a652ee8c16aec1d60c7b9c4dc2fb8accfda87992cf4e85a042e69d0fd18a44b9

Analysis

max time kernel
99s
max time network
165s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Beat Banger - SteamGG.NET/_Redist/install_all.bat
Size

1KB
MD5

eb55aae630088c91b88d2bfae4115ea0
SHA1

1495c69946edca474fe30c2b713aacb9f03bbf3a
SHA256

492ee4c16ac45a5483088583c9caa08252d3a1bb3922dbbec834d61673538f17
SHA512

48e4a3fa644b1859131cfec782641aaee9938c88f939ca0509df0f4120b922187753ce7cd7d912d2f90108526ba34d767baa28c9eeeb25d43fff77d38ddfd882

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

install.exeinstall.exeSetup.exeSetup.exe

pid process

2824 install.exe
4324 install.exe
3556 Setup.exe
1176 Setup.exe

pid	process
2824	install.exe
4324	install.exe
3556	Setup.exe
1176	Setup.exe

Loads dropped DLL 16 IoCs

Processes:

MsiExec.exeMsiExec.exeinstall.exeinstall.exeSetup.exeSetup.exevcredist2012_x86.exe

pid	process
4364	MsiExec.exe
4364	MsiExec.exe
4600	MsiExec.exe
2824	install.exe
4324	install.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
3720	vcredist2012_x86.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vcredist2005_x86.exevcredist2005_x64.exevcredist2012_x86.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240902193350.log\" /passive /norestart ignored /burn.runonce"	vcredist2012_x86.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

3 3800 msiexec.exe

flow	pid	process
3	3800	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in System32 directory 36 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm100u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\atl100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm100u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\atl100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100chs.dll	msiexec.exe

Drops file in Program Files directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\WinSxS\InstallTemp\20240902193326845.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337157.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\mfc80ESP.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CE7.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326767.0\msvcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326798.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326798.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326845.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326923.1\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337142.0\ATL80.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e5828e5.msp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326923.0\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326938.0\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193326798.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337142.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326735.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326767.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337157.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat	msiexec.exe
File created	C:\Windows\Installer\e5828ec.msp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326845.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326735.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.manifest	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193326938.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337345.1\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E3D.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\mfc80JPN.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326923.0\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193326923.0	msiexec.exe
File opened for modification	C:\Windows\Installer\e5828d5.msi	msiexec.exe
File created	C:\Windows\Installer\e5828d5.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337204.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326845.0\mfc80JPN.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337329.0\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193326923.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337204.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326798.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193337204.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326938.1\8.0.50727.6195.policy	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326798.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326845.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337329.1\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193337157.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326845.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337157.0\msvcm80.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e5828ec.msp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI825B.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326938.2\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193326938.2	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193337329.1	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240902193337345.1	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326938.2\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B8E.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326767.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193326923.1\8.0.50727.6195.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337313.0\vcomp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240902193337267.0\mfc80ENU.dll	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 2 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exemsiexec.exe

pid process

3800 msiexec.exe
1208 msiexec.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5004 3720 WerFault.exe vcredist2012_x86.exe

pid	pid_target	process	target process
5004	3720	WerFault.exe	vcredist2012_x86.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msiexec.exemsiexec.exeMsiExec.exeSetup.exevcredist2010_x64.exevcredist2005_x64.exevcredist2008_x86.exevcredist2010_x86.exeSetup.exevcredist2005_x86.exeinstall.exeMsiExec.exevcredist2008_x64.exevcredist2012_x86.exevcredist2012_x86.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2010_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2005_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2008_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2010_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2005_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2008_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x86.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

msiexec.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1d	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFCLOC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0027002a005b0069005b00320062006e004100340070006b0046005d006b004b0057007e005800300000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e004e002e004b004300300068004d0064007b00340060006d002b00380039004f002e002e003100540000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800360034003e0049005b00280055004d0049005b007600260036006a006d005f004f0071005400570060004100370000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32-policy" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800360034003e004d0059006800540068002a003300600053003300260021006b00460048006f00490055007600570000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0\SourceList\Net\2 = "f:\\bbe19d3181f328979a264388\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\FT_VC_Redist_ATL_x64 = "VC_Redist_12222_amd64_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e00550029004600250024002a0025005a00370038002c005d007b002d007400430064004f003700310000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800360034003e00360057002e002700490055007a0028005000330071003f0064004c0051004e00440029002500290000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Patches\Patches = 3400440035003400300037003600430045004400340046003500420041003300320042004200440033004500350046004100440031004300440034004300390000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\LastUsedSource = "n;2;f:\\dcc1fad07d9e46cd70503a822f\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2549743 = "Servicing_Key"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32-policy" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800360034003e006a0068004f00670050007e006b003600580037002e00580036005000780024002e0028005f00530000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\FT_VC_Redist_MFCLOC_x64 = "VC_Redist_12222_amd64_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\FT_VC_Redist_OpenMP_x64 = "VC_Redist_12222_amd64_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\ProductName = "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\SourceList\LastUsedSource = "n;2;f:\\146c0fd1d85f94a44c4c3e28e5\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\FT_VCRedist_x86_KB2565063_Detection	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\c1c4f01781cc94c4c8fb1542c0981a2a	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e0032005f0072002700710025004a006a004a0034007600780044002800660049004c0067005a00780000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32-policy" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800360034003e007900700040005500210076003f005400490037006c007a004c00450075005a003d005a003100730000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_OpenMP_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Version = "167812379"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\LastUsedSource = "n;2;f:\\f5d3389bbbf4201e9ba767202c4e\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2544655 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800360034003e0061005b0046005f0031006a0048006a005d003300680065005f004f005400590026006b003f00400000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2565063 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches\2D0058F6F08A743309184BE1178C95B2 = ":SP1.1;:#SP1.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\KB2524860 = "Servicing_Key"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

