAudio2_7.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\XAudio2_7.dll	infinst.exe
File created	C:\Windows\system32\SETE71B.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\xinput1_3.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\d3dx10_43.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\XAPOFX1_5.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\SETE517.tmp	infinst.exe
File created	C:\Windows\system32\SETE517.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_43.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\vcomp110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\d3dx11_43.dll	DXSetup.exe
File created	C:\Windows\system32\SETE3AF.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SETE3FD.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\d3dx10_43.dll	DXSetup.exe
File created	C:\Windows\system32\SETE64F.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SETE696.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\XAPOFX1_5.dll	infinst.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_D3DCompiler_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\SystemTemp\~DFC5BB0E429A0929B9.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Feb2010_X3DAudio_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_XAudio_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\APR2007_xinput_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_d3dcsx_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_d3dx10_43_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	DXSetup.exe
File opened for modification	C:\Windows\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Installer\e59da0a.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File created	C:\Windows\Installer\e59da0e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\SystemTemp\~DF2076700E16830A7A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\DXSETUP.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_d3dx9_43_x86.cab	rundll32.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\dsetup32.dll	rundll32.exe
File created	C:\Windows\SystemTemp\~DFAA2E063C3BBFFECF.TMP	msiexec.exe
File created	C:\Windows\Installer\e59da0a.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\CustomAction.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_D3DCompiler_43_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\Installer\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Setup.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Feb2010_X3DAudio_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_d3dcsx_43_x86.cab	rundll32.exe
File created	C:\Windows\SystemTemp\~DFDBE0AE005168D6BF.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\dxdllreg_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF0D.tmp-\Jun2010_d3dx11_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000239892d157dd5a9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000239892d10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900239892d1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d239892d1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000239892d100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1"	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DXSetup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DXSetup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	DXSetup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Version = "16777230"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Dependents	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Dependents\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Version = "1.0.14.0"	UE4PrereqSetup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}v1.0.14.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\ProductName = "UE4 Prerequisites (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\PackageName = "UE4PrereqSetup_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D195B7D190100A40A3B35104CE5D515\VCRedist	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06160A3C31624122A971135BA0D60E46\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\ = "XAudio2"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\DisplayName = "UE4 Prerequisites (x64)"	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\ProductIcon = "C:\\Windows\\Installer\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\\Setup.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Dependents\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\ = "{0d995f46-317b-4b5f-bf3e-9f98bae9d339}"	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}v1.0.14.0\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\PackageCode = "58B2C1A7070C8C44ABD5ABFD86427F57"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\ = "XAudio2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\DisplayName = "UE4 Prerequisites (x64)"	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Version = "1.0.14.0"	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Dependents	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06160A3C31624122A971135BA0D60E46	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\AuthorizedLUAApp = "0"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	UE4PrereqSetup_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	UE4PrereqSetup_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	UE4PrereqSetup_x64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3332	msiexec.exe
3332	msiexec.exe
4576	NewZealand-Win64-Shipping.exe
4576	NewZealand-Win64-Shipping.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2344	7zG.exe
Token: 35	2344	7zG.exe
Token: SeSecurityPrivilege	2344	7zG.exe
Token: SeSecurityPrivilege	2344	7zG.exe
Token: SeBackupPrivilege	4972	vssvc.exe
Token: SeRestorePrivilege	4972	vssvc.exe
Token: SeAuditPrivilege	4972	vssvc.exe
Token: SeBackupPrivilege	3584	srtasks.exe
Token: SeRestorePrivilege	3584	srtasks.exe
Token: SeSecurityPrivilege	3584	srtasks.exe
Token: SeTakeOwnershipPrivilege	3584	srtasks.exe
Token: SeBackupPrivilege	3584	srtasks.exe
Token: SeRestorePrivilege	3584	srtasks.exe
Token: SeSecurityPrivilege	3584	srtasks.exe
Token: SeTakeOwnershipPrivilege	3584	srtasks.exe
Token: SeShutdownPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeIncreaseQuotaPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeSecurityPrivilege	3332	msiexec.exe
Token: SeCreateTokenPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeAssignPrimaryTokenPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeLockMemoryPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeIncreaseQuotaPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeMachineAccountPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeTcbPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeSecurityPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeTakeOwnershipPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeLoadDriverPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeSystemProfilePrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeSystemtimePrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeProfSingleProcessPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeIncBasePriorityPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeCreatePagefilePrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeCreatePermanentPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeBackupPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeRestorePrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeShutdownPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeDebugPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeAuditPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeSystemEnvironmentPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeChangeNotifyPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeRemoteShutdownPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeUndockPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeSyncAgentPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeEnableDelegationPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeManageVolumePrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeImpersonatePrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeCreateGlobalPrivilege	4296	UE4PrereqSetup_x64.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe
Token: SeTakeOwnershipPrivilege	3332	msiexec.exe
Token: SeRestorePrivilege	3332	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2344	7zG.exe
3780	UE4PrereqSetup_x64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4576	NewZealand-Win64-Shipping.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4296	5088	NewZealand.exe	87
PID 5088 wrote to memory of 4296	5088	NewZealand.exe	87
PID 5088 wrote to memory of 4296	5088	NewZealand.exe	87
PID 4296 wrote to memory of 3780	4296	UE4PrereqSetup_x64.exe	88
PID 4296 wrote to memory of 3780	4296	UE4PrereqSetup_x64.exe	88
PID 4296 wrote to memory of 3780	4296	UE4PrereqSetup_x64.exe	88
PID 4296 wrote to memory of 4604	4296	UE4PrereqSetup_x64.exe	95
PID 4296 wrote to memory of 4604	4296	UE4PrereqSetup_x64.exe	95
PID 4296 wrote to memory of 4604	4296	UE4PrereqSetup_x64.exe	95
PID 4604 wrote to memory of 2708	4604	vcredist_x86.exe	96
PID 4604 wrote to memory of 2708	4604	vcredist_x86.exe	96
PID 4604 wrote to memory of 2708	4604	vcredist_x86.exe	96
PID 4296 wrote to memory of 4728	4296	UE4PrereqSetup_x64.exe	97
PID 4296 wrote to memory of 4728	4296	UE4PrereqSetup_x64.exe	97
PID 4296 wrote to memory of 4728	4296	UE4PrereqSetup_x64.exe	97
PID 4728 wrote to memory of 960	4728	vcredist_x64.exe	98
PID 4728 wrote to memory of 960	4728	vcredist_x64.exe	98
PID 4728 wrote to memory of 960	4728	vcredist_x64.exe	98
PID 3332 wrote to memory of 4432	3332	msiexec.exe	100
PID 3332 wrote to memory of 4432	3332	msiexec.exe	100
PID 4432 wrote to memory of 1388	4432	MsiExec.exe	101
PID 4432 wrote to memory of 1388	4432	MsiExec.exe	101
PID 1388 wrote to memory of 3192	1388	rundll32.exe	102
PID 1388 wrote to memory of 3192	1388	rundll32.exe	102
PID 1388 wrote to memory of 3192	1388	rundll32.exe	102
PID 3192 wrote to memory of 2816	3192	DXSetup.exe	104
PID 3192 wrote to memory of 2816	3192	DXSetup.exe	104
PID 3192 wrote to memory of 6052	3192	DXSetup.exe	105
PID 3192 wrote to memory of 6052	3192	DXSetup.exe	105
PID 3192 wrote to memory of 1520	3192	DXSetup.exe	106
PID 3192 wrote to memory of 1520	3192	DXSetup.exe	106
PID 3192 wrote to memory of 4776	3192	DXSetup.exe	107
PID 3192 wrote to memory of 4776	3192	DXSetup.exe	107
PID 3192 wrote to memory of 536	3192	DXSetup.exe	108
PID 3192 wrote to memory of 536	3192	DXSetup.exe	108
PID 3192 wrote to memory of 4984	3192	DXSetup.exe	109
PID 3192 wrote to memory of 4984	3192	DXSetup.exe	109
PID 3192 wrote to memory of 5440	3192	DXSetup.exe	110
PID 3192 wrote to memory of 5440	3192	DXSetup.exe	110
PID 3192 wrote to memory of 5552	3192	DXSetup.exe	111
PID 3192 wrote to memory of 5552	3192	DXSetup.exe	111
PID 3192 wrote to memory of 5748	3192	DXSetup.exe	112
PID 3192 wrote to memory of 5748	3192	DXSetup.exe	112
PID 5088 wrote to memory of 4576	5088	NewZealand.exe	114
PID 5088 wrote to memory of 4576	5088	NewZealand.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Wakamarina Valley, NZ.zip"
1⤵
PID:2116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1524

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Wakamarina Valley, NZ\" -spe -an -ai#7zMap20337:122:7zEvent27134
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2344

C:\Users\Admin\Desktop\Wakamarina Valley, NZ\NewZealand.exe
"C:\Users\Admin\Desktop\Wakamarina Valley, NZ\NewZealand.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\Desktop\Wakamarina Valley, NZ\NewZealand.exe
"C:\Users\Admin\Desktop\Wakamarina Valley, NZ\NewZealand.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\Desktop\Wakamarina Valley, NZ\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe
  "C:\Users\Admin\Desktop\Wakamarina Valley, NZ\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Users\Admin\Desktop\Wakamarina Valley, NZ\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe
    "C:\Users\Admin\Desktop\Wakamarina Valley, NZ\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe" -burn.unelevated BurnPipe.{45876660-CABA-431E-AC53-1B90E7FCC5CA} {E6CDD56C-D9DA-49C7-824E-E18DB7B1B1BD} 4296
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:3780
- - C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe
    "C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe" /quiet /norestart -burn.embedded BurnPipe.{5B9627E0-4727-498E-AEF3-2AD9257C4B14} {0FC0BE1F-3B18-4AB2-A8A7-31D50050D6F9} 4296
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\Temp\{99B5E22D-59B9-40D6-9E1E-192EE506180A}\.cr\vcredist_x86.exe
      "C:\Windows\Temp\{99B5E22D-59B9-40D6-9E1E-192EE506180A}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /quiet /norestart -burn.embedded BurnPipe.{5B9627E0-4727-498E-AEF3-2AD9257C4B14} {0FC0BE1F-3B18-4AB2-A8A7-31D50050D6F9} 4296
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2708
- - C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe
    "C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe" /quiet /norestart -burn.embedded BurnPipe.{D5144ED2-3717-46F0-90F2-2D56FEEFE3E4} {73D49AC0-2DBC-4F41-A6A8-0821D8F4914E} 4296
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\Temp\{7672BB55-E548-43CE-9FD0-0C2BB3D317F5}\.cr\vcredist_x64.exe
      "C:\Windows\Temp\{7672BB55-E548-43CE-9FD0-0C2BB3D317F5}\.cr\vcredist_x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /quiet /norestart -burn.embedded BurnPipe.{D5144ED2-3717-46F0-90F2-2D56FEEFE3E4} {73D49AC0-2DBC-4F41-A6A8-0821D8F4914E} 4296
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:960
- C:\Users\Admin\Desktop\Wakamarina Valley, NZ\NewZealand\Binaries\Win64\NewZealand-Win64-Shipping.exe
  "C:\Users\Admin\Desktop\Wakamarina Valley, NZ\NewZealand\Binaries\Win64\NewZealand-Win64-Shipping.exe" NewZealand
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B8042FD05694F0970206D49131B040FC E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIDF0D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240770890 2 CustomAction!CustomAction.CustomActions.InstallDirectX
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\Installer\MSIDF0D.tmp-\DXSetup.exe
      "C:\Windows\Installer\MSIDF0D.tmp-\DXSetup.exe" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe xinput1_3_x64.inf, Install_Driver
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe X3DAudio1_7_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:6052
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe D3DX9_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe d3dx10_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe d3dx11_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:536
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe d3dcsx_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4984
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe D3DCompiler_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5440
    - - C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe XAudio2_7_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5552
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C4
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59da0d.rbs

Filesize
22KB

MD5
b14c0a2c035e5be80c4e550a7eb810b9

SHA1
e209a76915f4c59d6b4e6d6587d6c603979eb13c

SHA256
5641dcecb659a3aeb3059a5460c90c309c8b63de3674e5430757253becfa0baa

SHA512
2f938f1cd34c9d485a2748a3e512cd1b8852080d2b8e42a90aa0ca2c19b345cef48bd604fc0a0097c8935ff6843bc473ef87319a1e3235baed0061929c5b0780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
9b1f6b70bda69a1103260c6951aa560f

SHA1
121da6f9d62998913f09dedbb4b23efdc2d509c2

SHA256
fb69fd0d9babc979c3b479a20301fb658b23ccab1b0377925423860439dda4d5

SHA512
3ab2380733ec7c1e1bdf2252cecaf4b5d50aff8b887184de127b0849016a19dd332dc9d392254f4dcca71c730f17bb9d1a57b1fe47e32adc78a1021d433448d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BEF5BD13CF5F13F6FF3D15BBADC93CE5

