8102a634bf29b3a5971bc662e5f09793f6ace8185aae6299c29cde3be98fb74c

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 19:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ElectricPublicSetup.exe
Size

340KB
MD5

3d377d00f508a3aa2e8b1e55bac904ca
SHA1

ebd28496f42d9df709f6954912669cdd08d6a5da
SHA256

8102a634bf29b3a5971bc662e5f09793f6ace8185aae6299c29cde3be98fb74c
SHA512

41d11d2b2e6b2aef1d494c532c74590d722bc749f2a597dd1ce2aa3f2bedd18bd8fcf94fa041d1e7066213d55e118f525d899e73962eadc15c8e7440d5a4159a
SSDEEP

6144:ZCg2th6NJmqk0ctVviL2XgTbDItR1MMlf+jqq5hcfmxAWDR:kNtoNJ7kZVKL+gTb85Mo+GMk/

Score

9^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1264	bcdedit.exe

Downloads MZ/PE file

Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	VC_redist.x86.exe

Executes dropped EXE 6 IoCs

pid	Process
4272	VC_redist.x64.exe
388	VC_redist.x64.exe
116	VC_redist.x64.exe
3044	VC_redist.x86.exe
4540	VC_redist.x86.exe
5000	VC_redist.x86.exe

Loads dropped DLL 4 IoCs

pid	Process
388	VC_redist.x64.exe
4840	VC_redist.x64.exe
4540	VC_redist.x86.exe
1840	VC_redist.x86.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{47109d57-d746-4f8b-9618-ed6a17cc922b} = "\"C:\\ProgramData\\Package Cache\\{47109d57-d746-4f8b-9618-ed6a17cc922b}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe

Boot or Logon Autostart Execution: Time Providers 1 TTPs 62 IoCs

The Windows Time service (W32Time) enables time synchronization across and within domains.

persistence

Time Providers

T1547.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainEntryTimeout = "16"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\InputProvider = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\EventLogFlags = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxEntries = "128"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainLoggingRate = "30"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\RequireSecureTimeSyncRequests = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\Enabled = "0"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "32768"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxEntries = "128"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "32768"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\EventLogFlags = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\Enabled = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\EventLogFlags = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainDisable = "0"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainDisable = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\RequireSecureTimeSyncRequests = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainLoggingRate = "30"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\EventLogFlags = "0"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\InputProvider = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainEntryTimeout = "16"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxHostEntries = "4"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxHostEntries = "4"	w32tm.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\VC_redist.x86.exe	ElectricPublicSetup.exe
File opened for modification	C:\Windows\Installer\e584fa2.msi	msiexec.exe
File created	C:\Windows\Installer\e584fb4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5735.tmp	msiexec.exe
File created	C:\Windows\Installer\e584fdc.msi	msiexec.exe
File created	C:\Windows\VC_redist.x64.exe	ElectricPublicSetup.exe
File opened for modification	C:\Windows\Installer\MSI537B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI71E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e584fdd.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}	msiexec.exe
File opened for modification	C:\Windows\Installer\e584fb5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI592A.tmp	msiexec.exe
File created	C:\Windows\Installer\e584fcb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584fcb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e584fca.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0C3457A0-3DCE-4A33-BEF0-9B528C557771}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E4A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI737D.tmp	msiexec.exe
File created	C:\Windows\Installer\e584ff2.msi	msiexec.exe
File created	C:\Windows\Installer\e584fa2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51C5.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e584fdd.msi	msiexec.exe
File created	C:\Windows\Installer\e584fb5.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe

System Time Discovery 1 TTPs 6 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4020	cmd.exe
3736	net.exe
876	net1.exe
2448	cmd.exe
3204	net.exe
3528	net1.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9aa8484b1ca68e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9aa84840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9aa8484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9aa8484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9aa848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\PackageName = "vc_runtimeMinimum_x86.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\ = "{5af95fd8-a22e-458f-acee-c61bd787178e}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Dependents	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}v14.40.33810\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{47109d57-d746-4f8b-9618-ed6a17cc922b}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{5EA6C998-D5AC-4ED9-89C3-9F25B17CCD3D}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Language = "1033"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0C3457A0-3DCE-4A33-BEF0-9B528C557771}v14.40.33810\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\PackageCode = "0F1976868EAF8784585CF1DB265C6A81"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717\VC_Runtime_Minimum	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Version = "237536274"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Version = "237536274"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Version = "237536274"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\PackageCode = "56C1F3EFF13FBC94887129B2E83EB575"	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2936	msedge.exe
2936	msedge.exe
4824	msedge.exe
4824	msedge.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe
1168	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3604	WMIC.exe
Token: SeSecurityPrivilege	3604	WMIC.exe
Token: SeTakeOwnershipPrivilege	3604	WMIC.exe
Token: SeLoadDriverPrivilege	3604	WMIC.exe
Token: SeSystemProfilePrivilege	3604	WMIC.exe
Token: SeSystemtimePrivilege	3604	WMIC.exe
Token: SeProfSingleProcessPrivilege	3604	WMIC.exe
Token: SeIncBasePriorityPrivilege	3604	WMIC.exe
Token: SeCreatePagefilePrivilege	3604	WMIC.exe
Token: SeBackupPrivilege	3604	WMIC.exe
Token: SeRestorePrivilege	3604	WMIC.exe
Token: SeShutdownPrivilege	3604	WMIC.exe
Token: SeDebugPrivilege	3604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3604	WMIC.exe
Token: SeRemoteShutdownPrivilege	3604	WMIC.exe
Token: SeUndockPrivilege	3604	WMIC.exe
Token: SeManageVolumePrivilege	3604	WMIC.exe
Token: 33	3604	WMIC.exe
Token: 34	3604	WMIC.exe
Token: 35	3604	WMIC.exe
Token: 36	3604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3604	WMIC.exe
Token: SeSecurityPrivilege	3604	WMIC.exe
Token: SeTakeOwnershipPrivilege	3604	WMIC.exe
Token: SeLoadDriverPrivilege	3604	WMIC.exe
Token: SeSystemProfilePrivilege	3604	WMIC.exe
Token: SeSystemtimePrivilege	3604	WMIC.exe
Token: SeProfSingleProcessPrivilege	3604	WMIC.exe
Token: SeIncBasePriorityPrivilege	3604	WMIC.exe
Token: SeCreatePagefilePrivilege	3604	WMIC.exe
Token: SeBackupPrivilege	3604	WMIC.exe
Token: SeRestorePrivilege	3604	WMIC.exe
Token: SeShutdownPrivilege	3604	WMIC.exe
Token: SeDebugPrivilege	3604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3604	WMIC.exe
Token: SeRemoteShutdownPrivilege	3604	WMIC.exe
Token: SeUndockPrivilege	3604	WMIC.exe
Token: SeManageVolumePrivilege	3604	WMIC.exe
Token: 33	3604	WMIC.exe
Token: 34	3604	WMIC.exe
Token: 35	3604	WMIC.exe
Token: 36	3604	WMIC.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeShutdownPrivilege	116	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	116	VC_redist.x64.exe
Token: SeSecurityPrivilege	1168	msiexec.exe
Token: SeCreateTokenPrivilege	116	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	116	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	116	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	116	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	116	VC_redist.x64.exe
Token: SeTcbPrivilege	116	VC_redist.x64.exe
Token: SeSecurityPrivilege	116	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	116	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	116	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	116	VC_redist.x64.exe
Token: SeSystemtimePrivilege	116	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	116	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	116	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	116	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	116	VC_redist.x64.exe
Token: SeBackupPrivilege	116	VC_redist.x64.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 3980	1744	ElectricPublicSetup.exe	89
PID 1744 wrote to memory of 3980	1744	ElectricPublicSetup.exe	89
PID 3980 wrote to memory of 4824	3980	cmd.exe	90
PID 3980 wrote to memory of 4824	3980	cmd.exe	90
PID 1744 wrote to memory of 4764	1744	ElectricPublicSetup.exe	92
PID 1744 wrote to memory of 4764	1744	ElectricPublicSetup.exe	92
PID 4824 wrote to memory of 968	4824	msedge.exe	93
PID 4824 wrote to memory of 968	4824	msedge.exe	93
PID 4764 wrote to memory of 3604	4764	cmd.exe	94
PID 4764 wrote to memory of 3604	4764	cmd.exe	94
PID 1744 wrote to memory of 4680	1744	ElectricPublicSetup.exe	95
PID 1744 wrote to memory of 4680	1744	ElectricPublicSetup.exe	95
PID 4680 wrote to memory of 1264	4680	cmd.exe	96
PID 4680 wrote to memory of 1264	4680	cmd.exe	96
PID 1744 wrote to memory of 4624	1744	ElectricPublicSetup.exe	97
PID 1744 wrote to memory of 4624	1744	ElectricPublicSetup.exe	97
PID 4624 wrote to memory of 2060	4624	cmd.exe	98
PID 4624 wrote to memory of 2060	4624	cmd.exe	98
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 3300	4824	msedge.exe	99
PID 4824 wrote to memory of 2936	4824	msedge.exe	100
PID 4824 wrote to memory of 2936	4824	msedge.exe	100
PID 4824 wrote to memory of 1760	4824	msedge.exe	101
PID 4824 wrote to memory of 1760	4824	msedge.exe	101
PID 4824 wrote to memory of 1760	4824	msedge.exe	101
PID 4824 wrote to memory of 1760	4824	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ElectricPublicSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ElectricPublicSetup.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://www.sordum.org/9480/defender-control-v2-1/ 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.sordum.org/9480/defender-control-v2-1/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe7f0746f8,0x7ffe7f074708,0x7ffe7f074718
      4⤵
      PID:968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4052326567212856002,10685676313215388183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:3300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4052326567212856002,10685676313215388183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4052326567212856002,10685676313215388183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
      4⤵
      PID:1760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4052326567212856002,10685676313215388183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:2512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4052326567212856002,10685676313215388183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype auto 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set hypervisorlaunchtype auto
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sfc /scannow 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\system32\sfc.exe
    sfc /scannow
    3⤵
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\VC_redist.x64.exe /setup /q /norestart 2>nul
  2⤵
  PID:4292
- - C:\Windows\VC_redist.x64.exe
    C:\Windows\VC_redist.x64.exe /setup /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4272