msiexec.exeSetup.exeSetup.exe

pid	process
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
3556	Setup.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
1176	Setup.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe
432	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3800	msiexec.exe
Token: SeSecurityPrivilege	432	msiexec.exe
Token: SeCreateTokenPrivilege	3800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3800	msiexec.exe
Token: SeLockMemoryPrivilege	3800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3800	msiexec.exe
Token: SeMachineAccountPrivilege	3800	msiexec.exe
Token: SeTcbPrivilege	3800	msiexec.exe
Token: SeSecurityPrivilege	3800	msiexec.exe
Token: SeTakeOwnershipPrivilege	3800	msiexec.exe
Token: SeLoadDriverPrivilege	3800	msiexec.exe
Token: SeSystemProfilePrivilege	3800	msiexec.exe
Token: SeSystemtimePrivilege	3800	msiexec.exe
Token: SeProfSingleProcessPrivilege	3800	msiexec.exe
Token: SeIncBasePriorityPrivilege	3800	msiexec.exe
Token: SeCreatePagefilePrivilege	3800	msiexec.exe
Token: SeCreatePermanentPrivilege	3800	msiexec.exe
Token: SeBackupPrivilege	3800	msiexec.exe
Token: SeRestorePrivilege	3800	msiexec.exe
Token: SeShutdownPrivilege	3800	msiexec.exe
Token: SeDebugPrivilege	3800	msiexec.exe
Token: SeAuditPrivilege	3800	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3800	msiexec.exe
Token: SeChangeNotifyPrivilege	3800	msiexec.exe
Token: SeRemoteShutdownPrivilege	3800	msiexec.exe
Token: SeUndockPrivilege	3800	msiexec.exe
Token: SeSyncAgentPrivilege	3800	msiexec.exe
Token: SeEnableDelegationPrivilege	3800	msiexec.exe
Token: SeManageVolumePrivilege	3800	msiexec.exe
Token: SeImpersonatePrivilege	3800	msiexec.exe
Token: SeCreateGlobalPrivilege	3800	msiexec.exe
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe
Token: SeBackupPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeBackupPrivilege	4032	srtasks.exe
Token: SeRestorePrivilege	4032	srtasks.exe
Token: SeSecurityPrivilege	4032	srtasks.exe
Token: SeTakeOwnershipPrivilege	4032	srtasks.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeBackupPrivilege	4032	srtasks.exe
Token: SeRestorePrivilege	4032	srtasks.exe
Token: SeSecurityPrivilege	4032	srtasks.exe
Token: SeTakeOwnershipPrivilege	4032	srtasks.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msiexec.exemsiexec.exeinstall.exeinstall.exevcredist2012_x86.exe

pid	process
3800	msiexec.exe
3800	msiexec.exe
1208	msiexec.exe
1208	msiexec.exe
2824	install.exe
2824	install.exe
4324	install.exe
4324	install.exe
3720	vcredist2012_x86.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

cmd.exevcredist2005_x86.exemsiexec.exevcredist2005_x64.exevcredist2008_x86.exevcredist2008_x64.exevcredist2010_x86.exevcredist2010_x64.exevcredist2012_x86.exe

