Analysis
- max time kernel: 93s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2024, 04:47
Static task
- static1
Behavioral task
- behavioral1
  Sample: htpe7.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: htpe7.exe
  Resource: win10v2004-20240611-en
General
- Target: htpe7.exe
- Size: 3.0MB
- MD5: 29a0694490619235ade01ffc130865ff
- SHA1: fc0c4ad65e13694f9af4ca8a800ee1931dfc83ac
- SHA256: 0e1b2ed27b426a09a35e60e8d79413c6fee4e98646fefca8f7aa319a2a493180
- SHA512: 92a2716841b154eac696b97ad6985cf400b813bf0dc4cddbd7651507ea08d62ecd7e3471242720874841983cd528aeec27e203bdf7d0fae2f3a3110e6161c60e
- SSDEEP: 98304:1zu6XHdupzYD+bVxDRTYe1hpnTvwk5siFT:1zu6X98TbVbLf9UXQ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation htpe7.exe
-
Executes dropped EXE 4 IoCs
pid Process
4408 VCREDI~1.EXE
2624 install.exe
3740 HyperTrm.exe
4576 HyperTrm.exe
-
Loads dropped DLL 28 IoCs
pid Process
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2624 install.exe
3740 HyperTrm.exe
3740 HyperTrm.exe
3740 HyperTrm.exe
3740 HyperTrm.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
2800 htpe7.exe
4576 HyperTrm.exe
4576 HyperTrm.exe
4576 HyperTrm.exe
4576 HyperTrm.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
-
Drops file in System32 directory 3 IoCs
description ioc Process
File created C:\Windows\SysWOW64\~GLH000a.TMP htpe7.exe
File opened for modification C:\Windows\SysWOW64\UNWISE32.EXE htpe7.exe
File created C:\Windows\SysWOW64\GLBSINST.%$D htpe7.exe
-
Drops file in Program Files directory 20 IoCs
description ioc Process
File created C:\PROGRA~2\HYPERT~1\INSTALL.LOG htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0001.TMP htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\ReadMe.HTM htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\WordPad ReadMe.DOC htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\image1.gif htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\Hypertrm.dll htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0002.TMP htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0003.TMP htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0006.TMP htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\Hticons.dll htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0007.TMP htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0008.TMP htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\htrn_jis.dll htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0009.TMP htpe7.exe
File opened for modification C:\PROGRA~2\HYPERT~1\INSTALL.LOG htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\vcredist_x86.exe htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\HyperTrm.exe htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0004.TMP htpe7.exe
File created C:\Program Files (x86)\HyperTerminal\~GLH0005.TMP htpe7.exe
File opened for modification C:\Program Files (x86)\HyperTerminal\HG30t.dll htpe7.exe
-
Drops file in Windows directory 64 IoCs
description ioc Process
File created C:\Windows\WinSxS\InstallTemp\20240627044823733.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_312cf0e9.manifest msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90ita.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.0\9.0.21022.8.policy msiexec.exe
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\6F9E66FF7E38E3A3FA41D89E8A906A4A\9.0.21022 msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823796.0 msiexec.exe
File opened for modification C:\Windows\Help\HypertrmPE.hlp htpe7.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.2\9.0.21022.8.cat msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90fra.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90jpn.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.0\msvcm90.dll msiexec.exe