  - - C:\Windows\Temp\{9DD7E603-C49E-470C-8CE0-EFD49F59EDB5}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{9DD7E603-C49E-470C-8CE0-EFD49F59EDB5}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Windows\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /setup /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:388
    - - C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{A852EA08-0C89-4693-8132-76972074C128} {3093E914-177C-48BC-BD78-EC864FE30E16} 388
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1052 -burn.embedded BurnPipe.{CB70E85C-4BAB-430C-8753-2C5A66C833C1} {683E276E-7579-4FBE-82C5-51CB1B51AF36} 116
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1052 -burn.embedded BurnPipe.{CB70E85C-4BAB-430C-8753-2C5A66C833C1} {683E276E-7579-4FBE-82C5-51CB1B51AF36} 116
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D4E78B4E-D211-4589-9E16-22643EBC1A52} {804BBC5E-DCB4-4FB6-9F1D-3E2C2C9A4E0A} 4840
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\VC_redist.x86.exe /setup /q /norestart 2>nul
  2⤵
  PID:2936
- - C:\Windows\VC_redist.x86.exe
    C:\Windows\VC_redist.x86.exe /setup /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3044
  - - C:\Windows\Temp\{8313514E-E221-44B0-A63B-ABFF6179B310}\.cr\VC_redist.x86.exe
      "C:\Windows\Temp\{8313514E-E221-44B0-A63B-ABFF6179B310}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Windows\VC_redist.x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /setup /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4540
    - - C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{C68A0A30-A426-4FE8-82AC-23FA50856142} {54A7C384-7E35-486E-A6DF-ED8917437CA8} 4540
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=980 -burn.embedded BurnPipe.{358A810D-ED18-4B82-9CC7-1DC7FA8DBA1B} {393A7FCD-48FF-4BB6-BFBD-02C773834EB3} 5000
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=980 -burn.embedded BurnPipe.{358A810D-ED18-4B82-9CC7-1DC7FA8DBA1B} {393A7FCD-48FF-4BB6-BFBD-02C773834EB3} 5000
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{3104980A-7350-48C0-8B4F-5679BEE66D75} {50282E23-7812-43DD-A375-8FAC2D16C695} 1840
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /register 2>nul
  2⤵
  PID:2012
- - C:\Windows\system32\w32tm.exe
    w32tm /register
    3⤵
    - Server Software Component: Terminal Services DLL
    - Boot or Logon Autostart Execution: Time Providers
    PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop w32time 2>nul
  2⤵
  - System Time Discovery
  PID:2448
- - C:\Windows\system32\net.exe
    net stop w32time
    3⤵
    - System Time Discovery
    PID:3204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop w32time
      4⤵
      System Time Discovery
      PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /unregister 2>nul
  2⤵
  PID:3816
- - C:\Windows\system32\w32tm.exe
    w32tm /unregister
    3⤵
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /register 2>nul
  2⤵
  PID:1508
- - C:\Windows\system32\w32tm.exe
    w32tm /register
    3⤵
    - Server Software Component: Terminal Services DLL
    - Boot or Logon Autostart Execution: Time Providers
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time 2>nul
  2⤵
  - System Time Discovery
  PID:4020
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    - System Time Discovery
    PID:3736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      System Time Discovery
      PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync 2>nul
  2⤵
  PID:716
- - C:\Windows\system32\w32tm.exe
    w32tm /resync
    3⤵
    PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get version | findstr /R "[0-9]\.[0-9]\.[0-9]"
  2⤵
  PID:2680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get version
    3⤵
    PID:2912
- - C:\Windows\system32\findstr.exe
    findstr /R "[0-9]\.[0-9]\.[0-9]"
    3⤵
    PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Time Providers

T1547.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Time Providers

T1547.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584fa7.rbs

Filesize
19KB

MD5
a7aee0afca95fb0cc83b0d3ac14a54ce

SHA1
944e33a13be67b5ea8810ec07e005457d317638e

SHA256
2aa2bec8b3c8496b54e202e4234ab1077ce97e0d8bafa98aff0744f6acde5900

SHA512
251f3a6dd1dff059126258bd1317dbd4fb41bcca134637d014460620f5f2649c60a1c9266237210e53a8d071947a7b0508ba003484d9f936f703ebcab0a7fd3d

Download Submit
C:\Config.Msi\e584fb3.rbs

Filesize
19KB

MD5
0c0f59cc4991e4e5a1094bbd90bfafcf

SHA1
81d81ab41aa60de4e0ece4e3bc06e2b2772002ef

SHA256
a9f3172919b854fcf3665d57cf06f527e2d952ef6b8b5a6a1f7fa8b888b0f941

SHA512
e3ba42ea3bfaa4b1b0bd7e152cb37df96fa3b2f3fd6089a0bbbd1f3c644c110f3b6ca3b38cbd3e691a10d29f57ddda98457312c3798654e1e31bb41621c97655

Download Submit
C:\Config.Msi\e584fba.rbs

Filesize
21KB

MD5
aa1dc423480999d9bf177416530ad592

SHA1
f0e5e7df4e50168568adbb034191ae399c9b7570

SHA256
c56dc2a8b1c6cbdf9053d55655d16ab2de8f0aff1e41f92758072cf072e7f503

SHA512
b9cf4087a8ddb9307bcdd0e72af2db34cb7d1483509bf3915eed4e16f5226cbbfb7f565aef1d22c5ab1294e93c08dd7438d62a9ae92e5d4b0e941a7f7794e9a7

Download Submit
C:\Config.Msi\e584fc9.rbs

Filesize
21KB

MD5
985c2c16917337deb0127a508f848c15

SHA1
1f89e24a54154cb38784e0338ab9abec50844604

SHA256
9c2ff4b1a4f77e3e65e51b5508781fd693de9241c41e3510a30123e40acfa9cc

SHA512
ff5d2e87633e86c721394957eaef5a8a8d0c92affb42ca654f484dd5aced87a8c4f9fd5c11802884c66d8fb0ab5be33126f566cb8115c429e0081c1c26c893c9

Download Submit
C:\Config.Msi\e584fd0.rbs

Filesize
16KB

MD5
0cf68188ed6df32345031e43970e4568

SHA1
e15b20a166755243079269db7aacd65726cc6a29

SHA256
83e7af144df6c0b2f48e4914a7e2b3b6db78b6ac7857fcae772651c5cb07d843

SHA512
50b18a2048f17345475302da0bb45310b32ad3c7641f194210a806dbd9ea524f2618eb04ff2f2b68c070a84cfbe934b0c685c85728a70cadc56f5251f6844352

Download Submit
C:\Config.Msi\e584fd5.rbs

Filesize
18KB

MD5
3456bc712b0206fabae30298ad2e9464

SHA1
f83f3edad0c0f000f289694e02d22ac3a4ca1101

SHA256
dabe310d26ebcf8910dc4d3e75485c9a1811139c76bfaf076c3543b40849a97b

SHA512
da0b662a574c777678fad49ab1a3a0f9209760dbce5373418fff1027e3cd85e20787342f85a395278500f5013137dc2e0ec1e676aa5962232169c4b0654aaced

Download Submit
C:\Config.Msi\e584fe2.rbs

Filesize
20KB

MD5
7a17eb48f7f8300a76061668af398b43

SHA1
c6d8e68219742284401e784616ffdffa43d82673

SHA256
e31687573f1cf29bf5770a7f556f679d276cd2e6e4ea6f1cd145f7a803f041aa

SHA512
ed0a78397458dbc6a696621b82ecf09da6970dc814f6395b977692fa19cddb8419048a00d268f77a57e42a8ea774bd6fe0b06b27cf01a09257b08d66af761014

Download Submit
C:\Config.Msi\e584ff1.rbs

Filesize
19KB

MD5
cb905e6ef47f9635bd896e31d89005c9

SHA1
b3e9d4041c77f5ef1bcf48284f5111416ec73077

SHA256
b2fc99f95ad54cc7128cf37d7750bf836d7c80b291a23116c3ffaa1c7a68d643

SHA512
4caf9ad849e3f800917cb21787d2f9ad2668e12c83a3430410d60d83ac666894f1d0cdd82c199436fc661d75ac5dfda8553fee105f522f276ec2a842641e4427

Download Submit
C:\ProgramData\Package Cache\{5af95fd8-a22e-458f-acee-c61bd787178e}\state.rsm

Filesize
820B

MD5
8fb0f7b82fd7c06e0f150548c7bb15c7

SHA1
f43fb5a64809556dbd7919725efa1c4091be8621

SHA256
e6e2cefa71de0c75fd79f59bfa04a99b18734541ad5a824478a7bf6c68260393

SHA512
93332ea148ebbab0de94003b186e53ae7ccb07eac33c4951cf36040b3c35fb53d8464ab2f895510c478200bb03c79a2a2491e015ead5807b24f1d6fc0edf79af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
d836ca02a524f178f9c1c15731a75c66

SHA1
f53bd381fbc492a8b5d445ed385ca828566ec29a

SHA256
83d0dca397aaa52de556ea81532d2f8a23169693b5de5e7bad7cb12db2302667

SHA512
09e6b26a9db6b20bbe8cd44848139d39d0a93f4f1b301ee47be47ab55ef6ae25bd0c2a41cbc9082705153b2adf4e5c7eb883d17781ddbdd3b4bf908ab351abf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
16dddf3e8ddd35b6cb722eb29b0f2e78

SHA1
fa0ad23c75a1cf433946166dab94aefeb25efdba

SHA256
62e8be136255cdfcf0c365f6ae914eeb17e84183580c76946e7dc63718deaa85

SHA512
2e8539821ca4e8981ccfd02003dfde3938e243380082762ef8d29293251a7c76a7ec63d42ab072faa29686e2125cec80ac43bb513ab673e62ca8a214e19b8d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
802be7b42da967895ba7186fb2000799

SHA1
c4c1560bd6a3ade5eb5433b529bf15634ac79458

SHA256
9b9e551caa981963de73018a9e03b97de53a30e588c33a14e7f7057263692a1e

SHA512
808504eafead3cb1544767b775880aee54f9c81dd47585b1301c221192afbc9b4095151071800913a24dc5d168b1d73fac1d0aa77b46fedef0d1187fe98e9618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
586cc27afcbf4cd39ae2398cfcb1e388

SHA1
9b228666da05caa23d6e4ad887dac47678220994

SHA256
ca86b75876ee0d2787a71dd44ec141e8583fc5fe94d45283b06967feef7f6d57

SHA512
ca90d123a3d087b1d29f6d931cf74078bc019296d5c3360e49bcfe7550c5d8682925bab227f97fea8a5d54c01b43070fc14ea1da3985461ce9754f3a9e07ac2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8608d0e7ff5922ce3bf1cf0209e6f8ee

SHA1
c98141082906422560275b77f59fccccbebb29a9

SHA256
82f5145cfe2711ca1215d102fe2b0fe455db5dbf28a37cd4aec40b8af5003247

SHA512
51f275521812a7fd3bcafb84f2c4e04789166097b01a308dd463fea8a0638219027a365def3c557106cc5ccd0307eb2260d87f3ba676a04be067fb8fe344a557

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240808195945_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
fbb00889913eb83960e29800952a7991

SHA1
1c8d41c937cccbbd263f25f9d743e902b45eab7d

SHA256
dffe472a101dcab056acee280d1f5e05fdb30f00a1ce3a63453b6ec15d32fefc

SHA512
ad858ea333d4b4e82c6bf64bd8bcb386c6fe72659b0271ae4788b656249c019cefe4eb656e25bbf6ec70571f55af5756bb06795f5bebe2573a129bfeb6f5509b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240808195945_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
531a23e92b48956ac614aa72b10b525e

SHA1
2389b8eef9311dbdf8622239352b5f9d99d076d1

SHA256
c181129167cd29f60d54109a5ff4fe688f5fa09dedb44a5bcd0e75a3cc9dcb75

SHA512
c328170aaf86675801caa02582d18e69bd13550bc8e4adb7dff7f78752389db7b2914a207310204d7ca6772f74ac3fb45b3787f596f2d4fd2741a3bc839210d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240808200000_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
5ee3ee3c1b1d6c837c8c4baa1d79e601

SHA1
cfbe1d48248289347d95c1fc62459e8e78131852

SHA256
67d402f54136fae0ac9b14898356308f7a3f601a26b8c1746370560ffd4be00d

SHA512
2e2210429b775b6c0cdb8da1dcc86eeaba4f3add987356e5f15bb6e9a9314e0756113032983cb86bf1345d9903370bfd3ee671fef4103e1c5f4a69e78ac6c95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240808200000_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
5b9b75fe0d7141443eb7e69d055533b2

SHA1
a4b4106ebed73d9f1a3fb87d7ae50ddde09c21a3

SHA256
f70acbf76e8fc40dfa898013b9dae042e14947a41c073d64e3103772efc82b3e

SHA512
bf1a0cd051a7f9678041ddb471f6db6734a1064aaae4b877b41a423bce641e592d7e07ba71835ae436c79dced360d171ec7c6b1889e79eca82664acc33131179

Download Submit
C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d5a3fd8ad806f66d33d652d5913a95b3

SHA1
7b1bb6cdbe700acc2434dc52c40cdd96a6462a17

SHA256
cc001c20f85e16015e0d23eb0c3a9bc3c3cdcc1adda53f88ac77dd29705ba01a

SHA512
594d710133f44049546c62c3c89614415ad776c24f3ada0a8d1724e6daf27f941eba43a05a096d90cdf51ad51c02462edd6308e2aa393cb8325fde256ed77037

Download Submit
C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\cab5046A8AB272BF37297BB7928664C9503

Filesize
962KB

MD5
8eccd85b6c4273a28a54b0687feb6a96

SHA1
be791128af5713d407df2f7436ea8de1a80ca725

SHA256
8fafd6d0754ee53125902df1b67ef2db86eb7af4c097522f2fb58443501fecdd

SHA512
9fdcb359a5748d0d920e1e12cf31de42fa224840fd11e5878f7caff7c4495b4facacf1a58cdaf0caadd0d9a3af871870b755245d2c1af33f07f3229b85101da0

Download Submit
C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
5fc68510b7425822a9d0928567ffbd1b

SHA1
f506d97ceac3c435ce6bafda7c47d9a35fc57714

SHA256
7489cdde6a0c8aadb3253f22c460c2dc8099ba677f42d46b277f7040327c9b28

SHA512
4dd4d99ace30eb1add9ae225f159f68636d42d1899acb50f616717f05045e402a2bbb76e4d86569a08ae74bb161b3911a73910fcc7044429da34159cf6b9f473

Download Submit
C:\Windows\Temp\{584BBD9F-18F1-4D85-9EED-6C4D89308AE6}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
C:\Windows\Temp\{8313514E-E221-44B0-A63B-ABFF6179B310}\.cr\VC_redist.x86.exe

Filesize
634KB

MD5
337b547d2771fdad56de13ac94e6b528

SHA1
3aeecc5933e7d8977e7a3623e8e44d4c3d0b4286

SHA256
81873c2f6c8bc4acaad66423a1b4d90e70214e59710ea7f11c8aeb069acd4cd0

SHA512
0d0102fafb7f471a6836708d81952f2c90c2b126ad1b575f2e2e996540c99f7275ebd1f570cafcc945d26700debb1e86b19b090ae5cdec2326dd0a6a918b7a36

Download Submit
C:\Windows\Temp\{9DD7E603-C49E-470C-8CE0-EFD49F59EDB5}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\.ba\license.rtf

Filesize
9KB

MD5
04b33f0a9081c10e85d0e495a1294f83

SHA1
1efe2fb2d014a731b752672745f9ffecdd716412

SHA256
8099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b

SHA512
d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685

Download Submit
C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\.ba\thm.wxl

Filesize
2KB

MD5
fbfcbc4dacc566a3c426f43ce10907b6

SHA1
63c45f9a771161740e100faf710f30eed017d723

SHA256
70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce

SHA512
063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

Download Submit
C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\.ba\thm.xml

Filesize
8KB

MD5
f62729c6d2540015e072514226c121c7

SHA1
c1e189d693f41ac2eafcc363f7890fc0fea6979c

SHA256
f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916

SHA512
cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471

Download Submit
C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
822KB

MD5
25bd21af44d3968a692e9b8a85f5c11d

SHA1
d805d1624553199529a82151f23a1330ac596888

SHA256
f4576ef2e843c282d2a932f7c55d71cc3fcbb35b0a17a0a640eb5f21731cc809

SHA512
ed3660183bf4e0d39e4f43a643007afc143b1d4ec0b45f0fdce28d8e896f646ec24a2a7a5429e8b10f4379cb4ffd1572adba10fc426990d05c0cafefdd87a4fb

Download Submit
C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
4.9MB

MD5
3a7979fbe74502ddc0a9087ee9ca0bdf

SHA1
3c63238363807c2f254163769d0a582528e115af

SHA256
7327d37634cc8e966342f478168b8850bea36a126d002c38c7438a7bd557c4ca

SHA512
6435db0f210ad317f4cd00bb3300eb41fb86649f7a0e3a05e0f64f8d0163ab53dbdb3c98f99a15102ce09fcd437a148347bab7bfd4afe4c90ff2ea05bb4febff

Download Submit
C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\vcRuntimeAdditional_x86

Filesize
180KB

MD5
2ba51e907b5ee6b2aef6dfe5914ae3e3

SHA1
6cc2c49734bf9965fe0f3977705a417ed8548718

SHA256
be137dc2b1ec7e85ae7a003a09537d3706605e34059361404ea3110874895e3a

SHA512
e3ba5aa8f366e3b1a92d8258daa74f327248fb21f168b7472b035f8d38f549f5f556eb9093eb8483ca51b78e9a77ee6e5b6e52378381cce50918d81e8e982d47

Download Submit
C:\Windows\Temp\{D3C4A426-91B2-4417-81A4-58CEE014CD11}\vcRuntimeMinimum_x86

Filesize
180KB

MD5
828f217e9513cfff708ffe62d238cfc5

SHA1
9fb65d4edb892bf940399d5fd6ae3a4b15c2e4ba

SHA256
a2ad58d741be5d40af708e15bf0dd5e488187bf28f0b699d391a9ef96f899886

SHA512
ffc72b92f1431bbd07889e28b55d14ea11f8401e2d0b180e43a898914209893941affacc0a4ea34eeefc9b0ca4bc84a3045591cd98aae6bdb11ae831dc6bb121

Download Submit
C:\Windows\VC_redist.x64.exe

Filesize
24.2MB

MD5
1d545507009cc4ec7409c1bc6e93b17b

SHA1
84c61fadf8cd38016fb7632969b3ace9e54b763a

SHA256
3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

SHA512
5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104

Download Submit
C:\Windows\VC_redist.x86.exe

Filesize
13.2MB

MD5
8457542fd4be74cb2c3a92b3386ae8e9

SHA1
198722b4f5fc62721910569d9d926dce22730c22

SHA256
a32dd41eaab0c5e1eaa78be3c0bb73b48593de8d97a7510b97de3fd993538600

SHA512
91a6283f774f9e2338b65aa835156854e9e76aed32f821b13cfd070dd6c87e1542ce2d5845beb5e4af1ddb102314bb6e0ad6214d896bb3e387590a01eae0c182

Download Submit
memory/1012-372-0x0000000000920000-0x0000000000997000-memory.dmp

Filesize
476KB

Download
memory/1840-688-0x0000000000ED0000-0x0000000000F47000-memory.dmp

Filesize
476KB

Download
memory/2340-689-0x0000000000ED0000-0x0000000000F47000-memory.dmp

Filesize
476KB

Download
memory/4484-651-0x0000000000ED0000-0x0000000000F47000-memory.dmp

Filesize
476KB

Download
memory/4840-409-0x0000000000920000-0x0000000000997000-memory.dmp

Filesize
476KB

Download
memory/4844-410-0x0000000000920000-0x0000000000997000-memory.dmp

Filesize
476KB

Download