Filesize
1KB

MD5
8beb43b37577e49250e35dfaf0692f59

SHA1
2c84038807080a5ce6a8a8492062830acca65aa3

SHA256
5a1a171d640561a861d656ad8ecdc0bd8e39b5af9ce948be605f85bec9ce93bc

SHA512
5bece25a7e642b48a14c3a773fdbf1d43a0260abd6629db439cd75c1df5fba4ad0c723707a88e17cd25c52403cab656ba4b89e29676a4a714b9e92c2ecee9d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
06c8d9a907383df2bcbef1d899569665

SHA1
12328256091b5f3d9627429b74742a81394781db

SHA256
d4c8842890395656451f9b15019f3f45a4850236eda1f562daa15a98b7bcb7cf

SHA512
75aa91c13ca2ea38a8c3b53214e5c58fa3ee51e29825d1f5eb71c713c2f7ba38e4905c52518b45aef39ec6662d2eea37465906178005d8037497e745e06dc5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
3f1fc7178fa69aa2bd90da449e10f27e

SHA1
2b602354f134195c6bbecee2838755c22592f76e

SHA256
62a20b8f309db2720a287136b7e0590a638fee332acfe286590d575dee591a84

SHA512
63e8174711bf64bd85b271c830041cc66950cfa0a8b0df0bb6fd37beb05e4a48fd6b5bb1b2c31de7080f7551f8c66c6cd0658fbbca2e3cb519cc940df7efcf35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BEF5BD13CF5F13F6FF3D15BBADC93CE5

Filesize
402B

MD5
b1a48ba9f4d4f422e1017b6023ebacf8

SHA1
5c7b082de724fc8fbd5fbb37bf9a91e5b82c81a3

SHA256
2f0b23453c1a682f2a4b2a2a29aa23988a719b089cb32b24e047b0f5d86583ca

SHA512
d4915a9b4fab4eb6108c818da954f6bf3575cadfc5d23c6eb00d794f837ec10a3d18e329049f985672d461797a197db47d123b69ea066dc372aa344e63b8f3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\D3DCompiler_43.dll

Filesize
2.0MB

MD5
1c9b45e87528b8bb8cfa884ea0099a85

SHA1
98be17e1d324790a5b206e1ea1cc4e64fbe21240

SHA256
2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c

SHA512
b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\FEB2010_X3DAudio_x64.inf

Filesize
815B

MD5
49460e9297b0faab5a5d73e7aa2caa67

SHA1
a7e211f3d4ae808f67a798924c4d3314183df873

SHA256
68351f03f4ef83e4b8c359e3e130441081690a1866b838a1b35d64674ef3abbf

SHA512
92c4c0751e9123e1eb09da312bc44041d13262e26cefb807dcd1b354c5bd12c0d7197f1d3d457ddef89714b77ffe45db9c717332963c6daa507ae02a6d5fc941

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\FEB2010_X3DAudio_x86.inf

Filesize
1KB

MD5
e84adf38d499ae39090ad60fd76d76e3

SHA1
6af4d58bc04aac2723e8b97649f1b35fb1aca84c

SHA256
d4da3e530982812d1e2a31570b80af541fac1b13c72997d2aad7ea3bfeaf4a4a

SHA512
6714992e7aee7bd0798fbec68f92c97ee502127580e21e1b6693ed6737312b44dbc9fd9ef579fe552590e9e5a4904df94e4116334265a34699a04aa76ab87c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_D3DCompiler_43_x64.inf

Filesize
830B

MD5
6494a3b568760c8248b42d2b6e4df657

SHA1
700f27ee4c74e9b9914f80b067079e09ec7c6a7f

SHA256
3e779533a273e3395109c7efac13ba1c804c01b3ddb16938406fbdf90d851216

SHA512
2bf68b123d7823ad7182e132d9e55f8de7580229e8e1b3b40030da50bb9bdeaf67bb9727ce2171fa83b7f804c24d9728ffabb44cb5017b16b771bb19e62b1b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_D3DCompiler_43_x86.inf

Filesize
1KB

MD5
1a86443fc4e07e0945904da7efe2149d

SHA1
37a6627dbf3b43aca104eb55f9f37e14947838ce

SHA256
5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf

SHA512
c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_XAudio_x64.inf

Filesize
923B

MD5
dd987135dcbe7f21c973077787b1f4f8

SHA1
ed8c2426c46c4516e37b5f9aac30549916360f7e

SHA256
1a0f1b929724f8b71d5ce922f19b9d539d2d804c89af947d5927b049ef0fd3d8

SHA512
f0469c94219b4df99d7b9b693161a736fa8eec88a3f6c7f2cf92fab2ade048dfe61fcde3a4cf4f7a2aaf841d079a46b17259dea22cfb02831983f55bd7f61899

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_XAudio_x86.inf

Filesize
1KB

MD5
31d8732ac2f0a5c053b279adc025619f

SHA1
c8d6d2e88b13581b6638002e6f7f0c3a165fff3c

SHA256
d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da

SHA512
abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dcsx_43_x64.inf

Filesize
815B

MD5
e1f150f570b3fc5208f3020c815474c8

SHA1
7c75fc0cf3e3c4fd5045a94b624171d4e0d3b25c

SHA256
5289b5ad22146d7cc0c35cdb2c9662742693550de8f013d1ec40e944288d155a

SHA512
a53618ed6ebcd50ef074b320eb3ebd38af4770a82caa808e47cba6a81982ced46cf954a1c5a383f171006e727d8211b4fce54c9faf27b4c14a770a45a09037b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dcsx_43_x86.inf

Filesize
1KB

MD5
cf70b3dd13a8c636db00bd4332996d1a

SHA1
48dd8fc6fa3dae23cb6ca8113bc7ad837b4570d7

SHA256
d5200b332caf4fff25eb3d224527a3944878c5c3849512779a2afcfeae4c3ca1

SHA512
ae31a9e20743a2052deec5d696a555460a03d400720679ed103759241b25d55e2fbc247170da3c0c0891f32b131ab6a6845de56c2d3387ad233aa11db970b313

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dx10_43_x64.inf

Filesize
815B

MD5
13c1907a2cd55e31b7d8fb03f48027ec

SHA1
ca37872b9372543f1dbe09b8aa4e0e211a8e2303

SHA256
a65f370a741d62c2be0ca588758d089dd976092cb910bb6b1b7d008741e18377

SHA512
545aaf268d141e2aae6800e095a1ae4eafe6bfe492d95dfe03789ccb245cc3ef3f50f43b10a41a3b0efdc7f8c63621b437323e133ba881f90a3b940095b80208

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dx10_43_x86.inf

Filesize
1KB

MD5
53a24faee760e18821ef0960c767ab04

SHA1
4548db4234dbacbfb726784b907d08d953496ff9

SHA256
4d4263cbb11858c727824c4a071f992909675719be3076b4a47852bf6affd862

SHA512
8371471624f54db0aca3ea051235937fc28575c0f533b89f7d2204c776814d4cd09ee1a37b41163239885e878fb193133ad397fe3c18232ad3469626af2d2ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dx11_43_x64.inf

Filesize
815B

MD5
590fe1ea1837b4bfb80dc8cb09e7815f

SHA1
792b5b0521c34c6b723a379dd6b3acf82f8afb1f

SHA256
2c4cf75b76203cba6378693668c8c00b564871c8bfd7fbda01e1e841477b2a3b

SHA512
80bee8f1ad5bfaba6b3ac5a39302a1427dbaa5919d76c89b279dc753170ec443924eadf454746ce331a6682ee729ab79bd390a5d3b55db8d08fd6f4869101f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dx11_43_x86.inf

Filesize
1KB

MD5
fb5d27c88b52dcbdbc226f66f0537573

SHA1
2cbf1012fbdcbbd17643f7466f986ecd3ce2688a

SHA256
3925c924eb4ec4f5a643b2d14d2eda603341fbbd22118cdd8ae04aaa96f443c0

SHA512
8aa2200f91eca91d7ee3221bc7c8f2a9c8d913a5d633aa00835d5fb243d9cb8afa60fe34a4c3daa0731a21914bc52266d05d6b80bfc30b2a255d7acdf0d18eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dx9_43_x64.inf

Filesize
812B

MD5
ce097963fc345e9baa1c3b42f4bfa449

SHA1
e7624afc3a7718b02533b44edfe4f90d1afda62a

SHA256
272650a2d9b1cfea17021f4bf941b21f2206791e279070d4e906ce0ce56ac16f

SHA512
f3c4f00eebd9d465bc2415d59c417bca0f5a07c8e13880b28704f770763609a653d4b06f53d98325b66c2c7094895190900c47980f81463215e919f00966ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\JUN2010_d3dx9_43_x86.inf

Filesize
1KB

MD5
a11deb327119b65bacce49735edc4605

SHA1
0be2d7fa6254b138aa53d9146cda8fedbba93764

SHA256
6b33d32da02f664092d44b05237990f825b4062c105a063badcf978648b5e95b

SHA512
b0134a3d6f2d576e5fafb601014ab66fef91d661013acc8a7a9129940369a1d9ed5c0f228bb1666a4e891f09b4b18e83f0cb2080047aa84fa45ab663e5739a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\X3DAudio1_7.dll

Filesize
21KB

MD5
c811e70c8804cfff719038250a43b464

SHA1
ec48da45888ccea388da1425d5322f5ee9285282

SHA256
288c701bdedf1d45c63dd0b7d424a752f8819f90feb5088c582f76bc98970ba3

SHA512
09f2f4d412485ef69aceacc90637c90fad25874f534433811c5ed88225285559db1d981a3ab7bc3a20336e96fb43b4801b4b48a3668c64c21436ee3ea3c32f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\X3DAudio1_7_x64.inf

Filesize
689B

MD5
d2f7a179d3b79547d18a4157f71666ef

SHA1
9b83f1dd7fabf1982cf0f317061d24a52c6fd2f9

SHA256
1da8585eb518801a26ce5a535620ad7bb4177dfccc8e468c8a003db064849d04

SHA512
5976d6ac22745a61b726426c65768594282af5b560575f718b588609c8f4fe02b0c1426297b775df241f4110f2bb1f37e2df30e94489a3d957319bc738262cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\XAPOFX1_5.dll

Filesize
72KB

MD5
8a4cebf34370d689e198e6673c1f2c40

SHA1
b7e3d60f62d8655a68e2faf26c0c04394c214f20

SHA256
becfdcd6b16523573cb52df87aa7d993f1b345ba903d0618c3b36535c3800197

SHA512
d612e2d8a164408ab2d6b962f1b6d3531aed8a0b1aba73291fa5155a6022d078b353512fb3f6fff97ee369918b1802a6103b31316b03db4fa3010b1bf31f35fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\XAudio2_7.dll

Filesize
514KB

MD5
81dfddfb401d663ba7e6ad1c80364216

SHA1
c32d682767df128cd8e819cb5571ed89ab734961

SHA256
d1690b602cb317f7f1e1e13e3fc5819ad8b5b38a92d812078afb1b408ccc4b69

SHA512
7267db764f23ad67e9f171cf07ff919c70681f3bf365331ae29d979164392c6bc6723441b04b98ab99c7724274b270557e75b814fb12c421188fb164b8ca837c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\apr2007_xinput_x64.inf

Filesize
860B

MD5
94563a3b9affb41d2bfd41a94b81e08d

SHA1
17cad981ef428e132aa1d571e0c77091e750e0dd

SHA256
0d6e1c0e961d878b319ac30d3439056883448dcf26774003b73920f3377ecac8

SHA512
53cac179d7e11c74772e7b9bd7dd94ffbc810cfc25e28326e4d0844f3f59fd10d9089b44a88358ac6dbd09fb8b456a0937778f78ecc442645764f693ccd620b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\apr2007_xinput_x86.inf

Filesize
1KB

MD5
e188f534500688cec2e894d3533997b4

SHA1
f073f8515b94cb23b703ab5cdb3a5cfcc10b3333

SHA256
1c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5

SHA512
332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\d3dcsx_43.dll

Filesize
1.8MB

MD5
83eba442f07aab8d6375d2eec945c46c

SHA1
c29c20da6bb30be7d9dda40241ca48f069123bd9

SHA256
b46a44b6fce8f141c9e02798645db2ee0da5c69ea71195e29f83a91a355fa2ca

SHA512
288906c8aa8eb4d62440fe84deaa25e7f362dc3644dafc1227e45a71f6d915acf885314531db4757a9bf2e6cb12eaf43b54e9ff0f6a7e3239cabb697b07c25ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\d3dx10_43.dll

Filesize
459KB

MD5
20c835843fcec4dedfcd7bffa3b91641

SHA1
5dd1d5b42a0b58d708d112694394a9a23691c283

SHA256
56fcd13650fd1f075743154e8c48465dd68a236ab8960667d75373139d2631bf

SHA512
561eb2bb3a7e562bab0de6372e824f65b310d96d840cdaa3c391969018af6afba225665d07139fc938dcff03f4f8dae7f19de61c9a0eae7c658a32800dc9d123

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\d3dx11_43.dll

Filesize
242KB

MD5
8e0bb968ff41d80e5f2c747c04db79ae

SHA1
69b332d78020177a9b3f60cb672ec47578003c0d

SHA256
492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d

SHA512
7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\dxdllreg_x86.inf

Filesize
724B

MD5
8272579b6d88f2ee435aeea19ec7603d

SHA1
6d141721b4b3a50612b4068670d9d10c1a08b4ac

SHA256
54e098294ef0ad3b14b9c77642838b5992fe4573099d8397a1ef566d9e36da40

SHA512
9f1311803db1607e079b037f49d8643daa43b59ce6eafb173b18d5a40239a5515091c92b244ffe9cfef2da20530fb15deb6cf5937633b434c3262e765d5a3b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\dxupdate.dll

Filesize
168KB

MD5
94202f25810812f72953938552255fb8

SHA1
c1e88f196935d8affc1783ccf8b8954d7f2bfb62

SHA256
6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564

SHA512
65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\dxupdate.inf

Filesize
12KB

MD5
e6a74342f328afa559d5b0544e113571

SHA1
a08b053dfd061391942d359c70f9dd406a968b7d

SHA256
93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca

SHA512
1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe

Filesize
74KB

MD5
bc28813c31c30e57c1deb826d3a16983

SHA1
f022f389a03d13b31f8d534ad89830bb755875cd

SHA256
132c7d71f0ee5d5f9a3e94b6d86377b390a1f9dfac34b0fbcc39c918a82cb575

SHA512
b05f789408e41bee05e599edd56e2a432fbe2070dc8baca1552d1cfdb92e0dfee1357ed447b216ef43586981a955e8065d84c15f0c33b8aa2ff73dd234f6075e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe

Filesize
74KB

MD5
730e5493910e5693499485e352381c6a

SHA1
2871488c24d069e677868e0a590e7e74f1f19b12

SHA256
d808bb408a4bd695a9793e70b1c61637e008ac11174dbe1373481e2bdb0c9299

SHA512
62fb2a2ddfd62d48ca8a709426c07e1cda0e66df5b977c3bfdc3b191d15c3a139a5c6180ed7a66b2418a5436273d713f2af1cb21f7dc77df78e0743d6a18e176

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\infinst.exe

Filesize
81KB

MD5
a7ba8b723b327985ded1152113970819

SHA1
50be557a29f3d2d7300b71ab0ed4831669edd848

SHA256
8c62fe8466d9a24a0f1924de37b05d672a826454804086cddc7ed87c020e67ff

SHA512
60702f08fb621bf256b1032e572a842a141cf4219b22f98b27cb1da058b19b44cc37fb8386019463a7469961ca71f48a3347aaf1c74c3636e38d2aea3bca9967

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\xinput1_3.dll

Filesize
79KB

MD5
77f595dee5ffacea72b135b1fce1312e

SHA1
d2a710b332de3ef7a576e0aed27b0ae66892b7e9

SHA256
8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7

SHA512
a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\xinput1_3.dll

Filesize
104KB

MD5
bfb3091b167550ec6e6454813d3db244

SHA1
87e86a7c783f607697a4880e7e063ab87bf63034

SHA256
756cad002e1553cfa1a91ebe8c1b9380ffabe0b4b1916c4a4db802396ddfbef8

SHA512
ce2ead2480a3942081af4df4baee32de18862b5f0288169b9e8135cc710eb128f9a2b8a36bda87212c53fd4317359349c94d38b5da082638230dcb5669efede9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXE15D.tmp\xinput1_3_x64.inf

Filesize
669B

MD5
c9635b7617d68d95f9113282472218c9

SHA1
e3da3f2600a0f5cd0e28722ee313e04fc29dfc60

SHA256
0d411d9424128f19fed2daa95a2983b4b29197f022a754f59d0c7740ad654cca

SHA512
0481e008619d3b3a45d0a90825b576e4c03f27668b0792762cb9165b15955645667392f23eac5e5c4eb8a7fe6fa47cae4c319323b02225289af0cffaf1ca8c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\UE4_Prerequisites_(x64)_20240223081601_2_PrereqSetup.log

Filesize
1KB

MD5
a2079f81bbdb3e98ad282d3ab012ae6a

SHA1
154263ddf0501cf7e4a696c26399884706308ee9

SHA256
cb72780636be11c9d1e6ddbfdf40c87eab5e74d47f772b22d45ef10c4324f74f

SHA512
31f6db0e597c6320862d0a14c65f6b0191f8fcd8b419270d5983e6bf2ea864fb67d02da600556d76a8d04ca846a21b82885785cbcf3798e7510549a31d5b6fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\Banner.bmp

Filesize
123KB

MD5
461fa4877514f318a0d5cbc602daf7df

SHA1
5d2ed3abc96bb1fb419828e3de3fc75a6292536a

SHA256
638d5bfc987b45d28a308e8a4d68bd7c0a82d21e615e534fbfaa3cd0ad53889e

SHA512
c4def63dfde38cb2e35d75c7e61428cb9df2429af799e3e0b29c7bc1d9c60e8e32f18cc0e7b55e177d95bdb333a7a0d1f4369b02f5c574b6688047e01e9f98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\LogoSide.png

Filesize
43KB

MD5
63c9775d703ec8bdc9703f80d52ffc24

SHA1
1a5f3fa1fc4ee2a7e08506f8178d769cdcd7ec62

SHA256
8f03c6e8ce5f4898cc230e04d485e0e0744eb7ee180a3d8bb154f2fc9c7a93e5

SHA512
b2d9d18a3d6a1df401ede41e35af7167c6f253f54c290d1db64db212b5a2e9a2534e86e031e1e5499b2ce11bb952afc6bcd8f85aca351d49867c77dd4edba458

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\wixstdba.dll

Filesize
135KB

MD5
36b53c5299a3b39e5c9cdbbd28a09506

SHA1
9f4c767ef7ea887a88a698bcd66e4ba691e1c17a

SHA256
97f1901e7c928b9231e503cd3a1315f0d8449356b9f25e7eb4c2cebeee72012a

SHA512
af4c7cea8bebe0f125b59eed11fa0053178dd546784f68ad7a642eb128ed0d05dd6ccfe685b912381b61becf9c336dcbbc8c4ce56884a511f3f0a69826d8de83

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.be\UE4PrereqSetup_x64.exe

Filesize
786KB

MD5
ddf7b1641565da963c4b5fa54da0c6fb

SHA1
06e78b6490aa53b0aadd69689767b900559b1aad

SHA256
62182da08e543edb383be4cccba214e30f1dcd73395f461af3a142a69893f254

SHA512
194490ea8b440841924a2e453c4e660ec781d7959620118504b16ea7ad799107eab26eab765d8378509d6a6f67fed3e5673ad362789245f46a67a8c81b07076a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\PrereqSetup

Filesize
11.7MB

MD5
4cc0e85424b8c7ec50c29554637e5c14

SHA1
5ee1bdf3f72b16a1780cabb6288bb97db7eb4a12

SHA256
6e3f68b3f747899b658a5946b1bdc4cb5a8956c93e54cc1fd7dae454e4fa1d22

SHA512
49768efd40965167fa5e7c87b2c885f73eb4e9808b1fe923ad212d49c8b9c58efb8d2ac7ea9de4a2019b6d548aaac82290127beb1f711fb23cf32d038326ce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\VC140_X86

Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\vc140_X64

Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Users\Admin\Desktop\Wakamarina Valley, NZ\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe

Filesize
23.1MB

MD5
a00ecd386571df42489881545184bb1f

SHA1
40044335499b3c7b4dbfaebe1457e7438476451f

SHA256
1f85cb8b597258c0a1dc770924565da2771bcd9c6f84cf4e682ef148b840909d

SHA512
e2ba63bd41973feccfd99238cce2fb83b5cb51358132a7b06b425a7bbbc019c12f3636153f2281bb1b8246614f8f8f998d2504a4c90457519bbc29e717e2dee2

Download Submit
C:\Users\Admin\Desktop\Wakamarina Valley, NZ\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe

Filesize
19.9MB

MD5
e90a51c201272a2337b258f6feb57358

SHA1
4632667eabc6f658264f467d6597d7dfacec4369

SHA256
a39a9fde090e81fbc69bfce45748689af77d8d93971799453553dc1dd3c731fe

SHA512
0443e2400a202a416eb6b1507145cb463c11f6d4f46d19bc86e65d6404c7be12030a1b541d01e8951214eab18535762acd4226d64fb896cb89402593e4a3324c

Download Submit
C:\Users\Admin\Desktop\Wakamarina Valley, NZ\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe

Filesize
16.7MB

MD5
e3e6461d5976a2eb7358f5d1b4fd0ced

SHA1
c8aedffebcd43430b0bd140bdf2dcc205691fc12

SHA256
e6cd7fbed2032d48aaecf1b112730b54eaf8eaa330b4767ef08ee743b7b8ebb0

SHA512
0a947b2cc2ce0947c14705cd7b918579e02621cda8a3cb5b4c7749df9bf1fc3f158ffd0e2690e12a9678ec8d440ab26a09a6f2ffdbe3114ec6a3b58917e528d5

Download Submit
C:\Users\Admin\Desktop\Wakamarina Valley, NZ\NewZealand.exe

Filesize
185KB

MD5
f9abc082c4a34af24d16e43a0370c6d2

SHA1
37b6a3e4dd3da94b7e447f9fcc5815837735b8cf

SHA256
0e9d5678fa5f168bc75df51a0b5a6d818e8989f72ad96216f117fa3b41504579

SHA512
9d4850ee1b80577d83ca849fe0ce7d46f1aeed5250356aa38fcedaffdab40aa8ed631954a02334d937feff52266efd58128e5cdcfcf71ab7df40b9282df6ed06

Download Submit
C:\Windows\Installer\MSIDF0D.tmp

Filesize
5.6MB

MD5
f93289da67caec49b8c034dc244c916c

SHA1
4b574461b6e94de4d598151e5bccbf59df0cfda4

SHA256
20c73e7a43427c60c902e12cb3c9eee56495f5eed6ab57a2a7e0b9db3eeed2a7

SHA512
fea8ca4615131ea69e1701bbc113c93a9b55d1d0099a0016fbc0b89413b91beaf29b09ffe5cfa7a1fcc61b0c5cb0e4d7b1a9021990697ca4f362c23788505d58

Download Submit
C:\Windows\Installer\MSIDF0D.tmp

Filesize
5.1MB

MD5
895afc317d7d59eddef8fc94319b5bfa

SHA1
61107b771d448426fa93788b699009a43c506b58

SHA256
cc961d468739f05453a684b4313ea398df940d898c0bbe00e85ef18b06501383

SHA512
3a765151d7e50987507801591451059a980e25ae5ad9d78b0effb7b8b81b629df23b1daaa7db2744cc79c9d49c4712d2096339551af77b27ce18cd0afd4229d5

Download Submit
C:\Windows\Installer\MSIDF0D.tmp

Filesize
4.8MB

MD5
50329297e7f32490ae31c288e9fec6d8

SHA1
f3b843fa543f81fe588cba2ab5958b91587d787f

SHA256
76e4b012f6bd87b8d905608e6c398efe7c6d4a0fcaf10d6a439df62ddd963d94

SHA512
d257c7c446524f7d9c2816cdb9a5fb3b1f1b8c3111c8ed6e279ded90a6f9351a849abbdfbe8a4a9962cb55b39c74b1788ff8880a6edf83f2925b972547330f9f

Download Submit
C:\Windows\Installer\MSIDF0D.tmp-\CustomAction.dll

Filesize
4KB

MD5
6a9a48dc9f4a240a947b957ff14e7070

SHA1
1568c161a338e8afd6db1d1fdea8d2de72df6334

SHA256
7b64f279feee5e8b350dac6c1e3bddaeb110a16b4839f7167667975abf987be1

SHA512
5bddb9dfcaf36fa4ce1faa20812500ed8995ab3f86ec0b44edab912a185688842f0e0d2ec01e6abf48d863da783fe4db193c3581347810a0bfae15083d3cc148

Download Submit
C:\Windows\Installer\MSIDF0D.tmp-\DSETUP.dll

Filesize
87KB

MD5
9e0711bed229b60a853bcc5d10deaafc

SHA1
2bea53988bd35c5df5c9edcef0bc234c37289477

SHA256
def6f245762be36cf18b435ba8b7ebc224b9c21d1a1db606a8e8fafdaa97bba0

SHA512
c0b31872e52c8f4270d991c70d1a1c9ef9a4bbee4807c54c05a449cd1607506ab16ff1e74b378651b36e3276322c86cd843565c8a1aa33a49c47322ef4df0185

Download Submit
C:\Windows\Installer\MSIDF0D.tmp-\DXSETUP.exe

Filesize
524KB

MD5
ddce338bb173b32024679d61fb4f2ba6

SHA1
50e51f7c8802559dd9787b0aebc85f192b7e2563

SHA256
046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de

SHA512
7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

Download Submit
C:\Windows\Installer\MSIDF0D.tmp-\dsetup32.dll

Filesize
1.7MB

MD5
0f58ccd58a29827b5d406874360e4c08

SHA1
ba804292580be6186774e7f92e6dfb104e46bf25

SHA256
642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb

SHA512
3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Apr2007_xinput_x64.cab

Filesize
94KB

MD5
743b333c2db3d4cf190fb39c29f3c346

SHA1
26b3616d7321978bd45656391a75ee231196a4a2

SHA256
e7a09f8235cc587cc63f583e39fbc75008d9677c8bb4dcc11cb8d0178a5153ac

SHA512
77fbdb86c79d7228bca2982a3285a417a365af980488a5ac2d470b532fa59fcc15e0e8dbee6eb1a3a5256fc29e0e3391529cd2ac13e0f72987ee0da136000957

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Apr2007_xinput_x86.cab

Filesize
52KB

MD5
c234df417c9b12e2d31c7fd1e17e4786

SHA1
92f32e74944e5166db72d3bfe8e6401d9f7521dd

SHA256
2acea6c8b9f6f7f89ec51365a1e49fbd0d8c42c53418bd0783dbf3f74a744e6d

SHA512
6cbae19794533ad9401f92b10bd9549638ba20ce38375de4f9d0e20af20d78819e46856151cc6818325af9ac774b8128e18fbebd2da5da4efbd417fc2af51dab

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Feb2010_X3DAudio_x64.cab

Filesize
53KB

MD5
db47136a200e326174ce790359596eb6

SHA1
fabca8c0aa28164ef4fdb7ee4ae8942a275b1713

SHA256
832b6d48e169b4725ae482ea4d1c3360a09631a89b2fac3aba81a50805a50adc

SHA512
f3b04168ca14ad4586493ea985417cce43ee11f37aa1856e714f44e132a31dbb84934943b947cf0b2aa39344e183cba8b6f49431b4471bd0e623926def94cb8f

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Feb2010_X3DAudio_x86.cab

Filesize
20KB

MD5
88dfbb4c1876e80a1864265c61c7a7fd

SHA1
c6ee8cff225019a93308c896146d94b00fd5417e

SHA256
acba5c4d4ac90e1df1c8404be5ff780e24238153cb410af909cd4364d213f2a9

SHA512
35e564aeeb6e462221a36cfa680e7e932333b0b92b0115ce5306ff59784abb13b8f7527fdd686737170425f2719f2d3a6901dc9822af4d537d9b5377b6bf89e4

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_D3DCompiler_43_x64.cab

Filesize
768KB

MD5
19905e90adcc6755b480650c07c714f3

SHA1
e6e7421a54be1d4378c474afc7e072c5dc75fa72

SHA256
f3fc07b92c69c6a5dfcafa3ca0b9a5b9fcf092c70363f9d85846795b7eacb17d

SHA512
bcacd956e7efb5af58c8da38413f6197951e43afda6a78366b3262d13a3f91a7345df9b469ae31b4fe33a63615babb8e2a4b9df7bbfe0589ba840ddd3e786dec

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_D3DCompiler_43_x86.cab

Filesize
896KB

MD5
1e0361afd1d4b5e8dca614207a32f65e

SHA1
db0b3c23ffa2bb21aa6f95bbf706d522e4fe8778

SHA256
148ef6438821cba37dbaf4af112d9362c8fd2b55fad520340b810ebed34b5e50

SHA512
6ce47280dbce2ffb121143d972f7460b83ccd3f99341326c077fa40e13922c9fe6a1037a08ddcec5e0c776c456e7c53781adbf4e8b4d30ffbb4d476a9b8a9c12

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_XAudio_x64.cab

Filesize
270KB

MD5
edeb828a8e54a9f3851007d80bc8dd6e

SHA1
358e429ac3b125cc7fe4f9ea46cdca4583cbb1a9

SHA256
51500283f69e97f5beddb073ba2a9017de3d30379c0dcc4d11dd2236ce07b317

SHA512
8cf68e1a09c257f7fc29991331a128c159634ea86e36b6be8c2a0caf5ef1fda8e1c79639f099ba32650a9fcb26478f113227ee7ead84bfbd728665eb1a522537

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_XAudio_x86.cab

Filesize
271KB

MD5
9d2da3b1055120af7c2995896f5d51ed

SHA1
2df40d48c69d7cfb4e0c19f07a019f5f123303fa

SHA256
7b4332207563beba1103744b6db5399ad150e9e6838f9d5a71497e7eb3645ebf

SHA512
deb76247b3003fc59c0a95cc2a47d6dd56e2d75aec81c3ab6ca6c0c513fb054e8025c871e97b7d7f2c823df54a2fe8202f4c0caf677251070b8bce40d2db70f5

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dcsx_43_x64.cab

Filesize
735KB

MD5
850aafddfefea671a2e1bbf1b65f2a8e

SHA1
9679e7f294ca9de945b6f4f3d775d739dc2f8cd1

SHA256
cdbec7e3a5a0fef016eb294b036f93c75e45c6ead8d99397f859a32d23fe20cc

SHA512
d87d8d123700e02caa6562c9f22a90e86b2d8277b20089ab9d77a885094aef22bb69d60405b366ebf8cbf74f4b53a17095c3cc93b8bd3766cef7eb02bc47397b

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dcsx_43_x86.cab

Filesize
744KB

MD5
44dba9557f956787b66f285776c3dccb

SHA1
4560c64f8b6bbdeedd85398f2e18404c389e4d8b

SHA256
e2c5a2cbba7f211b6ca72ff8e5f69cba1f83be06357311b19e64f582fd3d14e4

SHA512
25fbc95346bac890fee8d2a0805015af1eda5e0bb17b12d4eef52ca446775d08898fe5c13239e983a0f8c8dd13f8f2a5247a70e8e785e2bae42ff5ab1cca4156

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dx10_43_x64.cab

Filesize
230KB

MD5
2d9586b276a561924ff2335fccaee914

SHA1
3b8114a8820a8df9df2321d6c4da8ea155ce736f

SHA256
efce48d425c07f1faad4a55d7061a01ed6245aac17f43163cf2a23cbc9a3054b

SHA512
d78ad87685eb71d2eb8c68e1e2c7fd5a90250f04059dd0016e4c8ca01bf53c02dea01998fe6de9ae3a3f76b2964d14a61e694546a2e6844bb304c315ae5b80e2

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dx10_43_x86.cab

Filesize
192KB

MD5
a89b98ab89e0d4ff9dae412d49e27c51

SHA1
18803d4bcc83ad39f25ff9f899baf136c89c10f1

SHA256
a8cf71ffb80b683616d0621be96d3795b0ffda3877ed2d80cd958bfa393ddcfc

SHA512
0b96a04663d2fbfb21901af832a5362785fb0270d1be0ef136549f07e2625653f8facd129889a5f3489fc8a1270abe474e4f1626ea630a3185a36812545b4dfd

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dx11_43_x64.cab

Filesize
134KB

MD5
96e7847a914afcb489194940b06a5c23

SHA1
9439907a1000b9dcb8989ffbd828e6294c277fba

SHA256
c1d0d56b83bfb09a5e1a89e1898bb74446a847b30a968f3664ec2d87368eb63e

SHA512
638485084884fab9d8952af17b24c4aef16dd026c75256026859bfe4f24d7f11fd2240cde8c5de0dab8968885a6d344da7335be257570e947bf5da8ac06f61ad

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dx11_43_x86.cab

Filesize
106KB

MD5
758c5a459978cb2c68a300a60da153be

SHA1
66d12509137f2b5e1a668df39e6ccce6402822c3

SHA256
a58cefe822e371d078eaf89319f832693352ba7d62079320074397f0f3425961

SHA512
f33d6fd3354310e6cc4b483eae955a9652e7f71ceef7c444bdef84251ffa6ec0b89886a2344d18e0a1ad5285123ad808904372289e1e1c8d14242483f0426588

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dx9_43_x64.cab

Filesize
915KB

MD5
063fa6f7061324eac1c4de0350c20e80

SHA1
daccf01b4b7493b88f04f9e50fe37c03846335ad

SHA256
9b98a1269af7f3a0007bfdc73206a47a6ee158d34ba8a87009396c18186bb06a

SHA512
3ad31100cbca4da52e46518e577dca94b595f9d47a3e9552cd764905ffc2876f9127b69a97bac44dbd754021e14ddec65480b7628a3768f03e53de8fbb08c547

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\Jun2010_d3dx9_43_x86.cab

Filesize
750KB

MD5
7749862c307e527366b6868326db8198

SHA1
bce9f21cdb1e101c7223c9e62eca61ec22d6bb81

SHA256
fcc6cf0966b4853d6fa3d32ab299cde5a9824feaecb0d4f34ea452fb9fd1c867

SHA512
b65a84535b749ade0f8ea1a8ab6239df8e82ad59cbdb07487fdbfcfcf57a565f493f56378e216859a081d23ddf7c671636f53ef821289d66452f09218080f02b

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\dxdllreg_x86.cab

Filesize
41KB

MD5
a025c67403dc2c2bcd709aa9435faeb1

SHA1
0433ee289e96a0d83a0c66ec35cf906a3e063884

SHA256
8ad77a4d9c76f65cd62337588f847cc1e0ca6ca9735937f3a781f7395e9566a1

SHA512
56bced81de59d413238b01396fafa6442ef6db0afaf237a699966df4753ed1a0b555450fa308f6965689a67f9fb5efb5d377d5f602a8d453ecceddca41072b45

Download Submit
C:\Windows\Installer\MSIDF0~1.TMP\dxupdate.cab

Filesize
91KB

MD5
8adf5a3c4bd187052bfa92b34220f4e7

SHA1
b52be74c4489159bd343d3c647f28da1fd13d9b9

SHA256
13393a91201e69e70a9f68d21428453fff3951535dec88f879270269cfe54d6f

SHA512
3e2f2fe4b5742a4cf6ee2f6b8c0ca734fd0b3c5431dff112c907231846dd3eebee7b9b8117f0256119614282cc7a4896474a199563078481d48a1204ca96f92d

Download Submit
C:\Windows\Installer\e59da0e.msi

Filesize
7.8MB

MD5
dfc3f3a2956ebeeba0054031997959a2

SHA1
7bfe6fec10b67c6b29da07e91400e2a0283e33d8

SHA256
8867ff1b5a7ed689dac48abf31944cc8ff027c08cd57079346d6d831e4111e8b

SHA512
f3af85a46f14079f2c301ce66bb4e4d7df36feda417c45b343116fe3ecfe6e5ec3304424d756abb200ceca7ad49f984b52af078a1411a95e49f266fd51886b2c

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
68KB

MD5
ebce933955b033e09e61afcf9e89023b

SHA1
10e37764045c7c452c0b695a67c22cee5992607e

SHA256
99fd4f245fe737c36a891cebd5b8926615baa2baafdbfd17114804ea3c7ff678

SHA512
80bd86ff4585fb551b77508075a794a44b1a67534f17c3eb57dc1a2f8f2646394b95303f354baa27ca34e51f3c9b2336ff0fa71f38d27eebb446f50cab94d7ab

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
27KB

MD5
8ae057c7324f06dfdc1fa133a70a2fe7

SHA1
8fa5fb0c2df7b94bfa1734604d061e8e334c9835

SHA256
4f9de20637c24e142fd6a05e9bbc7338f07ae81c14500a94305afa5ede0c31bb

SHA512
c138c97be923f7389b82ccb1a10a7e27bf25766fe66c5b38c3aa59670e0390e13cf4946b0042e090faa1ed21ca900cca8540f2f14a267c613293299d02a0ca36

Download Submit
C:\Windows\Temp\{331EB159-1464-47CC-A3A4-0AFB612A1B8A}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{331EB159-1464-47CC-A3A4-0AFB612A1B8A}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{7672BB55-E548-43CE-9FD0-0C2BB3D317F5}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{99B5E22D-59B9-40D6-9E1E-192EE506180A}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
memory/1388-519-0x00000179E1480000-0x00000179E1490000-memory.dmp

Filesize
64KB

Download
memory/1388-518-0x00000179E1480000-0x00000179E1490000-memory.dmp

Filesize
64KB

Download
memory/1388-517-0x00000179E1480000-0x00000179E1490000-memory.dmp

Filesize
64KB

Download
memory/1388-516-0x00000179E1480000-0x00000179E1490000-memory.dmp

Filesize
64KB

Download
memory/1388-515-0x00007FF933A90000-0x00007FF934552000-memory.dmp

Filesize
10.8MB

Download
memory/1388-514-0x00000179C8E70000-0x00000179C8E76000-memory.dmp

Filesize
24KB

Download
memory/1388-2256-0x00007FF933A90000-0x00007FF934552000-memory.dmp

Filesize
10.8MB

Download
memory/1388-510-0x00000179E1390000-0x00000179E13C0000-memory.dmp

Filesize
192KB

Download