File created C:\Windows\Installer\e57ab57.msi msiexec.exe
File created C:\Windows\Fonts\GLBSINST.%$D htpe7.exe
File opened for modification C:\Windows\Installer\e57ab53.msi msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.3\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.3\9.0.21022.8.cat msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823733.0 msiexec.exe
File created C:\Windows\Fonts\~GLH000e.TMP htpe7.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823764.0 msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823781.2 msiexec.exe
File created C:\Windows\Help\~GLH000c.TMP htpe7.exe
File created C:\Windows\Fonts\~GLH000f.TMP htpe7.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.1\9.0.21022.8.policy msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823733.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_312cf0e9.cat msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.1\9.0.21022.8.cat msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a.manifest msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.1\mfc90.dll msiexec.exe
File opened for modification C:\Windows\Installer\MSIADF3.tmp msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90kor.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90esn.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.0\msvcp90.dll msiexec.exe
File opened for modification C:\Windows\Help\Hypertrm.chm htpe7.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.1\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a.manifest msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90chs.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90enu.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823796.0\9.0.21022.8.policy msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823781.0 msiexec.exe
File opened for modification C:\Windows\Fonts\Arialals.ttf htpe7.exe
File created C:\Windows\Installer\e57ab53.msi msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.1\mfcm90.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.2\mfc90esp.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.1\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a.cat msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.2\9.0.21022.8.policy msiexec.exe
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\6F9E66FF7E38E3A3FA41D89E8A906A4A msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823764.3 msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823733.0\atl90.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.3\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.3\9.0.21022.8.policy msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823781.1 msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823796.0\9.0.21022.8.cat msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.0\msvcr90.dll msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823764.1 msiexec.exe
File opened for modification C:\Windows\Help\HypertrmPE.cnt htpe7.exe
File created C:\Windows\Help\~GLH000d.TMP htpe7.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\$PatchCache$\Managed\6F9E66FF7E38E3A3FA41D89E8A906A4A\9.0.21022\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8 msiexec.exe
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\6F9E66FF7E38E3A3FA41D89E8A906A4A\9.0.21022\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8 msiexec.exe
File opened for modification C:\Windows\WinSxS\InstallTemp\20240627044823781.3 msiexec.exe
File opened for modification C:\Windows\Fonts\Arialalt.ttf htpe7.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823764.1\mfc90u.dll msiexec.exe
File created C:\Windows\WinSxS\InstallTemp\20240627044823781.0\9.0.21022.8.cat msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe
-
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e004a007000550032004e0072005600370042003500710079005f005b0054002c00280034002c006a0000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e004600420042006f0063004b005700470031003800280071002d004e003d007500590077007100370000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e004700340078002c0028007500720062006200370029003600530074005a004d00760078006200700000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shellex\IconHandler\ = "{88895560-9AA2-1069-930E-00AA0030EBC8}" htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88895560-9AA2-1069-930E-00AA0030EBC8}\InProcServer32\ = "C:\\PROGRA~2\\HYPERT~1\\hticons.dll" htpe7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\Version = "151015966" msiexec.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\ = "HyperTerminal File" htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shell\ = "connect" htpe7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shell\open\command htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shell\open\command\ = "C:\\PROGRA~2\\HYPERT~1\\hypertrm.exe %1" htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shellex\PropertySheetHandlers\TermPage\ = "{1B53F360-9A1B-1069-930C-00AA0030EBC8}" htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\FT_VC_Redist_CRT_x86 = "VC_Redist_12222_x86_enu" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\telnet\shell\open\command HyperTrm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d004f00700050006d00360078002b0044003400700061006d006600580031006f00390032007a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\SourceList\LastUsedSource = "n;1;f:\\fd1ac522d84d8685e64d4a717acc\\" msiexec.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\htfile\DefaultIcon\ = "%1" htpe7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B53F360-9A1B-1069-930C-00AA0030EBC8}\InProcServer32 htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\SourceList\Media\1 = ";1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shellex htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88895560-9AA2-1069-930E-00AA0030EBC8}\InProcServer32\ThreadingModel = "Apartment" htpe7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d0039002c004f005500350063004d0078003400660069003f00660040007b00300021004400480000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\FT_VC_Redist_ATL_x86 = "VC_Redist_12222_x86_enu" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shellex\IconHandler htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88895560-9AA2-1069-930E-00AA0030EBC8}\ 
= "HyperTerminal Icon Ext" htpe7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFCLOC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0074004d00470024007b0053002a007500250034004e0047002d0076004600380050004e0021005f0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011\6F9E66FF7E38E3A3FA41D89E8A906A4A msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\SourceList\PackageName = "vc_red.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shell\open htpe7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shellex\PropertySheetHandlers htpe7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ht htpe7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88895560-9AA2-1069-930E-00AA0030EBC8} htpe7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shell htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htfile\shell\connect\command\ = "C:\\PROGRA~2\\HYPERT~1\\hypertrm.exe /d %1" htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B53F360-9A1B-1069-930C-00AA0030EBC8}\ = "HyperTerminal Connection Page Ext" htpe7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 