description	pid	process	target process
PID 3432 wrote to memory of 3956	3432	cmd.exe	vcredist2005_x86.exe
PID 3432 wrote to memory of 3956	3432	cmd.exe	vcredist2005_x86.exe
PID 3432 wrote to memory of 3956	3432	cmd.exe	vcredist2005_x86.exe
PID 3956 wrote to memory of 3800	3956	vcredist2005_x86.exe	msiexec.exe
PID 3956 wrote to memory of 3800	3956	vcredist2005_x86.exe	msiexec.exe
PID 3956 wrote to memory of 3800	3956	vcredist2005_x86.exe	msiexec.exe
PID 432 wrote to memory of 4032	432	msiexec.exe	srtasks.exe
PID 432 wrote to memory of 4032	432	msiexec.exe	srtasks.exe
PID 432 wrote to memory of 4364	432	msiexec.exe	MsiExec.exe
PID 432 wrote to memory of 4364	432	msiexec.exe	MsiExec.exe
PID 432 wrote to memory of 4364	432	msiexec.exe	MsiExec.exe
PID 3432 wrote to memory of 2668	3432	cmd.exe	vcredist2005_x64.exe
PID 3432 wrote to memory of 2668	3432	cmd.exe	vcredist2005_x64.exe
PID 3432 wrote to memory of 2668	3432	cmd.exe	vcredist2005_x64.exe
PID 2668 wrote to memory of 1208	2668	vcredist2005_x64.exe	msiexec.exe
PID 2668 wrote to memory of 1208	2668	vcredist2005_x64.exe	msiexec.exe
PID 2668 wrote to memory of 1208	2668	vcredist2005_x64.exe	msiexec.exe
PID 432 wrote to memory of 4600	432	msiexec.exe	MsiExec.exe
PID 432 wrote to memory of 4600	432	msiexec.exe	MsiExec.exe
PID 432 wrote to memory of 4600	432	msiexec.exe	MsiExec.exe
PID 3432 wrote to memory of 1108	3432	cmd.exe	vcredist2008_x86.exe
PID 3432 wrote to memory of 1108	3432	cmd.exe	vcredist2008_x86.exe
PID 3432 wrote to memory of 1108	3432	cmd.exe	vcredist2008_x86.exe
PID 1108 wrote to memory of 2824	1108	vcredist2008_x86.exe	install.exe
PID 1108 wrote to memory of 2824	1108	vcredist2008_x86.exe	install.exe
PID 1108 wrote to memory of 2824	1108	vcredist2008_x86.exe	install.exe
PID 3432 wrote to memory of 1884	3432	cmd.exe	vcredist2008_x64.exe
PID 3432 wrote to memory of 1884	3432	cmd.exe	vcredist2008_x64.exe
PID 3432 wrote to memory of 1884	3432	cmd.exe	vcredist2008_x64.exe
PID 1884 wrote to memory of 4324	1884	vcredist2008_x64.exe	install.exe
PID 1884 wrote to memory of 4324	1884	vcredist2008_x64.exe	install.exe
PID 3432 wrote to memory of 920	3432	cmd.exe	vcredist2010_x86.exe
PID 3432 wrote to memory of 920	3432	cmd.exe	vcredist2010_x86.exe
PID 3432 wrote to memory of 920	3432	cmd.exe	vcredist2010_x86.exe
PID 920 wrote to memory of 3556	920	vcredist2010_x86.exe	Setup.exe
PID 920 wrote to memory of 3556	920	vcredist2010_x86.exe	Setup.exe
PID 920 wrote to memory of 3556	920	vcredist2010_x86.exe	Setup.exe
PID 3432 wrote to memory of 3756	3432	cmd.exe	vcredist2010_x64.exe
PID 3432 wrote to memory of 3756	3432	cmd.exe	vcredist2010_x64.exe
PID 3432 wrote to memory of 3756	3432	cmd.exe	vcredist2010_x64.exe
PID 3756 wrote to memory of 1176	3756	vcredist2010_x64.exe	Setup.exe
PID 3756 wrote to memory of 1176	3756	vcredist2010_x64.exe	Setup.exe
PID 3756 wrote to memory of 1176	3756	vcredist2010_x64.exe	Setup.exe
PID 3432 wrote to memory of 808	3432	cmd.exe	vcredist2012_x86.exe
PID 3432 wrote to memory of 808	3432	cmd.exe	vcredist2012_x86.exe
PID 3432 wrote to memory of 808	3432	cmd.exe	vcredist2012_x86.exe
PID 808 wrote to memory of 3720	808	vcredist2012_x86.exe	vcredist2012_x86.exe
PID 808 wrote to memory of 3720	808	vcredist2012_x86.exe	vcredist2012_x86.exe
PID 808 wrote to memory of 3720	808	vcredist2012_x86.exe	vcredist2012_x86.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\install_all.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2005_x86.exe
vcredist2005_x86.exe /q
2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3800

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2005_x64.exe
vcredist2005_x64.exe /q
2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
3⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1208

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2008_x86.exe
vcredist2008_x86.exe /qb
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1108

\??\f:\bbe19d3181f328979a264388\install.exe
f:\bbe19d3181f328979a264388\.\install.exe /qb
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2824

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2008_x64.exe
vcredist2008_x64.exe /qb
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884

\??\f:\146c0fd1d85f94a44c4c3e28e5\install.exe
f:\146c0fd1d85f94a44c4c3e28e5\.\install.exe /qb
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4324

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2010_x86.exe
vcredist2010_x86.exe /passive /norestart
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920

\??\f:\f5d3389bbbf4201e9ba767202c4e\Setup.exe
f:\f5d3389bbbf4201e9ba767202c4e\Setup.exe /passive /norestart
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3556

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2010_x64.exe
vcredist2010_x64.exe /passive /norestart
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756

\??\f:\dcc1fad07d9e46cd70503a822f\Setup.exe
f:\dcc1fad07d9e46cd70503a822f\Setup.exe /passive /norestart
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2012_x86.exe
vcredist2012_x86.exe /passive /norestart
2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2012_x86.exe
"C:\Users\Admin\AppData\Local\Temp\Beat Banger - SteamGG.NET\_Redist\vcredist2012_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{0F728FCC-AF00-4781-AB7F-7AEA15DF14A0} {DBEA78D7-694E-404F-81F1-05BEB6E84137} 808
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 984
4⤵
- Program crash
PID:5004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B4ECB20773E2BF2497AB9D2095E30882
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4364

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1C848D40F88B4CB9E6F0B1A2E9DB1179
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5828dc.rbs

Filesize
29KB

MD5
e9b82fab3d1b62be164846617afc68a3

SHA1
b88f2c3d8e8d52354fc1ae00160c5af123ee720c

SHA256
6c4f7e5a22a3ddd39dc937f23b02403acfa06db1a6c889c712aeb60306cfd4fc

SHA512
65f7389e89ae8b4075d72bbcfeb5b55c6f6fd596fb912ede54ef0e61bce1c86de3a93ba98c97cd26c6f5f744e3c1118aab67337ae11436e222d095db8684f1c7

Download Submit
C:\Config.Msi\e5828e0.rbs

Filesize
29KB

MD5
bfbf2b4f850970dd38edef023ca16adc

SHA1
dcafece3d4509df6de2914c844021161cc7540ad

SHA256
a8b1781eac42e9fe407c941865c4d9209b62529cafc068a49d17144408b07e70

SHA512
9f5626f1d7ea9b4dd06679b5bd94a0a7e01b5033d0865099e04aeb423852770c5a571cb476c9169a248b508c729ba9481dfc627a1c1eaed36fcd1aadeeee7240

Download Submit
C:\Config.Msi\e5828e4.rbs

Filesize
4KB

MD5
d84e36a6874474ba4e39691ff9c456d0

SHA1
2118e4cf65aa84dad5f2b069be209917d82c9df1

SHA256
6a9c5ec2f585adb29cc419dc37a6f589f3388982411216be2b20bef234ee9f27

SHA512
361791ee08b16464522ed6021f63505f4d572e3e9e76da51271cea941f47fa9c86a0a92ed288eec0c6d407808f1f5d19514a316b737d8bf6497c45f04cb93a33

Download Submit
C:\Config.Msi\e5828e8.rbs

Filesize
29KB

MD5
99b4e3799e8af54d08d60f997dc0fc76

SHA1
e915e22cbcdeb81c863c09913f7e3afb50535004

SHA256
cb576ec6fa275881bbf3326a794016d2026f99d942dc3ed2b836bad6549bf732

SHA512
11bd0be82d36e32c29435d13f0d891cbdc02a9d29b3b974bb6f166988cd419b727b3f7cbd2031926675d9d13e72a17cdde4ef6c68592eda4659542915982bb99

Download Submit
C:\Config.Msi\e5828eb.rbs

Filesize
4KB

MD5
5be2fd6cb5ec9223b16453e30893e6f9

SHA1
6cfb2c83a6145ee0240793f6e2ca455633d7bd0a

SHA256
f44a07ac8094068917c35f1f25ac5c133d9875b450e3f4b8e9e2bc6422a9964d

SHA512
bafb93a9706cc087fe5f2c71ebb8995122ac756a63606834ef1e4f44a42b13bbb1c55dc7d824803c8f033ee8f228d1dd4f8c7d4d28c2ae16ec963ec3d1f5951c

Download Submit
C:\Config.Msi\e5828ef.rbs

Filesize
29KB

MD5
323631757d1f685da41db19bfa45ce63

SHA1
7f744f2a0fc6611e06cfdf3c99c302cd0f3f1211

SHA256
c81167680f61ffb0838cc4d09937b0d651a72073d4511193c3587303434643d1

SHA512
a6d192cfbce32f775b1e1f66dffa79d1c2cc907f06da1d5305cf464d34bf86f3b7a5b24cdec87f1fa18bc864854d952ab5b0febcb25f7634a2db35b47f46013f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
247KB

MD5
cc064d4b81619991de8131a86ad77681

SHA1
88d80d86cc20c27d7d2a872af719300bd2bb73f9

SHA256
913ee5a1cae3e5a1872b3a5efaaa00c58e4beb692492b138f76967da671b0477

SHA512
5aff0eb26cfc187bf58721b2b6d73357d9f1e66d1ac5340ad9ddc08b40ad0eda27a144cb3b650604637a7476c282ded83ed890de98a73ccaf0cc021da3a9eb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
312KB

MD5
77a9bff5af149160775741e204734d47

SHA1
7b5126af69b5a79593f39db94180f1ff11b0e39d

SHA256
20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038

SHA512
bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
2.6MB

MD5
b20bbeb818222b657df49a9cfe4fed79

SHA1
3f6508e880b86502773a3275bc9527f046d45502

SHA256
91bdd063f6c53126737791c9eccf0b2f4cf44927831527245bc89a0be06c0cb4

SHA512
f534bc7bf1597e728940e6c3b77f864adfaa413bb1e080458326b692b0f96bddf4fbd294eeed36d7764a3578e6c8e919488bbf63b8fe2d4355ab3efd685424a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
3.0MB

MD5
6dbdf338a0a25cdb236d43ea3ca2395e

SHA1
685b6ea61e574e628392eaac8b10aff4309f1081

SHA256
200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb

SHA512
6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_20240902_193342813.html

Filesize
17KB

MD5
2b10c17ff24bf15f84b6c2d37840cfff

SHA1
e7a21fa8d25ed46a62b09e94c7dc36d5b19fac60

SHA256
e761d45cb819f0fb2f0fa94d65836b2eb7199a33f619e3786de0a5b7d276f5ed

SHA512
00f4697cce7b748480fab0fd725ef0426837e314d924edd3daac59abbcf83b15850a4901a1c97d8fde18619c437aaa53f152c1f60a76695d9c555fdbf054426c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWL6F30.tmp

Filesize
392B

MD5
fe35c6dff79dec66b2e9fb55209b78db

SHA1
0a0e8fcbf5b4bf71fd3a2f9b5f3ae2d93e72a51a

SHA256
82fa101c39eb8c799f24ebd09d9c440d27e16b387b605f27f61a94ef48be396e

SHA512
d6e6e6fcd14fcd47667794a29ead488694edb26868c2748abc51944271812185906b01927009f58d53a681a0d018e2ebd996f1c8b6fe66855adaa3ce5e745599

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWL7598.tmp

Filesize
392B

MD5
312ad0895283c19d790628a9ed5e7dc4

SHA1
1b845b54ec935840f5aed9876e2af70c501e7bd4

SHA256
d75895039eb5cb0aa12db46d7552ae4a8f8c0e89b90edd28827a3b1d4aab0e4b

SHA512
05e763e1bcfc7a790292a155d5581ed60f72ce7e2325b3c7513aa526fdb783d83acbffc196ac383635487e8b64772c0d54c8c7609f97a4488ec99b5e59b960df

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI61EE.txt

Filesize
2KB

MD5
e8a8ccc26546995167030aa35a852f7b

SHA1
50590ed44e84bb8daefae9af067b9bd134fdf739

SHA256
070471ea9e852d7f8182979f020d82c1594c64eb783da4dbba28d9c88594312b

SHA512
8064ccf12da6361d685ca36ae6102c4d58e52fd3a0c55e7c822c825ca1272b7b77dd761938898ec85179b3457596e9171d049c645aee86742bc2e81577181a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI61F1.txt

Filesize
2KB

MD5
12ca61866a5e8fc47abda935facae05b

SHA1
1f0e9545a3c35a18d556c84c2c366b9117aa2bb3

SHA256
81c6f34868c892f6587896c76489a9b009c1444fc0f1385ca9aa12619585e74b

SHA512
96dfebdb308bbae37a27e42b8df5687c6b03e8fb5be1cf1e47091f7affdeb8521654320e80ff2306a2eeb8d242edfcbfd824298d454a92a6fa1813de2d05af6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Installer\MSI2CE7.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
F:\146c0fd1d85f94a44c4c3e28e5\install.exe

Filesize
834KB

MD5
f0995d5ebde916fa146f51d324cf410c

SHA1
6a03e96a663051683b82601b5c7be72d72ecdb1c

SHA256
f0110ab02e8a531e3e7d196c03f907c659e6262c75861dc0c8d05f6a3ccbdd6b

SHA512
8a2ca604c06077a1c5a7ac9782ff6815a4ea1b152502707120cf5a8edddcda7c8d1a71e16c80305a3fa098acb6ecf158c770e6d0a9cb2e57a9d875fb935664b8

Download Submit
F:\bbe19d3181f328979a264388\install.exe

Filesize
547KB

MD5
4138c31964fbcb3b7418e086933324c3

SHA1
97cc6f58fb064ab6c4a2f02fb665fef77d30532f

SHA256
b72056fc3df6f46069294c243fe5006879bf4a9d8eef388369a590ca41745f29

SHA512
40cf2f35c3a944fca93d58d66465f0308197f5485381ff07d3065e0f59e94fc3834313068e4e5e5da395413ff2d3d1c3ff6fa050f2256e118972bf21a5643557

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
94fe6a57370aa2c05f0e9d5c3674ca31

SHA1
daf8483a20de2602b92c8565f728e07050947488

SHA256
3b07493ec532f0c561fd95c3c001019f9a1e512d6aefaf0460bd6e67ecb37096

SHA512
4e248b0eda0701400f634e4ab0bfd4bc2be51886603a4e274cb19fa2925b56c6aafe7da529fdb2cfae2856fa027405f9600fe07a2967e65ab96e172998639305

Download Submit
\??\Volume{38fc7460-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9fddf072-c750-47fe-ac78-a409838d6b3a}_OnDiskSnapshotProp

Filesize
5KB

MD5
7495ee5443569656576a133a98b65da2

SHA1
86bfc4c53e4411a202c2944e0d793485948bbe44

SHA256
a5dc93fa0783b825d87bd00c1ad1b8c80a2c9060ae0add8572a4be48f9a8d3b4

SHA512
144c065f5f49e66352fc3db7f35d6af573df6854addcb71a6fc0673b69ae6e51f83174486987aa59208cb7de4b77d6755465f98e706b903b9b274666ef3b42aa

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1028.dll

Filesize
70KB

MD5
d75cebdd99c3c2562ae2cbbb6a8b62e0

SHA1
0dcc32820df90db71429e6e91f962d94584313c4

SHA256
3b603f4847c32f21b4dfc949052ebadb0b191f6caac373e4936e47b27b96cd7a

SHA512
aad9ce212700b0135f230f4f8b48c2abf2516502b01c2a428f8e4177df1dbbd77e904892202fd257a9c8f97039c1caedb6f72103089ce2402a7868465729f58f

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1031.dll

Filesize
89KB

MD5
f937d452e3f75ea9c9983b5674793275

SHA1
2d6e30b23ccec84f0754cfc4c90ae909768f14bd

SHA256
a2b2334a1dcfd2eefdda5a1c357ca0a256c55c92a94f84204f8e2d6ca4e0bd82

SHA512
65a0753be4dc25be41eebcf3d55dfdae1dc8d69132d8c02bd0d5cea2c8e963e3bfdc562b6182f8ddadb72801bfb5d911314a292a47269e9c51ec2d7bb34abbfc

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1033.dll

Filesize
84KB

MD5
e8ed5b7797472df6f5e1dae87c123e5e

SHA1
71e203899c3faf5e9eb5543bfd0eb748b78da566

SHA256
6ad479dd35201c74092068cccd6d12fd84a45d2c04e927b39901a9126f9e06dd

SHA512
dfdd6bba404753f6afbc804551550bdc771eccc034c01f4c5149beb6d98424cf7b86fc63aac361a1840df9bc8365c726baab672055534620db70ca2c0e2e1b3e

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1036.dll

Filesize
90KB

MD5
b129551419e06befddaa3c38354ffc2a

SHA1
9896b9d778911e6f8bf5896160a5ce322b1e7b62

SHA256
87700397b469cb0ea59ae6534370218c42c9b9fba636741612a5300dd72ff530

SHA512
15de906c4a70b47bbcc0bcd5ab9dab9eabd746207b40957c00cba4fe328a310672d04868672a9e70986befe00f393e4b21420ea2cbccd1c18e1fa97a3d74b9b5

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1040.dll

Filesize
88KB

MD5
21b98229cf651ae83f213b6bf55f9660

SHA1
3a1a5e800194bf0889a2fb73f9f08f815d036556

SHA256
128b2be768e20129142af7f319cf7a761ead35ff311623d128a7b372033b9122

SHA512
0a1b8ca0469e322b9fdc0dbe4de8bb45ced13ff97ef156d3c84787cfbcb6264ccb46ef26fd135bfb848425aa77e3430a91b8753c8e1af1778880eddc3ff0b0fc

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1041.dll

Filesize
75KB

MD5
7cec13259a3b49959bef5856c3985458

SHA1
42f7a813a9175a4ea7e64800affc3a2043f1c201

SHA256
58a7d64dd55d6057e19c039abb1508920f6a33940f4612ac55a90fb74dfca28a

SHA512
13b272a062173f76a5c8b4c193abe67cb1c066e8a7f030177f4b26043c8f3824ba6da9c2cd9bb779330fc72c535d893f668fa186bf395864f1fcc021ae3f9dc8

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1042.dll

Filesize
73KB

MD5
37723237b2d38c4a4c996a91fd2da0a5

SHA1
b6f267299e309d0a39b359c19296598e4c23f93c

SHA256
05e79bf81fe87ba3db89950cea02ae78e3b7b1c2d6575f19df47c4f5d7888566

SHA512
9c4ac383f60829a56c1e2fc77b92db0325658b048271269eea7bf5a552a21222757852776b79b17b190d2961c0306ee2f9d8ad3a51aa58d1daca842ea6975d8c

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.1049.dll

Filesize
86KB

MD5
9536e2675dde8f2d6ea8c8e26b232f23

SHA1
4efa83f14458e3514a3ac3b1cdc2ae388bc78430

SHA256
386f3b2c5b6316963f353cf2bb3dba69ff6e82e2166c010a87813dd54637a49c

SHA512
e31ea9444263833ceedcc9f036cff5eab88f710716b7ddf2d25c98aa088454258c3f34fc664b39da084b2650aade89ff1369e240d1935697bb6949af828a5542

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.2052.dll

Filesize
69KB

MD5
d442fdaee21df6d1f8d3f5b37fce69a3

SHA1
978b32638c9a88f47b55ca6b52f510ed7babc1d6

SHA256
8eb88b40484b34fc712fae8a31a5e35042712ae57c9dddefd1e5746d949d5a03

SHA512
bbe32be6853400a9afb649a536b0a16524b06fdd6d8e5455ec387e3eced02172a9f5494b431deb90feb16ce73e67d3c11b56b43148c2936ed39e35077eb0bd15

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\install.res.3082.dll

Filesize
89KB

MD5
cc0e0618dcd3275de406316091806f77

SHA1
1ee7e9c4515ff276e2e91777b61e10d7fd74b6b3

SHA256
847bb5d0992fdbcfb90e00ba66fbe8992926d5d5b9b03f3cf1888ee8af600cf8

SHA512
140684e5e7541e40384441917f3d727f4385b5b4552821ed2e766b7abe4660c9c94084a0a1da1aa95afac83ca1b465b1363640eaef0e905a402aad88f09f8072

Download Submit
\??\f:\146c0fd1d85f94a44c4c3e28e5\vc_red.msi

Filesize
230KB

MD5
4aa5bbddbf6b2d1cf509c566312f1203

SHA1
0557e25cf4c2aa1bcb170707cd282ae864d93d17

SHA256
017e62a7a046acf00f5565e60f8eed4c5f409913e7ddc2f431d4236bbfdabab8

SHA512
e32fad32aefb70592eec56c55eaf65d6a6ed33939a6cabe7ff0ec33f91c4687001a41575ccfcac448c4739b2af4e309c2ec9e526104fb292d04aa8746dfad8f9

Download Submit
\??\f:\bbe19d3181f328979a264388\VC_RED.cab

Filesize
3.7MB

MD5
0ee84ab717bc400c5e96c8d9d329fbb0

SHA1
be4ba7bbb068c7256b70f4fd7634eaeb2ad04d0a

SHA256
461d575bc1a07f64c14f1da885d2f310bd282cbbedcd0a5cf8ffa7057411805d

SHA512
4a6b0619f471a51df09fb6c1eff4ed166cdb7ef57f79ffdf709fa952a7c2a176c338084689c8ace1a94024a24579e9ee0ab6d411c25a1b42b0f517c57749d1a2

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1028.txt

Filesize
3KB

MD5
f187c4924020065b61ec9ef8eb482415

SHA1
280fc99fb90f10a41461a8ee33dbfba5f02d059d

SHA256
cfa4f2c6c2a8f86896c5a6f9a16e81932734136c3dfde6b4ed44735e9c8115c2

SHA512
1d5a8e80fb6805577258f87c4efd7c26a9ac1c69f7dea1553d6f26bcc462d2d9c01d4b94077f70110a33b39648c9aa3bb685e10534f19ba832d475e9ee6aa743

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1031.txt

Filesize
15KB

MD5
3168ed3b48c1dc8d373c2abc036574cf

SHA1
7ffbcfb6cd9b262a0e9a55853d76055693f60c60

SHA256
3e4d78fcc11eecb23af12a4eaa316114bb36d39561f6062a3921c08a43261321

SHA512
9465640705c382bb736e468a2ffb303ecfb2637c55ddca759d1fb190279b98103def64a8c599deaa1439e58c41d7b2c2809332c2a5f18945e9ee3d6c046a5197

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1033.txt

Filesize
9KB

MD5
162fc8231b1bd62f1d24024bb70140d5

SHA1
7fa4601390f1a69b4824ee1334bee772c2941a24

SHA256
c68a0fd93e8c64139a42af4fcd4670c6faea3a5d5d1e9dd35b197f7d5268d92b

SHA512
a707b5ef0e914ba61e815be5224831441922ed8d933f7a2ffe8aecf41f5a1790a1e45981f19d86aa5eab5ea73d03b0c8e2ab6b9f398ab0154d1c828da6f6beda

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1036.txt

Filesize
11KB

MD5
c360851dfdf51b6ddc9cfcc62c584898

SHA1
f8fbe6b98039d01700dc49eb454bb1c1d8cc4aa6

SHA256
3456ebc9c6decef8b27b10d97f7f6d30a73b5da0024e1b8a0657e3b9a1cc93d9

SHA512
a340a7d98b4b6f925a803805224e733433e76230a36c4ab17e28f9d5951b81280d776153414701b29bb05b496b726932683e35fb603587d7ff5b716a88fece8d

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1040.txt

Filesize
13KB

MD5
04b833156f39fcc4cee4ae7a0e7224a1

SHA1
2ffa9577a21962532c26819f9f1e8cd71ab396bd

SHA256
ebafaeb37464ed00e579dab5b573908e026cd0e3444079f398aada13fa9a6f66

SHA512
8d3f6a900ebd63a3af74ab41ac54d3041de5fe47331a5e0d442d1707f72a8f557d93d2f527bbb857fb1c67dd8332961fd69acc87de81ba4f2006c37b575f9608

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1041.txt

Filesize
5KB

MD5
031fab3fb14a85334e7e49d62a5179fe

SHA1
12370185ef938a791609602245372e3e70db31be

SHA256
467773ddffdb3f31027595313b70d1ea934c828b124d1063a4aa4dbe90f15961

SHA512
7424a52bbb18a006816ee544d47f660e086557d13bb587d765631307da96aba56d8b9cd3d4e7d50c2a791815273910cef95ebe928bc03dd9c540b97ac7a86447

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1042.txt

Filesize
5KB

MD5
6fcd6b5ef928a75655d6be51555288c7

SHA1
eafdcc178343780b83f1280dad9d517aaedab9e4

SHA256
3d45f022996cd6d9ebb659a202fbfd099795f9a39ed4e6bbd62ac6f6ed5f8c7b

SHA512
635ba44d8d8ecfbdb83a88688126f68c9c607e452e67d19247dfe7c307c341dad9b1d2dc3eae56311c4b3e9617ab1ee2bd2a908570df632af6de1e1fa08bf905

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.1049.txt

Filesize
13KB

MD5
bc3a8865b60ec692293679e3e400fd58

SHA1
2b43b69e6158f307fb60c47a70a606cd7e295341

SHA256
f82bca639841fa7387ae9bbf9eca33295fab20fade57496e458152068c06f8a3

SHA512
0d9820416802623e7cd5539d75871447f665481b81758c08f392f412bc0fd2ef12008be0960c108d1c1ce6f26422f1b16161705104d7a582df6a1006b0d1b610

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.2052.txt

Filesize
3KB

MD5
ec4b365a67e7d7db46f095f1b3dcb046

SHA1
d4506530b132ef4aad51fcbc0315dadc110c9b81

SHA256
744275c515354ece1a997dd510f0b3ea607147bbf2b7d73f8fca61839675ba27

SHA512
5e5d1e196fc6ac194589bc6c6ab24e259aed8cbd856999390495fd5ec4211f212c6898e1b63538bfbb4401a5b4da08f3a2e09bca1cfb2e9c2cee38e63190b2a2

Download Submit
\??\f:\bbe19d3181f328979a264388\eula.3082.txt

Filesize
12KB

MD5
c2d1221cd1c783b5d58b150f2d51aebf

SHA1
3bc9b6419a5f9dcf9064ae9ef3a76c699e750a60

SHA256
c79ff7b9e67aed57f939343a3d5fd4fb01aa7412530693464571148b893b7132

SHA512
c4ec596814b408e3c0aaf98864e2769c6175dba020f3014dd79f0190d81812020c932afca449e6b8b35233f36f2ab2efad0dc8d0d68dccdb40f6715fb1d050b4

Download Submit
\??\f:\bbe19d3181f328979a264388\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\f:\bbe19d3181f328979a264388\install.ini

Filesize
841B

MD5
f8f6c0e030cb622f065fe47d61da91d7

SHA1
cf6fa99747de8f35c6aea52df234c9c57583baa3

SHA256
c16727881c47a40077dc5a1f1ea71cbb28e3f4e156c0ae7074c6d7f5ecece21d

SHA512
b70c6d67dac5e6a0dbd17e3bcf570a95914482abad20d0304c02da22231070b4bc887720dbae972bc5066457e1273b68fde0805f1c1791e9466a5ca343485cde

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1028.dll

Filesize
71KB

MD5
8c2c1df03574e935277addc6e151bdbe

SHA1
33f7eae718d6704ea99d7c7803207dbe0d1ea3a0

SHA256
1074252f76e72e59a9da9d7e109c80ab131d53554c49cb3d69a180729bffc18e

SHA512
735c438da7fd3e4e0e4738ac11c87a73ce3cacbaa24b21994ec76868e70fc485469337eb6e067e20bb92210995ffb3c385677fcc986c4c34f24bfde6b91ba0c8

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1031.dll

Filesize
90KB

MD5
6f22a8ecc5a917c61f1478ef4ad53949

SHA1
180c370698091e53f203d23eb6c839467deebfb9

SHA256
2c5fa53e6eb07bddc22c7c5203ff7bbe707c4cf8803f144ceb031384b59831aa

SHA512
8513f09da143983d436368c6067a62f1829d5d66776a168026f7562f8337d8e1bc8df2ff9ab421f4cc7d75757a0e9b8a75f3761c9e8aba7d0785d2fcb1b00a93

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1033.dll

Filesize
85KB

MD5
ff6003014eefc9c30abe20e3e1f5fbe8

SHA1
4a5bd05f94545f01efc10232385b8fecad300678

SHA256
a522c5ea3250cdd538a9ce7b4a06dfd5123e7eb05eef67509f2b975a8e1d3067

SHA512
3adc5c705bab7fa7b50517a5eb3301491f5150b56e1088ed436590458e963da204cd1875af75db89742403476a56a94c3f425c05327767bdb4bbee4859667ac2

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1036.dll

Filesize
91KB

MD5
4d431f94a7d0945f4a7f13b7988632aa

SHA1
61461b14b57382eebb3bf4621b7dadb0cb2475b3

SHA256
cb38381c0afdcb3465f71699addad7534ffd72702907b017708eba463dbc68b6

SHA512
e4197801c20dfce7dc14d5d74aa572de18954dceaaca77a75bf989427c6ff7d5889085e5c325376a993ad290ee43ab25e0f6bea074fed3d5158e0fd4c785aeca

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1040.dll

Filesize
89KB

MD5
ef1ccfe8572cdaaefb1940efbbff6d80

SHA1
b1d587c8fdb3ca82c320d08379ca7bd781253e3f

SHA256
709ab0139c643b78c2dace7a35b9801e1a4b4e4c4e176c0d00f1b55a2a71d7a8

SHA512
98538c82d56b6e0e9f0ca7cf47a6ce57e0acd18b2a64b90304a95a3c7270920efb835731272200afa16e45dfd461df94f95da04f39c2436915dc6969a4a0ebce

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1041.dll

Filesize
76KB

MD5
6bfb58958d58bf38e9242b2056392b8c

SHA1
f4c4653e061eb903ddae29f0d6a798db6ab5bdf4

SHA256
f74006aaa2a19777fb0c3b81321aabf00d87107dc23ba0d2282092502e5cd332

SHA512
672727552812c7d7b775896096d556851d6990b2d9c24c0e2c728f6c720b47c156d2ec2ce7ef23126fd222178969aff848f06568f695d154d6f7836ecf222d88

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1042.dll

Filesize
74KB

MD5
ba91e387d54b94689644ebd23ff264ba

SHA1
267b0af1774b6440cac00fad6524f277fde09457

SHA256
16fed8f279b0240f63dd90925150cd37782e9395af32a2693bdc0533c0809767

SHA512
79e818ffc57880a9881d771c0ea607d64a2cbdad29b28a270138d4d03edb8b026e7536e89396968c8454c56c740d198e67a75cac3e2447ca120b7cffefa4c0bd

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.1049.dll

Filesize
87KB

MD5
9aac6ce2ad6c7aee5481e46ddb0ad0dd

SHA1
dabd5e299a4595b1341f47313ac26c663d79a7c4

SHA256
3de25f7b3fd91a8d5b7f7dd8eccf44e24b33b66133fc89519d21a426b489374e

SHA512
97e00a50d3e8c8954854cc44f36049d63d8f1860e547a511feccf4214ff0560079b5512053aea4c2a40769d58738934d69c1a45186092ff11af1b907395dd126

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.2052.dll

Filesize
70KB

MD5
208f1260b7145b19434a8c95ff7c0474

SHA1
6a0a74affdc8f988873841b7073f428056a8aa5d

SHA256
f6d949f493cb9b1ba5ee053acc7363bc9675b9e8b3f25258080092001036e6f4

SHA512
2e9cf1ed7944a6246a2f3febee99d0a36759191664e83aee3c14424b64785a134fe9c50e9e5deaaab1095ae298a2f49aac2037f64a127d250af973a077a7e03a

Download Submit
\??\f:\bbe19d3181f328979a264388\install.res.3082.dll

Filesize
90KB

MD5
dbbe392a7536c76ec60a21e211eb3210

SHA1
e1cead8b1e0fd41e9ed79f4921c5e40c2d739dda

SHA256
8de447ae460de91144ec92381c8315a125b25020ac7601bbb721d56a92d0fd0f

SHA512
f725bc786076947874cc58b9591445064b3f133c75865bb1d661e95f29f1a9556447ee3f385a38f9438561e35e6cfa8208dbc938d3304c415cc25ed85c29f15d

Download Submit
\??\f:\bbe19d3181f328979a264388\vc_red.msi

Filesize
222KB

MD5
7e641e6a0b456271745c20c3bb8a18f9

SHA1
ae6cedcb81dc443611a310140ae4671789dbbf3a

SHA256
34c5e7d7ea270ee67f92d34843d89603d6d3b6d9ef5247b43ae3c59c909d380d

SHA512
f67d6bf69d094edcc93541332f31b326131ff89672edb30fd349def6952ad8bfd07dc2f0ca5967b48a7589eee5b7a14b9a2c1ebe0cba4ae2324f7957090ea903

Download Submit
\??\f:\bbe19d3181f328979a264388\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit