f215a5aef06933198016846ca848e7726bce413397ab952bea339e3f7890ce63

Analysis

max time kernel
1480s
max time network
1496s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MeshLab2023.12-windows.exe
Size

74.3MB
MD5

eb977945534fa36f3d219be3596a017e
SHA1

2a471afe37e8334194bdf23ad8d457f1a72f68bc
SHA256

f215a5aef06933198016846ca848e7726bce413397ab952bea339e3f7890ce63
SHA512

7d95874d802a4ba414ec841822dfb983c6d2898fa4544d77768791047ae4059713c9291acfdec160bdcbdc6dc23a135d657bedb4475d288873ab35d26ffe06d0
SSDEEP

1572864:Y+UObZPDNeCqh7HxHQLqzl4p0eMrEGghCD+5W4C+39xzXOS5Vag0TpCNDouUUkf/:YE7ZKx8qeMrEGE1WvI9x55Ag0TpcDUv/

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{1de5e707-82da-4db6-b810-5d140cc4cbb3} = "\"C:\\ProgramData\\Package Cache\\{1de5e707-82da-4db6-b810-5d140cc4cbb3}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3224	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VCG\MeshLab\meshlab.png	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\imageformats\qtga.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\decorate_background.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\edit_quality.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\translations\qt_da.qm	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\gooch.gdp	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\reflexion_lines.frag	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\E57Format.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\Qt5Core.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_plymc.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\toon.frag	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\imageformats\qtiff.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\edit_manipulators.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\sm\depth.frag	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\vsm\objectVSM.frag	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\translations\qt_es.qm	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\edit_mutualcorrs.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\translations\qt_ja.qm	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\Cook-Torrance.gdp	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\depthmap.frag	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\stripes2.gdp	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\vsm\depthVSM.frag	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\SEM.frag	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\xerces-c_3_2.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_io_nxs.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\electronic microscope.gdp	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\minnaert.vert	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\vsmb\objectVSM.vert	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_plymc.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_voronoi.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\imageformats\qwebp.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\translations\qt_ar.qm	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\Oren-Nayar.gdp	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\ambient_occlusion.vert	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\splatpyramid\shader_analysis.vert	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\translations\qt_ru.qm	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\MeshLab.url	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_meshing.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\Cook-Torrance.gdp	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\vsmb\objectVSM.vert	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_layer.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\translations\qt_tr.qm	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\Hatch.frag	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\slicingplane.vert	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\styles\qwindowsvistastyle.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\translations\qt_ar.qm	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_camera.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_createiso.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\translations\qt_cs.qm	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\translations\qt_en.qm	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\stripes2.vert	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\splatpyramid\shader_analysis.frag	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\privacy.txt	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\imageformats\qwbmp.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_mls.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\translations\qt_lv.qm	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\translations\qt_fr.qm	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\translations\qt_sk.qm	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\embree4.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\iconengines\qsvgicon.dll	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\envmap.frag	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\stripes2.frag	MeshLab2023.12-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\edit_select.dll	MeshLab2023.12-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_colorproc.dll	MeshLab2023.12-windows.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58c2ce.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF161E19F4D5D537CB.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC669.tmp	msiexec.exe
File created	C:\Windows\Installer\e58c2e0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58c2e1.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA2FEF02E662DAC6D.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e58c2ce.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1CA7421F-A225-4A9C-B320-A36981A2B789}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF14B8ED8AA47B8CFA.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4FA7035AF3F5B7AC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC996.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE358F1E0292AB712.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9A8798784C062D20.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9C9FFB95019E9023.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB3D.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4F1.tmp	msiexec.exe
File created	C:\Windows\Installer\e58c2e1.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE12D14FA3EC5A819.TMP	msiexec.exe
File created	C:\Windows\Installer\e58c2f6.msi	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
404	vc_redist.x64.exe
2492	vc_redist.x64.exe
532	VC_redist.x64.exe
1492	meshlab.exe

Loads dropped DLL 64 IoCs

pid	Process
1172	MeshLab2023.12-windows.exe
1172	MeshLab2023.12-windows.exe
2492	vc_redist.x64.exe
3312	VC_redist.x64.exe
1172	MeshLab2023.12-windows.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000043984a9237dda2db0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000043984a920000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090043984a92000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d43984a92000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000043984a9200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OFF File\shell\edit\command	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.obj\ = "OBJ File"	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VMI File\shell\open\command	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VMI File\shell\edit\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\DefaultIcon	MeshLab2023.12-windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\shell\ = "open"	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmi	MeshLab2023.12-windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OBJ File\shell\edit\command	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\open\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\PackageCode = "2C7C7BC2C76DA7344888641520BBF8D6"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\DefaultIcon\ = "C:\\Program Files\\VCG\\MeshLab\\meshlab.exe,0"	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VMI File\shell\edit\ = "Edit VMI File"	MeshLab2023.12-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{1de5e707-82da-4db6-b810-5d140cc4cbb3}	VC_redist.x64.exe
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\.stl	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.off\ = "OFF File"	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OFF File\ = "OFF File"	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VMI File\shell\open\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\DefaultIcon\ = "C:\\Program Files\\VCG\\MeshLab\\meshlab.exe,0"	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\edit\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{1de5e707-82da-4db6-b810-5d140cc4cbb3}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OBJ File\shell\edit	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\DefaultIcon\ = "C:\\Program Files\\VCG\\MeshLab\\meshlab.exe,0"	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\edit	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.off	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OFF File\DefaultIcon\ = "C:\\Program Files\\VCG\\MeshLab\\meshlab.exe,0"	MeshLab2023.12-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STL File\shell	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OFF File	MeshLab2023.12-windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\open	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OFF File\shell\open\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STL File\shell\open	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\shell\edit\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PTX File\shell\open\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\shell\ = "open"	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\VC_Runtime_Additional	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\.ply	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\edit\ = "Edit PLY File"	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OBJ File\shell\ = "open"	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\ = "PLY File"	MeshLab2023.12-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PTX File\DefaultIcon	MeshLab2023.12-windows.exe
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\.fbx	MeshLab2023.12-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Version = "14.38.33130.0"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1492	meshlab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe
3224	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1492	meshlab.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1100	vssvc.exe
Token: SeRestorePrivilege	1100	vssvc.exe
Token: SeAuditPrivilege	1100	vssvc.exe
Token: SeShutdownPrivilege	532	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	532	VC_redist.x64.exe
Token: SeSecurityPrivilege	3224	msiexec.exe
Token: SeCreateTokenPrivilege	532	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	532	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	532	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	532	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	532	VC_redist.x64.exe
Token: SeTcbPrivilege	532	VC_redist.x64.exe
Token: SeSecurityPrivilege	532	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	532	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	532	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	532	VC_redist.x64.exe
Token: SeSystemtimePrivilege	532	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	532	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	532	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	532	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	532	VC_redist.x64.exe
Token: SeBackupPrivilege	532	VC_redist.x64.exe
Token: SeRestorePrivilege	532	VC_redist.x64.exe
Token: SeShutdownPrivilege	532	VC_redist.x64.exe
Token: SeDebugPrivilege	532	VC_redist.x64.exe
Token: SeAuditPrivilege	532	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	532	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	532	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	532	VC_redist.x64.exe
Token: SeUndockPrivilege	532	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	532	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	532	VC_redist.x64.exe
Token: SeManageVolumePrivilege	532	VC_redist.x64.exe
Token: SeImpersonatePrivilege	532	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	532	VC_redist.x64.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1492	meshlab.exe
1492	meshlab.exe
1492	meshlab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 404	1172	MeshLab2023.12-windows.exe	82
PID 1172 wrote to memory of 404	1172	MeshLab2023.12-windows.exe	82
PID 1172 wrote to memory of 404	1172	MeshLab2023.12-windows.exe	82
PID 404 wrote to memory of 2492	404	vc_redist.x64.exe	83
PID 404 wrote to memory of 2492	404	vc_redist.x64.exe	83
PID 404 wrote to memory of 2492	404	vc_redist.x64.exe	83
PID 2492 wrote to memory of 532	2492	vc_redist.x64.exe	84
PID 2492 wrote to memory of 532	2492	vc_redist.x64.exe	84
PID 2492 wrote to memory of 532	2492	vc_redist.x64.exe	84
PID 532 wrote to memory of 656	532	VC_redist.x64.exe	94
PID 532 wrote to memory of 656	532	VC_redist.x64.exe	94
PID 532 wrote to memory of 656	532	VC_redist.x64.exe	94
PID 656 wrote to memory of 3312	656	VC_redist.x64.exe	95
PID 656 wrote to memory of 3312	656	VC_redist.x64.exe	95
PID 656 wrote to memory of 3312	656	VC_redist.x64.exe	95
PID 3312 wrote to memory of 3964	3312	VC_redist.x64.exe	96
PID 3312 wrote to memory of 3964	3312	VC_redist.x64.exe	96
PID 3312 wrote to memory of 3964	3312	VC_redist.x64.exe	96
PID 1172 wrote to memory of 1492	1172	MeshLab2023.12-windows.exe	97
PID 1172 wrote to memory of 1492	1172	MeshLab2023.12-windows.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MeshLab2023.12-windows.exe
"C:\Users\Admin\AppData\Local\Temp\MeshLab2023.12-windows.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Program Files\VCG\MeshLab\vc_redist.x64.exe
  "C:\Program Files\VCG\MeshLab\vc_redist.x64.exe" /q /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\Temp\{0F59A5BE-E086-4A81-AF67-C84664C4B4D3}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{0F59A5BE-E086-4A81-AF67-C84664C4B4D3}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\VCG\MeshLab\vc_redist.x64.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5E0352D2-6FD5-4F25-999A-5CCC34DD9E5B} {654D8806-24C5-4899-969E-BB4E349EA3E2} 2492
      4⤵
      Adds Run key to start application
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=956 -burn.embedded BurnPipe.{B1343DDA-A9DF-423E-841D-828D75B6D6DE} {D0D7377F-7C5F-49AD-B6EC-1EAC4348FE61} 532
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=956 -burn.embedded BurnPipe.{B1343DDA-A9DF-423E-841D-828D75B6D6DE} {D0D7377F-7C5F-49AD-B6EC-1EAC4348FE61} 532
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{C4F1F6B9-5E16-484D-87D4-989766F2FF5E} {22603776-92CB-4620-B440-9B2B9DCBDEAA} 3312
        7⤵
        Modifies registry class
        
        PID:3964
- C:\Program Files\VCG\MeshLab\meshlab.exe
  "C:\Program Files\VCG\MeshLab\meshlab.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D4
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58c2d3.rbs

Filesize
19KB

MD5
708ccf88d32b8191ff3d33afd5e927ac

SHA1
efad52ea8a57d74cc20b2727e41d189fd631acbf

SHA256
928a6c62a2edfe17d119b87be47d7b3256079081bc87bbb91f925510727953e3

SHA512
ddecfcbc2e6c2a62b656fc4f9eb549070a2e3eb1d68cc58f2c188c4dd2b1de77bf43a9c0dd32dad2f4675ae890a77583493ee96182e0bbadebfaea17d0943389

Download Submit
C:\Config.Msi\e58c2df.rbs

Filesize
19KB

MD5
fca1e3ded095a58154763bcbc3fdcd69

SHA1
df16360f592ce636ba615aafcdae2ee5189d5300

SHA256
4750e5bb66c52266a2f23a0213473b2b7d26d628b53806a87ee64cef1d9c618f

SHA512
28826c673cb17e783f8422b328a2e7cb59523c0050a62ea8908432b915301833a8a8690a2bd08d7f792a2995ece0bed785968239d4f250cd5b6fd6924d81a1d0

Download Submit
C:\Config.Msi\e58c2e6.rbs

Filesize
21KB

MD5
4ce35866cc80a5d36855eb7d1b5ede15

SHA1
487dee89787667f11e187e0c7c490433b3ecd5a8

SHA256
8063513ee42c209b8552d415acf5f1cc3694c50aa0b99a1e4fa9790b0ac551fe

SHA512
83190869e923f90d6b2550dd1180c10217408eacdd8249ab7068c766ade6388f7466d23aac97402226042faa7cffe7ead7b25eeb83b96dc5d3c3cb68b1849216

Download Submit
C:\Config.Msi\e58c2f5.rbs

Filesize
21KB

MD5
c53a183cec04ac955e2826e767a917c3

SHA1
751882a02dad33f0a5f9771ff26151edd0611ba3

SHA256
ca82ba8dd2f711cd99b5bd6474e42d9e91dc771ce84d97f16fd95e6b7fe87ebf

SHA512
54e58167cfd18d5a3c1abffac75d272072e03454ea74b7ae9043a42f4cb98bf1e22a0c2b1455f80ba89c64be6093ae63d8f2d65845981c6096b6983ad7a817f2

Download Submit
C:\Program Files\VCG\MeshLab\Qt5Core.dll

Filesize
5.7MB

MD5
70574698da8bf4ef806cbcdeba2af3c9

SHA1
8d45ff472a5df443b76b566c2681647c124b389f

SHA256
26cf6a5120498870345344d39bf498deb305bbfaadb20c9c986d8b322df85014

SHA512
ede8c09356493c721e7c90d50e25b53d17a4c94ef0b0aca2061c2db53d5f6b087ee74258cd0ba85988b9abf95d602c02289380519577f57d251ec807ca302465

Download Submit
C:\Program Files\VCG\MeshLab\Qt5Gui.dll

Filesize
6.7MB

MD5
85390c12f32ed124a53820faba905db1

SHA1
2ed013d7de15607cf792fdfdf4c4be78033279b0

SHA256
145116c2517edf4346a73798c570e0ebccd9aa4b274f1d1b39c4da9d6a36341d

SHA512
c78e672eb6345e34460763fc9dd1d93d4055cc638dc8c9a283b63b5f619cede4005204371cf985b679bc874177aa0b48ddc49f79f9ae3afabd62970f29c56bf3

Download Submit
C:\Program Files\VCG\MeshLab\Qt5Network.dll

Filesize
1.3MB

MD5
af00d063fff428bd64c41b984b297e23

SHA1
4c6b407df7705fc71453d3819a87518275e3157a

SHA256
919b3bae67723e1f4be5b1d959944a693b040c79becc6e8387f57375fca92365

SHA512
c0d58b4eed3247f0c5591ec577c53740d93c28acf63a2dd891fb79529541869fd6225a63efc60b21291f65541dfa7cff8cdd900e6feda87cda2c966afa8200c1

Download Submit
C:\Program Files\VCG\MeshLab\Qt5OpenGL.dll

Filesize
314KB

MD5
8b8c369d1fc2fe653bf4cbdc705dce83

SHA1
6b5e21e3b9b501faa45b4cf7eaa60a0392a3d65e

SHA256
93211aa7c4b098a15ffa19016a31f0bdb9b880f84ebf06e07cbb3a2d26ae6771

SHA512
adea5f327f24317b4d57188cbe42cf6aad258d15d25ee62422a826ceddf09f93868fa2d4a9087d1f10e7af2233150d5f46a6cde7e47dea1abd16790bcc347af2

Download Submit
C:\Program Files\VCG\MeshLab\Qt5Widgets.dll

Filesize
5.2MB

MD5
4eed3fad426472da7b6fa2b6243cee82

SHA1
354752db1ced78bff2b688e8c3ddc291c1a3d4a3

SHA256
21d857687777bbb0e8c85e270bc1272cb845c320ef2982b39601484c61e2cb06

SHA512
6aacb9660bb870f523416d286487ae90ac6516afa09ffe0f3562046269d56ec45920ab1adbeaf98dab372d086e453397e7f80d9cf637cafb89d7e5f6dcdb3fb1

Download Submit
C:\Program Files\VCG\MeshLab\Qt5Xml.dll

Filesize
209KB

MD5
17e0b69b758c3d99be89fc55cf4c46ef

SHA1
d12593aeb932274b050e82db2dcce94ce5e58c28

SHA256
dd642014afdbebc5bf2a41c837059df94720f8a5d54fad25ca5507bd2ecab585

SHA512
9ef4c728f020695c2608472ae8ccf7540803ac5e2f3b36cd5c224e9c1807eca335baeb6cd0dcc55d3379d9ff6a2ceb38b8c789e453ce801033204552c8667551

Download Submit
C:\Program Files\VCG\MeshLab\bearer\qgenericbearer.dll

Filesize
53KB

MD5
154a4d60f7caf82365d1724a05fc9921

SHA1
ef3aa2dfd5655d192135824c7f02ed8d12d28f98

SHA256
ea49d701c93f21b79ae234fc732a381ff7c3dbfe6f89689f6a865d2a1bdbcb39

SHA512
91e319f1b16c900052c778003547adb5b7858762378d6665a290d94eaf18b861d2915345456ec8ff96298afc1ab5ac766d491d968dcddcbec5ec64af94442a2d

Download Submit
C:\Program Files\VCG\MeshLab\external-glew.dll

Filesize
496KB

MD5
1bedc25c28039bde74c5f79a53222878

SHA1
5aa60566e6920c9dcdf3278180989a43289e0261

SHA256
d857d8db4e7436856c3428bc617f17d7a33ad05ed7e98f32965b2db047d98e7c

SHA512
5e27324c8ffa3af5426cdd0eeaa4c7973ad9e2a578be8a0903e110e2ffeb589acb4e19785a7431c0d621b4ed2f273113c049f3610aa1f579fde3818ae1966669

Download Submit
C:\Program Files\VCG\MeshLab\iconengines\qsvgicon.dll

Filesize
42KB

MD5
70a7945cab2a9840f9248e9496d3d599

SHA1
cedf14a1fc63f216947eee8fa673e4285232f28a

SHA256
a5fa1a83711884b8cbcde6a6220209bb62c92f8bbec864cd75d6b8eee82b3a60

SHA512
464f2117f95169688900a610a287f5e1057746e63845eb2c2660833a78fc4db3603f3eb7f2eefbf0e037445d4b95a73394957d23cd8113887947a72bc8bcadb5

Download Submit
C:\Program Files\VCG\MeshLab\meshlab-common-gui.dll

Filesize
360KB

MD5
c038f6f32e01eeb9ed4a9b335bf4c247

SHA1
b9ef857a48dc8c43e13af29336f31c4973eae1ee

SHA256
e68215d783c0a3a4db2d7034295b39262bbe0b99b56e6fe0ac1530c22f658ba8

SHA512
87272808bd353a82eb6cbb176add19c692b691dc84ae614bb567c497ea75bc4cd0a5205d4ac443d3378c102eecdaee39a65435df6db4bb2ca2ffceb74ef32f78

Download Submit
C:\Program Files\VCG\MeshLab\meshlab-common.dll

Filesize
2.0MB

MD5
0c322372bddf603887daaa9adcfa31e3

SHA1
0c72fad2c9bd7530a6e37026460facfb7ad0c73e

SHA256
a23c51972aa43e2a9e2656feac1f92493188dfec55555054e97c03ef3f700979

SHA512
5028f6fe73dacc5aaa4acf0a7cbea09f6e560cbf72ba04977361b87ad6fe93d28566eb96bfc2cf6a4b312bf866905916fca9c157a821ee74bf7ee4ba894b07aa

Download Submit
C:\Program Files\VCG\MeshLab\meshlab.exe

Filesize
1.3MB

MD5
cbad2c0e3d175b49ff4b142ee771f07e

SHA1
968a5a8070d3316743fb25a59505f5bc66d4eefc

SHA256
20c624c26bc5fcf5ae48bb6d05a157f5b3eff69c18f19384716105c63dba020f

SHA512
a82b6f583effc7f5d9f041fad512dc8bb392ab274456161c111ed4ac4cbffe712ea3ea3578d6def027b0c395531ea7ba0c214eed410708a28167ae6e814589e1

Download Submit
C:\Program Files\VCG\MeshLab\platforms\qwindows.dll

Filesize
1.4MB

MD5
17a0330fb69c8877a6fb9c8676b71ddd

SHA1
82df37a7ea7f717456277903cb729d3eb9232bf2

SHA256
07696c680e161918ad0c40f58e20e3f30f2bf468fe7083290e099cdd7dad2f92

SHA512
4049a844e6ea318292350742cb8adb4aa0b910cdea6a93f542dbc009cefe26b639daac1e7687b53a562e3d83ab484e5fa407e29b51a4a27d67c8942ac7107975

Download Submit
C:\Program Files\VCG\MeshLab\plugins\bearer\qgenericbearer.dll

Filesize
53KB

MD5
6487ba9b4730dd2cb3cdf2da5074b64b

SHA1
5bffa8678561655cfba396b8f75a0f97525008f4

SHA256
a0b5fd99e20773aa4e9a72fb16e693dad40f195b2d189eb6be0c578ee999f058

SHA512
1f9a81c8f29d479a5896ac90f8aaad6950bda1635c9a7393ce7d8878d403ba82a2beb5308b903ba8a7d3064b250bea6e66f76f98ab7e29fbe0060ea8d4ea9066

Download Submit
C:\Program Files\VCG\MeshLab\plugins\iconengines\qsvgicon.dll

Filesize
42KB

MD5
1f0def96f5c7641c286eee35d0f68a4a

SHA1
926f879dbe0f9abe8200b08036b27cd9608f137b

SHA256
402004f449714687c70e3dc6c5cd9a1583fa24b8644ed5a034c9d7d93dbf4da2

SHA512
507248d6a3c40560fb8742e4e67ad24a2835bc4286ec7e82065937acf28070147fa78a0b897504a1339caf3911e99657c861e7a103ee5387bec8fc4cf9fe9af6

Download Submit
C:\Program Files\VCG\MeshLab\plugins\imageformats\qgif.dll

Filesize
39KB

MD5
a2fe07779bc637b3386bd16814d59d76

SHA1
46a26243ae3e7d2e4223c1980499162c4a2d9800

SHA256
1ee61af5e3cab04d2d8594375babcb92852b07fd25c0cc4f363402c1ac0d01f9

SHA512
af3bdb497f7e44e10cec5db8624e6c9539d4560a47931cf7c96bcfbd67a496e7397b2c6e2a977aa287dbf99f6dbd379e8520691a0d276e04f96f801918a13006

Download Submit
C:\Program Files\VCG\MeshLab\plugins\imageformats\qicns.dll

Filesize
45KB

MD5
1cd4ad0da54a99feed03b9913222b37c

SHA1
41237a0a92602b179b11f8049423203b32e8a134

SHA256
072e67252253049950c0d344f657121ccb499f71e4eadd65ee3cc4f27a23bb0d

SHA512
efe751c202fd667e390b765e10eaa19589ed3e6f366c7ba94b369fc597233d463fb8ab4f50e8ab3e1a68867d9728504b416baee3f6b81f9bf7bf80799031a0d2

Download Submit
C:\Program Files\VCG\MeshLab\plugins\imageformats\qico.dll

Filesize
38KB

MD5
780e5054061a9fd0f99f8e8c205d6926

SHA1
f07dba30807328df648e55a4fddfef2703f2c9c8

SHA256
483ebf94e97aea285296ff18f67298f42b005500168bc2c9da269f85049c7152

SHA512
edf51ac79c6d0bca6046f838b0ce2e9d611af76c54045107d843f81faa77652eaac204adb831de9360a3846281f391008035dcd6c88c1dd979d1295fcd3c7a34

Download Submit
C:\Program Files\VCG\MeshLab\plugins\imageformats\qjpeg.dll

Filesize
412KB

MD5
df13af0ca78f9d28f31e40c2d6aa33a7

SHA1
41a93d6eb2baefda7d44419df12171bea63e3cd9

SHA256
d336b62b78ed59133c99e32ca56a940ebca9c1af18610a83ee6d624d2dcfe395

SHA512
c5323c95215c90f415534a7b799e28bb67a00d40dfe4069a37f965bd7f93b9b88082389a7c9375cc4f66554f410e0ba41d5fa000b4f08484f19856358fa3fcb5

Download Submit
C:\Program Files\VCG\MeshLab\plugins\imageformats\qsvg.dll

Filesize
32KB

MD5
eb706a693da703e9e816226710567b2f

SHA1
67902bf7e40042fdbec3cb208420a032d0700033

SHA256
8c945217be3e0baae842bb8333f05b9000324a22e3ba4854a457b7625891ceb5

SHA512
4a88c4915fc3eccb966f2947b1f0345928d976949304cb688d2c57c855f004a2f292c94b98089f4f232b251cc67a82443098ea62da647617cac4bfbf3d7e9e46

Download Submit
C:\Program Files\VCG\MeshLab\plugins\imageformats\qtga.dll

Filesize
32KB

MD5
e4669c17468471e37ff1f9b3c4919ba7

SHA1
48d270556eeb455f72d519430a472486d41ca4c4

SHA256
8781160e6878e8ff791c103dda9669cbaf7f17b0eb3ee3a79b92734f7c65a134

SHA512
6ca90ef0f594555da6ff721a71ff81619ef64cdcd537b5a86ddd382b337da127d6a89bed9ab6872b45da8d3544920df58e63a5467aaae87a9e10ef746174547e

Download Submit
C:\Program Files\VCG\MeshLab\plugins\imageformats\qtiff.dll

Filesize
382KB

MD5
0ba193db4052a3baa2a7fd15ab8cbf51

SHA1
8b6235b300d2c785ff0f78453ccda5638adbdce2

SHA256
44e8b1cddca876cc38ce125798bc25741e0b105b2ea79bf639f37b1e721a3494

SHA512
25ab670b41abe420ff849e4e96dad0684086fb733f6ac86efd729afef01656581980c95f1eaa5917f252e07556e44897e1fd14197d39eb452da1ecf547856199

Download Submit
C:\Program Files\VCG\MeshLab\plugins\platforms\qwindows.dll

Filesize
1.4MB

MD5
819b0efa378195acce842eafd860a557

SHA1
0183e5bf9a3a298cc1f472404d40c5902cad9f18

SHA256
973833a528a94663f9d66b23304f6547de88be99cf1988800bb6d747d6cf32e7

SHA512
08dcf012c33803642c75d337f091842e6e80517e11726823b3aff4a143752617364ad10e17d0fe7cf7270474f6a54cb5923e30de417569f51be94e8a65ad3a12

Download Submit
C:\Program Files\VCG\MeshLab\plugins\styles\qwindowsvistastyle.dll

Filesize
142KB

MD5
9df11a28958bdb63d1cdd1dfab70f781

SHA1
4126708f9e7ea86ddacdecc534274355d5e6c6af

SHA256
365e29978386c14da30b71469c8f4d255a74b211e6edfa22242360b5bf512e9b

SHA512
f78313b40fea8e0127489d61f391cc4895793c14860b9a6d65a07262b22280d93715d70207333d31b009ba3fb0407b95017db95fee3823913f6c735be6d9a181

Download Submit
C:\Program Files\VCG\MeshLab\styles\qwindowsvistastyle.dll

Filesize
142KB

MD5
010b8656a0c71b44f8822d1568a378f9

SHA1
7a0e57fa34c36aa76e5cef06d78be7f4f1661d82

SHA256
74a4f3aef0e3b7bbdd57cd4047123fc9a22cc5599a09cbd3c6aca838babccc38

SHA512
7345c459619622a7d18a7356a5f27e2eb535897deff5f2a2f97c768b81400ed35a7ff43271236ef1ff31b6ea277a44094c33283b850d066eb1094ca6a4873e2e

Download Submit
C:\Program Files\VCG\MeshLab\vc_redist.x64.exe

Filesize
24.2MB

MD5
69960c62391177713eadbc012fc72ffb

SHA1
af776917ece02824932856806d3b936585eea65a

SHA256
4c2656110e7d8238d8fc645511ca44ff685bc7d5a645e1a8142c80e109c1e665

SHA512
599b272571b9bde45f58113b5e84f712f711e23ceaf63ca0056ba485b98ceb6fda26969177b6effcb59727dde3e20ae4b508341eeb6e5fb6e1e07bc46601a8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240503095540_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
da91ea77bb9099416ec35ed6aa283389

SHA1
e0f188d22d103519eba523b3daf2a8e185d6383a

SHA256
7da04b7caa76f241971420482e7916b4b046474ca43c5d556d5ff61ef075f7e9

SHA512
83a3355b8a52ad653813683167389883ca38bf9471ea7453a00d3b232affeba19684d22cfdc60775ddb04e2295c8d5d4553bef6504a79afaa809bb2e698f6bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240503095540_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
f3fd26957d61a9471ca19bebab05fee7

SHA1
1f186010c77d3402e511c7efe52f6dd5923be783

SHA256
64fe8598baf52f92926b61d676f06f7fbb6b5fa7fa59e4b5c01fe7f76c25b5fe

SHA512
7933c5006d5309e7b6f88e969a7b238d07260cf7e644a4ddb678467c5d017af50897d1a05d580a0dd8a0a31a58b1d7fc2fa6922221218563b6114a30dcab677b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5506.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5506.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5506.tmp\ioSpecial.ini

Filesize
1KB

MD5
c135f5a9c25dc3d407254a339d315eda

SHA1
e25b889e1866f80cc5d34734555aef09e477c73e

SHA256
ba018e306216aa31b2d358e26944b87f3166a7d9c096bf65fd470197f1c11ac9

SHA512
7618def478ad8c3ce9fbb54e9ed4fd46048b2e473bb1eaecd5c07d184c62d159c7cb784f8bcec285d3b165e894cfae03930c2ab902ec3147fd3aacdeae13a494

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5506.tmp\ioSpecial.ini

Filesize
1KB

MD5
a41be88c8b6d9bfa7600220715b1c8ef

SHA1
c5e787e56a98832e65c2c41e3c4cf71d7197d1fb

SHA256
d6b21095ee1976083ebf1dc01e929634407e1a5e36d418ad175795c0e22b4b3e

SHA512
a9b2c295a5ea55fadc205489174af0671a368e66ce34f033afb04b766e5d55dd11a666d34034217f18d48b7aac66d9121109079bcba64be6cd0ec6f9e80cb1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5506.tmp\ioSpecial.ini

Filesize
1KB

MD5
d65ec5f32a386f867dd2cc8d31cc80f6

SHA1
bebc2066cbc0c5d8554cc79de944a3f2ffc0539c

SHA256
19e76739aefadb974b122526133db0caa86cbf976c7fbfcc64f7f44804b32970

SHA512
9a38baed8ff63d399ce2c31a2a9f52210616c8491149179e371129b2c02681598e7676206f8cfd311eba81e580b8d1c4dcc452d9227cf4e5186a170777bcc8bb

Download Submit
C:\Windows\System32\msvcp140.dll

Filesize
559KB

MD5
ebf8072a3c5c586979313f76e503aabf

SHA1
2fd9609f099a8f42b1b7ae40ad35be1569c0390e

SHA256
a030dc2dfd2eca28a9375c92989adf4daf161f988db5e16b9e10678eb0dff4c7

SHA512
438c2db953606818b843e42c04240d510b5e398617e8e5539498264f93cf1893ae9a6b6b02ee35b169ae60b0e3b5621d7d9f7e2945d0f1e7c2e7e0c1e9e3c1de

Download Submit
C:\Windows\System32\msvcp140_1.dll

Filesize
35KB

MD5
11d5d26552c1730ccc440f13a1fce188

SHA1
4c534eb613cb05455809b6471d38e1e0976aa919

SHA256
edfbcb2ced712f23842525cb076ee2c09cc7b811a389cf37922d04ef1985e10f

SHA512
2428c4257ac8349035ebb286dec236a25acdbf23178aaa80fd5461b2ed3101c0a67574bf7db8728d0c101d92f45dc72e7bc578049d5b18fac367bdfb44ecfbf2

Download Submit
C:\Windows\System32\vcruntime140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Windows\System32\vcruntime140_1.dll

Filesize
48KB

MD5
9410ee0771ff1c2007d9087a8c316a4b

SHA1
3f31b301b5a99a13486ddec08d25646d5ad510db

SHA256
e4e85eea1106d361923995e53a0b961a28d4fb58555f40945003f35e5bf2c273

SHA512
434a32ca6c4fdd8ffeb45d1bdb4d9f3c1b1259a1260ae66eb241f8bd63524cd1a3ec29d5eefa2d2f266dd740273e69b6bb8a7771badb77e781dc789dc18de2c9

Download Submit
C:\Windows\Temp\{0F59A5BE-E086-4A81-AF67-C84664C4B4D3}\.cr\vc_redist.x64.exe

Filesize
635KB

MD5
53e9222bc438cbd8b7320f800bef2e78

SHA1
c4f295d8855b4b16c7450a4a9150eb95046f6390

SHA256
0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

SHA512
7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

Download Submit
C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
e181a4fd7fc6a5a35d355efccb2c02d2

SHA1
762ded20d790e9342119f7578a4453ac512a0285

SHA256
e792f561821e193991fcc0c98038f0b0b905b0b0c67b55aaa1040d18652c6225

SHA512
8a8f04f5a044cfd126da9fafbdc86e74c7dc1624b241ed527e11bcdc389b8d9756c9fa6217b220e9aa49fb604285d8fb8c0dead91a7e456937e8b474000e32fe

Download Submit
C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\cab5046A8AB272BF37297BB7928664C9503

Filesize
958KB

MD5
b9c44fa1b63f24db5f63e4d5992428bc

SHA1
4b6b0db14c7444009b71a20cba406b27a03edaac

SHA256
dc862c89bccaeeb3b7ae04895377a6156dd81e0e1ff460b692f6cec51b865f4f

SHA512
0ce0612d528a237691d860c11a6f37555185871e80667a99ef23229496c87ddfeba13ef492eb330f3a75206e645e683617ff9d3b2a756d544af4d34ee8e3cd46

Download Submit
C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
ea980cf567e11691d1e4476eb46cf0b9

SHA1
a0520000ad102411c041fc44e333fa298e72b38f

SHA256
98c9604efcba36d02387a570ddf9697951fb8f625c5ce2471a2d4a573e962d23

SHA512
b07184932de406cc1df8ae3599d0418211f3b3f40711f743aa7534d06757794aa9f1b61f6b7fa85cd604f5e6eca7d08a04ec2d2c78c80fff5bdec2b772f5656d

Download Submit
C:\Windows\Temp\{A8FCED3A-8CF7-4931-B703-95F8ECC526BC}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
cde169db3e6657e49a923413bec65774

SHA1
6c57b389c08a0a3bd3c8919c2b546fb9e1ea7003

SHA256
6cf659c5d73f2ce102b60a64f820f57d598efbfb1e1a0f393a5df7f11bbc35c3

SHA512
d32b32ec275ea7befe7c63977cd300887bc88460d56c4fb848447c87006ead29fdb41c60688186d18bfac6ff6f0c8a441d1fb91765a4fda93824d4b61a4ae627

Download Submit
memory/656-895-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1492-1097-0x000002E57DEA0000-0x000002E57DEA1000-memory.dmp

Filesize
4KB

Download
memory/1492-1078-0x00007FF7CCEE0000-0x00007FF7CD030000-memory.dmp

Filesize
1.3MB

Download
memory/1492-1077-0x00007FFA09490000-0x00007FFA099D1000-memory.dmp

Filesize
5.3MB

Download
memory/3312-894-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/3964-857-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download