7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e00690063003f00670029004f0026005200530034002500710035005d0056004c00510072005b00530000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e004b003000710064006800330043003000650037006e0021002e005f004c003d0048002e0036004f0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\Servicing_Key msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\VC_Redist_12222_x86_enu msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\FT_VC_Redist_MFCLOC_x86 = "VC_Redist_12222_x86_enu" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\AuthorizedLUAApp = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ht\ = "htfile" htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\FT_VC_Redist_OpenMP_x86 = "VC_Redist_12222_x86_enu" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9E66FF7E38E3A3FA41D89E8A906A4A\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B53F360-9A1B-1069-930C-00AA0030EBC8}\InProcServer32\ = "C:\\PROGRA~2\\HYPERT~1\\hypertrm.dll" htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B53F360-9A1B-1069-930C-00AA0030EBC8}\InProcServer32\ThreadingModel = "Apartment" htpe7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e0075004c007d0064004a00350068004c002b00340045002b0066002c00310071004a00280064002d0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\FT_VC_Redist_MFC_x86 = "VC_Redist_12222_x86_enu" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B53F360-9A1B-1069-930C-00AA0030EBC8} htpe7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 7000550041002a007b006200350032006600360064004a004600280074007b004f00240077005d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e007200240066004a005e005900430054006a003300560039002500590027007d002a0027002e00290000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htfile htpe7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9E66FF7E38E3A3FA41D89E8A906A4A\VC_RED_enu_x86_net_SETUP msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
5104 msiexec.exe
5104 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeBackupPrivilege 1716 vssvc.exe
Token: SeRestorePrivilege 1716 vssvc.exe
Token: SeAuditPrivilege 1716 vssvc.exe
Token: SeBackupPrivilege 3588 srtasks.exe
Token: SeRestorePrivilege 3588 srtasks.exe
Token: SeSecurityPrivilege 3588 srtasks.exe
Token: SeTakeOwnershipPrivilege 3588 srtasks.exe
Token: SeBackupPrivilege 3588 srtasks.exe
Token: SeRestorePrivilege 3588 srtasks.exe
Token: SeSecurityPrivilege 3588 srtasks.exe
Token: SeTakeOwnershipPrivilege 3588 srtasks.exe
Token: SeShutdownPrivilege 2624 install.exe
Token: SeIncreaseQuotaPrivilege 2624 install.exe
Token: SeSecurityPrivilege 5104 msiexec.exe
Token: SeCreateTokenPrivilege 2624 install.exe
Token: SeAssignPrimaryTokenPrivilege 2624 install.exe
Token: SeLockMemoryPrivilege 2624 install.exe
Token: SeIncreaseQuotaPrivilege 2624 install.exe
Token: SeMachineAccountPrivilege 2624 install.exe
Token: SeTcbPrivilege 2624 install.exe
Token: SeSecurityPrivilege 2624 install.exe
Token: SeTakeOwnershipPrivilege 2624 install.exe
Token: SeLoadDriverPrivilege 2624 install.exe
Token: SeSystemProfilePrivilege 2624 install.exe
Token: SeSystemtimePrivilege 2624 install.exe
Token: SeProfSingleProcessPrivilege 2624 install.exe
Token: SeIncBasePriorityPrivilege 2624 install.exe
Token: SeCreatePagefilePrivilege 2624 install.exe
Token: SeCreatePermanentPrivilege 2624 install.exe
Token: SeBackupPrivilege 2624 install.exe
Token: SeRestorePrivilege 2624 install.exe
Token: SeShutdownPrivilege 2624 install.exe
Token: SeDebugPrivilege 2624 install.exe
Token: SeAuditPrivilege 2624 install.exe
Token: SeSystemEnvironmentPrivilege 2624 install.exe
Token: SeChangeNotifyPrivilege 2624 install.exe
Token: SeRemoteShutdownPrivilege 2624 install.exe
Token: SeUndockPrivilege 2624 install.exe
Token: SeSyncAgentPrivilege 2624 install.exe
Token: SeEnableDelegationPrivilege 2624 install.exe
Token: SeManageVolumePrivilege 2624 install.exe
Token: SeImpersonatePrivilege 2624 install.exe
Token: SeCreateGlobalPrivilege 2624 install.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
Token: SeTakeOwnershipPrivilege 5104 msiexec.exe
Token: SeRestorePrivilege 5104 msiexec.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
4408 VCREDI~1.EXE
2624 install.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 2800 wrote to memory of 4408 2800 htpe7.exe 100
PID 2800 wrote to memory of 4408 2800 htpe7.exe 100
PID 2800 wrote to memory of 4408 2800 htpe7.exe 100
PID 4408 wrote to memory of 2624 4408 VCREDI~1.EXE 102
PID 4408 wrote to memory of 2624 4408 VCREDI~1.EXE 102
PID 4408 wrote to memory of 2624 4408 VCREDI~1.EXE 102
PID 2800 wrote to memory of 4080 2800 htpe7.exe 106
PID 2800 wrote to memory of 4080 2800 htpe7.exe 106
PID 2800 wrote to memory of 4080 2800 htpe7.exe 106
PID 2800 wrote to memory of 3740 2800 htpe7.exe 108
PID 2800 wrote to memory of 3740 2800 htpe7.exe 108
PID 2800 wrote to memory of 3740 2800 htpe7.exe 108
PID 2800 wrote to memory of 4824 2800 htpe7.exe 111
PID 2800 wrote to memory of 4824 2800 htpe7.exe 111
PID 2800 wrote to memory of 4824 2800 htpe7.exe 111
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\htpe7.exe
"C:\Users\Admin\AppData\Local\Temp\htpe7.exe"
PID:2800
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

    C:\PROGRA~2\HYPERT~1\VCREDI~1.EXE
    "C:\PROGRA~2\HYPERT~1\VCREDI~1.EXE" /q:a
    PID:4408
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        \??\f:\fd1ac522d84d8685e64d4a717acc\install.exe
        f:\fd1ac522d84d8685e64d4a717acc\.\install.exe /q:a
        PID:2624
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" "C:\Program Files (x86)\HyperTerminal" /E /G Users:F
    PID:4080

    C:\PROGRA~2\HYPERT~1\HyperTrm.exe
    "C:\PROGRA~2\HYPERT~1\HyperTrm.exe" -initializeTrial
    PID:3740
    - Executes dropped EXE
    - Loads dropped DLL

    C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" hg_dbh.lic /E /G Users:W
    PID:4824
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
PID:1716
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
PID:3588
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
PID:5104
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\HyperTerminal\HyperTrm.exe
"C:\Program Files (x86)\HyperTerminal\HyperTrm.exe"
PID:4576
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3152
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
64B
MD56abea3dca0887a521f437121c7c6f563
SHA10b112982ff7e77c729e783bbdef36b3ab68380be
SHA256a69c514729ea33cf964a0d74874ed2ee642f4b0d59f5ef62fe0aa8d84ba29777
SHA512cbea96df908082dd8ea4e02803c0f8cea9d5fda78f40ee43fc6b4da445667a51c9b0843cfd746d45ad6b88c982d4e5754c7b243bb3e52430daddc2dd661ea7dd
-
Filesize
161KB
MD509e59d00df5d2effd8dd9b30385cb9d2
SHA10fa0d3f6692f31fdabefb719b0f7a28cbf5d5415
SHA2561c574eab5e83ccfe5a0bb7b59e028cc5fa2f4e77868051e305d83c709711ff77
SHA512d73e3832777341a4176dbd9988002ec94a32f162492e869a8c03d9bb10f1833821f99e15710e9fc103a2820c862cf14a0b990d7c7c09150bb14618a7c93ca5fd
-
Filesize
10KB
MD59da8f742593d4bbca708b90725282ae2
SHA19aaa6ed98726e657252a098f2bf06066a8604d27
SHA256e362a9815527869e0f71fdf766a1c3648e307145defda7a5279914e522bcb57c
SHA512f8b4129dc4ab30e009cb4db8a80f06b16306c1a90a49e534befb925d6ce4d5713b98553a2107b40efa8b5abd025ff0556976cf46c3642ce8e372c34d105e36cb
-
Filesize
392B
MD541a5a4ddea57baa1eba729e9a673b496
SHA1e18905bed27605c4402394720996c3c87234b1b3
SHA256542517b4485fd5d9ef700376740608862efa4716927dc0cd4b7535d5d0959bb0
SHA512c6f3da0d179dccdd7fb46dbbfefc34b4dd545bc0df50e5252be230ffc6bf61bc4a97ca2e73e8d13d339a9c2d96b14235a3bb18f997e883d4f97e0679d865333e
-
Filesize
1KB
MD5ccb254ce73691d77ed59d8f62a788053
SHA1c91fbada94dbe684823c16b0e59ae2e382272732
SHA2566d3ab7e0ae55d816689596fb283d32e019508b1b7e7bf9b78fd8fa97d24064ab
SHA512383568dfd08cf88795de27dd9e6d87519d8ead161577026849896408ef69572fc87705417d6bdbefd2c4ac3b6929af9a856da6f0874efdfec7f0799581bc80c1
-
Filesize
16KB
MD5ef0033f1bd6b0787ff1b953a5b5e3304
SHA1831dae0194839ec2ba82b346bd646f10a7613d8a
SHA2569bf16e46ebedf659051a6956498d2557e835cb3692c1949b71bb829bf3a13733
SHA51271bd19dbde60d5dd0115f4458765eb8b6925539a5b754dedde4a3576e5741ddd1ef2eb7f41a1267bcc00ab30edc7b5d6fe025e5d8cc30374b47036bcafb8a060
-
Filesize
23KB
MD56b6334f6999f4bb7ec08afb35aa20a40
SHA16a12b90c764888885f4fa21356610d88410a6b8b
SHA256bcb0509a260f770e0177ca7d9aed176d011fd4b7e26602e7273de40f89ab6b76
SHA512bc1cda4ff923a3329847821ab1aea15c182bb240d2c2edae9edb349f8e69674d12625d49c6ed31c76c5887ee42570dee097c725c43cb712b31a026552d087bc3
-
Filesize
971B
MD53f20b149d63ec40cf283fac5332d92d8
SHA18ddbbd1ccb7d05a738a972ed41da3197b8f50c5a
SHA2566b363663887965fc8ed8d58764d7bb6c2bfb2c1d11acf67566ff437333230214
SHA51245ca494f8e8a54e2c3190480e80b4ee248d2eac8dc07e4a50fca55f9f1c1c36b8d955557e5e2bfcd7c3babd0c2a6347d7e65499264d41464466028c44dbb37f8
-
Filesize
32KB
MD5c2cbb6ed674e840ea73f777b0a7241cb
SHA1ed0b9f5b1d59a3fb809ca977f57686109e56e010
SHA256ef6144ad3f06e2ce95748b1f09b36326f3fe3df625c2cc5f0268f76de24bbda3
SHA512f5f6cdad1dcae7c0efef3a8a965029cc2d103debdb40321f82ab0c7db9523a3218d7f0867f4057a8189e6b1dbf7ace65ededee053a067b19b4fc312274fff7ff
-
Filesize
18KB
MD55fe4f6f6067b4d3b1eec81a28386c5a8
SHA14db95a0be8c2cec1df896287a68fa4cdbb1acd41
SHA2562d7848d4eab04e5b4e6e3c31e1b39ed4b28cea7acbe0fd48edc533c0275fef5f
SHA512bb4928c48016709ac0a3e8a00f54620308d5437eca4ac81ee953116f1e825c8bf649f9e1742a5a7f2b1ab7a0a8c9e6571644fb6c3bb016996c47d07110795401
-
Filesize
161KB
MD52b85fe26ca828485bff6a454b881a295
SHA1fd448d4a9165bc848a1e6c579010a3ec21b4137e
SHA2567128574752f0a7da1284d589c195aafe25c29f825d7028cebdb21a7ecc44dc00
SHA512310ac39dd9f13d18d87320e1a10167ba206f01819c384dbda341ee8c63d57c6c6cd366f74fa26db94e90904ff5b98388e62905866ee761344f93d532e8f0b2dd
-
Filesize
17KB
MD59147a93f43d8e58218ebcb15fda888c9
SHA18277c722ba478be8606d8429de3772b5de4e5f09
SHA256a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded
SHA512cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705
-
Filesize
549KB
MD5520a6d1cbcc9cf642c625fe814c93c58
SHA1fb517abb38e9ccc67de411d4f18a9446c11c0923
SHA25608966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2
SHA512b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0
-
Filesize
1.4MB
MD5e10f2f6e6379e9185f71aec1421f37b4
SHA1f344ce30310b5609a4dce0bdcdc44f4709cd8fd3
SHA2569681bcfd73c610eb6a9538d872c1e7844548fca341f22fb66ccadb4d78530b4d
SHA51234826d12d997ba1b96d9e720db3ed9d1626fbf8a7a51b1b20a7e54ab9b38692b8b456bad58592ca2db99817b99354e71cd6820ab65c9ca6bfba775c8da1503f3
-
Filesize
9KB
MD599c22d4a31f4ead4351b71d6f4e5f6a1
SHA173207ebe59f6e1073c0d76c8835a312c367b6104
SHA25693a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41
SHA51247b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94
-
Filesize
118B
MD59b15a3a055cc6e67ea191a1b7885649a
SHA1e436256fdebb4bb321444e9fb1d84be9841931fe
SHA256cac11bde0f7967389f9795dc2f2a5aa22b2c51d1a6ab0b0064df72dc3eb192ae
SHA512945ac800a8d941de36a20ba46713bebfcd1a17f6ddf3b47207ed0f29faa933db93476f38cc433b1c480cf723cc7bfbcfdef52d594a4da101384ee07ef10379f0
-
Filesize
1KB
MD50a6b586fabd072bd7382b5e24194eac7
SHA160e3c7215c1a40fbfb3016d52c2de44592f8ca95
SHA2567912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951
SHA512b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4
-
Filesize
843B
MD50da9ab4977f3e7ba8c65734df42fdab6
SHA1b4ed6eea276f1a7988112f3bde0bd89906237c3f
SHA256672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605
SHA5121ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144
-
Filesize
74KB
MD54151a4d07640863783f837e588235837
SHA1549ab876ac211651e77a458fc72859b6b1c304cb
SHA25658475a90250c6818f73763775eea6379e06da6c38e8d2cf0f54eb6112a0a6aee
SHA51219c95b06a7b0c8cb690b8d0c66549ed523f0ef7aac058cc18ecee6dc3623a02ab01b2c4762ac12422a1386f03d76d415d23b30190e13c4613b3d7a4d2f45a094
-
Filesize
94KB
MD53b8a82e04238655eaef97e074fb29911
SHA19723b8595a326b38ecb31f64b3a67c1ed339bb60
SHA2565e49c21b9a15c3a0fddde7ddc32fda220302ee57b8aff66f4f78b370e049410d
SHA512ea0661e687183be31f54184fa33440e55d92bb26408dd9eea87b9a98352a2ab18bc7cc9f93c4d9b414bf618407805ffdd1e1ab65c6e474a9de610a50f485d15d
-
Filesize
89KB
MD59edeb8b1c5c0a4cd3a3016b85108127d
SHA19ec25485a7ff52d1211a28cca095950901669b34
SHA2569bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9
SHA512aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db
-
Filesize
95KB
MD55b6ff470cfa7087690e61f87e81ef78a
SHA10616cde3285284430679368575a5a4ed3672722d
SHA2562d1c0a1b17266cff3be7d46cf3020b176e4a058fd7fc57f7b6b97e0760cc45db
SHA51278018dd3ac7073d3fc7f205d973b41fcd35a08b45bb7f5fe2ccddc803c82e293dd98abd3405cfed9d64734c0bd79e9c7998c843086930a2c29607c6c036f14a3
-
Filesize
93KB
MD56310ab8fc9e3dbee80592fc453a34fee
SHA13b01aa2ce407d89ae218a4cd81d21e3f25077b5b
SHA2567774f2436c96a70b0cdc8176883ee7a4614353f17ad61bfbd5a8d7a1906483d3
SHA51215b284a9a5838656a1c5a0cf765555babfe70f33ddf3155829afb2c3b12cafc360fde3dc2939140f4862b2ede9a8c4d85b6bad13a8c2ee9deee3bc1b05ac22b9
-
Filesize
79KB
MD513ed4517152203de4bc52acc0255d952
SHA1cc9d7d205f965659429b95dd2f317d9d4de8820b
SHA2566183324fe24006bc3d8928029dcaccbdae517eb09727f5dd47ea5aaeed3ee26d
SHA5126b4b9c546f8eec15ea76a36167fabf8908896fda1961e8a929ba04fd74a46ee112b6f3ab4261c27df27028a58a3821f1dc2f4481e16718b2945c0571813d9610
-
Filesize
78KB
MD50d4fb4095ea49c1ec89b9e8db0b936a3
SHA1e263b6fb41e2984cdf8d23a25ef1c536f32c4ec3
SHA2567d86f3ba0232c2ac4b4fce96e4cebb23700312a032d5d0db988ec6b358be1686
SHA512f94a8fbec29e312692c61d42079ebbdd4affd7ac4a9ab4446e4a691fc3c2b5e12ea320e6bf247305b6b381a6bf2a578f1469c4b41f5354783c3bbd9b57d31642
-
Filesize
74KB
MD5d7366b34e8afb605c39ef56e2201fe85
SHA124a1f8ff465746148bb82364713fb75297bc9656
SHA256f7aa6ebf1413a6e4816bcad5b77c47b6bbe0cfc05cafde4aa872abe3fbd5e62b
SHA512a36ebcc3203f419efda6de1296aa413a978ab491b041e8222ff279b98416fd98017e8777367bac20629250e2201443b1a52680848841b8d7298928387ddaca6d
-
Filesize
94KB
MD541bb37a347121f3e5e88d85100638b79
SHA19c57f09a4613b8f44c730511d3cca9121780b630
SHA256320c305177ab4ec6e00883a2cf0886019b5d36557219e4a188cf9df3768f157f
SHA512cce75b337e92e7b42a4683c9559970009492ee0d99c7bd75646d6b8b5341ab40a2bb3ba02ecb0e5455d46db6186ac1111263333b0da007c59ac17cbd68f65e63
-
Filesize
227KB
MD5e0951d3cb1038eb2d2b2b2f336e1ab32
SHA1500f832b1fcd869e390457ff3dc005ba5b8cca96
SHA256507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88
SHA51234b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8
-
Filesize
5KB
MD506fba95313f26e300917c6cea4480890
SHA131beee44776f114078fc403e405eaa5936c4bc3b
SHA256594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1
SHA5127dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd