f783b6aeaa26edf1dc04f7b2e3458c13fa569fdfa26593bf6267bc185dc86b27

Analysis

max time kernel
68s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pcsx2-v2.0.2-windows-x64-installer.exe
Size

42.7MB
MD5

dc169e636f62b1eec51b4886af075c5d
SHA1

445b6d8c59fb11eb7d8d30ec51129572468a4473
SHA256

f783b6aeaa26edf1dc04f7b2e3458c13fa569fdfa26593bf6267bc185dc86b27
SHA512

105f8560252b93346b565159797c804c5c4c9848c892bf635565cfc85434c87cc88a247fda1e29707e52130b3371cf1ea6007ef712f203a08b72c264e6e176d3
SSDEEP

786432:2kCJgErixt5nQMbuoGAp0T+NmMr+KOgwQ+435XhtaHLvdgUwtTPZ:2WlnBzGApDNmMaKO8+U5RYHLv0PZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	pcsx2-qt.exe

Executes dropped EXE 5 IoCs

pid	Process
4596	pcsx2-v2.0.2-windows-x64-installer.tmp
3608	VC_redist.x64.exe
4764	VC_redist.x64.exe
1564	VC_redist.x64.exe
4084	pcsx2-qt.exe

Loads dropped DLL 33 IoCs

pid	Process
4764	VC_redist.x64.exe
5116	VC_redist.x64.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe
4084	pcsx2-qt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFFC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fbf4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e57fbf4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE26.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}	msiexec.exe
File created	C:\Windows\Installer\e57fc06.msi	msiexec.exe
File created	C:\Windows\Installer\e57fc07.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fc07.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI443.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI686.tmp	msiexec.exe
File created	C:\Windows\Installer\e57fc1c.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcsx2-v2.0.2-windows-x64-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcsx2-v2.0.2-windows-x64-installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	pcsx2-qt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	pcsx2-qt.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005d98d1691ddd1b040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005d98d1690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005d98d169000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5d98d169000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005d98d16900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	pcsx2-qt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	pcsx2-qt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810"	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\VC_Runtime_Additional	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Version = "237536274"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Version = "237536274"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\VC_Runtime_Minimum	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Provider	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\PackageCode = "0F1976868EAF8784585CF1DB265C6A81"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4084	pcsx2-qt.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4596	pcsx2-v2.0.2-windows-x64-installer.tmp
4596	pcsx2-v2.0.2-windows-x64-installer.tmp
3480	msiexec.exe
3480	msiexec.exe
3480	msiexec.exe
3480	msiexec.exe
3480	msiexec.exe
3480	msiexec.exe
3480	msiexec.exe
3480	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4084	pcsx2-qt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	436	vssvc.exe
Token: SeRestorePrivilege	436	vssvc.exe
Token: SeAuditPrivilege	436	vssvc.exe
Token: SeShutdownPrivilege	1564	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1564	VC_redist.x64.exe
Token: SeSecurityPrivilege	3480	msiexec.exe
Token: SeCreateTokenPrivilege	1564	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	1564	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	1564	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1564	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	1564	VC_redist.x64.exe
Token: SeTcbPrivilege	1564	VC_redist.x64.exe
Token: SeSecurityPrivilege	1564	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	1564	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	1564	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	1564	VC_redist.x64.exe
Token: SeSystemtimePrivilege	1564	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	1564	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	1564	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	1564	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	1564	VC_redist.x64.exe
Token: SeBackupPrivilege	1564	VC_redist.x64.exe
Token: SeRestorePrivilege	1564	VC_redist.x64.exe
Token: SeShutdownPrivilege	1564	VC_redist.x64.exe
Token: SeDebugPrivilege	1564	VC_redist.x64.exe
Token: SeAuditPrivilege	1564	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	1564	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	1564	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	1564	VC_redist.x64.exe
Token: SeUndockPrivilege	1564	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	1564	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	1564	VC_redist.x64.exe
Token: SeManageVolumePrivilege	1564	VC_redist.x64.exe
Token: SeImpersonatePrivilege	1564	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	1564	VC_redist.x64.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4596	pcsx2-v2.0.2-windows-x64-installer.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4084	pcsx2-qt.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 4596	764	pcsx2-v2.0.2-windows-x64-installer.exe	87
PID 764 wrote to memory of 4596	764	pcsx2-v2.0.2-windows-x64-installer.exe	87
PID 764 wrote to memory of 4596	764	pcsx2-v2.0.2-windows-x64-installer.exe	87
PID 4596 wrote to memory of 3608	4596	pcsx2-v2.0.2-windows-x64-installer.tmp	96
PID 4596 wrote to memory of 3608	4596	pcsx2-v2.0.2-windows-x64-installer.tmp	96
PID 4596 wrote to memory of 3608	4596	pcsx2-v2.0.2-windows-x64-installer.tmp	96
PID 3608 wrote to memory of 4764	3608	VC_redist.x64.exe	98
PID 3608 wrote to memory of 4764	3608	VC_redist.x64.exe	98
PID 3608 wrote to memory of 4764	3608	VC_redist.x64.exe	98
PID 4764 wrote to memory of 1564	4764	VC_redist.x64.exe	99
PID 4764 wrote to memory of 1564	4764	VC_redist.x64.exe	99
PID 4764 wrote to memory of 1564	4764	VC_redist.x64.exe	99
PID 1564 wrote to memory of 2480	1564	VC_redist.x64.exe	109
PID 1564 wrote to memory of 2480	1564	VC_redist.x64.exe	109
PID 1564 wrote to memory of 2480	1564	VC_redist.x64.exe	109
PID 2480 wrote to memory of 5116	2480	VC_redist.x64.exe	110
PID 2480 wrote to memory of 5116	2480	VC_redist.x64.exe	110
PID 2480 wrote to memory of 5116	2480	VC_redist.x64.exe	110
PID 5116 wrote to memory of 2412	5116	VC_redist.x64.exe	111
PID 5116 wrote to memory of 2412	5116	VC_redist.x64.exe	111
PID 5116 wrote to memory of 2412	5116	VC_redist.x64.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\pcsx2-v2.0.2-windows-x64-installer.exe
"C:\Users\Admin\AppData\Local\Temp\pcsx2-v2.0.2-windows-x64-installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\is-AUO9B.tmp\pcsx2-v2.0.2-windows-x64-installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AUO9B.tmp\pcsx2-v2.0.2-windows-x64-installer.tmp" /SL5="$6028A,43912770,787968,C:\Users\Admin\AppData\Local\Temp\pcsx2-v2.0.2-windows-x64-installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\is-FDU02.tmp\VC_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FDU02.tmp\VC_redist.x64.exe" /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\Temp\{02709114-F4DD-4B5C-89CC-5ED246FBCD73}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{02709114-F4DD-4B5C-89CC-5ED246FBCD73}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-FDU02.tmp\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=548 /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{AE929141-879C-4ACC-8579-2D2249A82304} {31E065F6-E202-4687-93FE-B85DD58416FC} 4764
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=992 -burn.embedded BurnPipe.{888C7EEF-D4F5-4E8B-A1E7-BEF7077D3DED} {979EEB11-F1E5-4C2D-801E-398703A95AA3} 1564
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=992 -burn.embedded BurnPipe.{888C7EEF-D4F5-4E8B-A1E7-BEF7077D3DED} {979EEB11-F1E5-4C2D-801E-398703A95AA3} 1564
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E52461A3-E396-4174-A8E1-2DB320B01092} {829273EE-5C08-4116-ABC1-62E73C8873B3} 5116
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\PCSX2\pcsx2-qt.exe
"C:\PCSX2\pcsx2-qt.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57fbf9.rbs

Filesize
19KB

MD5
0e1aa8a7d35101a232e325ea137614e2

SHA1
7eb7d9f9a0b17f664ec1ac72ab887d05f2978139

SHA256
3a79a7c7803a9c8fe3f12761fd6bbfe46376e6eb8eee35f638a09d938a545213

SHA512
e4fdc0d3a18460460c7ec4b2d9208b119533eb59e700b99e9360482f4349ce1ba0aa9fa43289cced631bf9354e2df45d27ed2b2123208f9cc298e409a4221e5c

Download Submit
C:\Config.Msi\e57fc05.rbs

Filesize
19KB

MD5
305730ac7f623dfb427fe315bafb4c16

SHA1
9f3c5a843bdc5cc3bfb9298bb05aa555e2d977b7

SHA256
e8eb977fa83c74502029be6a30f34a51bdf841c09d7f54ffff4b6335f05580b6

SHA512
f698e79d638cb33f1fd4af62b860f5142679b981c510060295ed2923ff058ccbdd981127e877f1ee1ebdb23eb88f7cd8ea8d1b36bb16ec055a66892331f7cc30

Download Submit
C:\Config.Msi\e57fc0c.rbs

Filesize
21KB

MD5
ad7336ac1bbaacebf8a7d367f5891d27

SHA1
3ddcf428968b8f1aabbe64204d3eb28228172352

SHA256
603fac642a0355b1bcb48e5fa1ccff77ebb8731189416873b64b6f9552051b51

SHA512
d8646cdf1dc9299bbf470873d6b981a5922ec8a4afd7460324f96ff9a59fa8a70dc73fff84ec92c862fd52505cd7d0667e0f1b1adebddfc048424c3790388e9a

Download Submit
C:\Config.Msi\e57fc1b.rbs

Filesize
21KB

MD5
fbaed5fb3985a6fc50bf868ad044dfa0

SHA1
60e5f22692953d9832cde211d9e81a296b7879d9

SHA256
a83a53ac12b52c7f523fbe34e0e31482384b07b5677b85fd25488ee5ae55635e

SHA512
68042100d7fbe7dd7a1d763cd8a4afb4c32832f430114ea3fb9bc296039ab02791d56c7b4ea21405e89eb4e5086a9d3e77d3315fd8bc6cbe66a1429cb02c6f71

Download Submit
C:\PCSX2\Qt6Core.dll

Filesize
5.6MB

MD5
97eb6c7667d5ab6c2ee274f9dcb8e21c

SHA1
9994af4f3463a673c6c33ab67d59cc517d2dd682

SHA256
8474b11782bc7effd12c512f7d7f4ad0659ca63e7255b6cfc94eb008505a2abb

SHA512
a46cbb70055f3441f605dfbdf5683167cf9b30430c1db58ac443f1ddd6717c3dd43e84c016ff7c6a74609f3b3a2c780f0c07b0e331176da70be58dea67d1d613

Download Submit
C:\PCSX2\Qt6Gui.dll

Filesize
6.8MB

MD5
794d9be66971441cc401b55d48ea200c

SHA1
3ef7d98f0669fbc090c29695801d6fa6fe807f88

SHA256
f8282a32842fabecec41c630baac27f072b7659aa7c4d4fbde44020ca4307196

SHA512
ff0a1b520ea291557a5999e657f0d7ec924f54d317efdc41bcb519fd96c765f60458012d46480b10e3196f48361c0266122c723fb5cd120d1353a5f3d9b2f127

Download Submit
C:\PCSX2\Qt6Widgets.dll

Filesize
6.2MB

MD5
16e112be741e52a0a35fe8b3f083b6b2

SHA1
64a354e03f53406999832de152691660642a4c81

SHA256
f6be2011f10c6fad324600f52e950fc1c37cd099431baca36768d5a206d556e0

SHA512
093549e290669e6cbfaddd64f46e2de3a9937174ef7c5ef5c5e42246641a38c8d06b4f81ef1cc33bc59b743b67a1c39fad4e548e794a13c1c73ed1f119b205e7

Download Submit
C:\PCSX2\QtPlugins\iconengines\qsvgicon.dll

Filesize
62KB

MD5
af50abf12749bd4a9eaf435f61c95b14

SHA1
111f78a2275ff8f3e42b5201855884b46342ced7

SHA256
217788101fffa65f04c613a0f654f9a27f070dbda027551eca1508a39f781e7d

SHA512
8279d95c5f0f6502b9066a3b214fe12bc4b96f1726251fa228ac497ff6dd87461fd5161edc95044be79c2cccece971d3e108ccaa89092d912391baa78c3fc53a

Download Submit
C:\PCSX2\QtPlugins\imageformats\qgif.dll

Filesize
35KB

MD5
8ed7b973394c7e866613e61907d126df

SHA1
4fa1d0d9cf29444ccc46ff07bdf1dfb883439c08

SHA256
601e728868ce8f94db76b220abcb37005a35fe76abea093dc606935f517c6133

SHA512
f9e7c969c60560c4cc2519eaefcd7c85406c38e1e1d767474e077a58a5938499fcf27b38aebed5352bf9a196fbd90eca39a271ab1f2633aba16282b1c279d036

Download Submit
C:\PCSX2\QtPlugins\platforms\qwindows.dll

Filesize
860KB

MD5
d7a2933d4d6e2ce3e9e0edf27f1948c1

SHA1
3b7c3295da2ce04a279d728869d8e68952620fa1

SHA256
2350703eb0d78f95a962a477ea4d8a0787e4cae14041fc4091081fdeb08f2ec0

SHA512
b554e5c4f61883be094ae279c2bf60ff1fdd6c735deb159d44e17bfb824c018a601e32eaf0926734f017268de2c095edee638707f53d23d57c11d33be0573765

Download Submit
C:\PCSX2\QtPlugins\styles\qmodernwindowsstyle.dll

Filesize
189KB

MD5
3a8e3ab46779064c88c096b90acbdfa6

SHA1
7a81775610398a1b73d030962d6f042242092983

SHA256
d472eafe44d621967130528632562632b4977fda299130212b25c13e1a62e800

SHA512
add1480c6cb8297448286fbbeb1a8ec6be2d4334b319899c95732242a4a405cce7367d8d2408d85681e41c784980cff194490f5609915654a37d059e52d3a578

Download Submit
C:\PCSX2\SDL2.dll

Filesize
3.0MB

MD5
667151d5f33d0fce8c591f94757eb96c

SHA1
aaf8991e9a94c8613ee6eba27926bf045338a613

SHA256
0e24a8ebccb31b8e05393d622f9f0fa1e4cd53f5e3215589bc2beab1190e2353

SHA512
6fd493e7bccba8643ebc7cbb95e26e20626e0ba89639f67d505fba9a0ea72eb99feb5b8b68f5ba4ddc85b854db369d5faf90bcb33ecdfe815a3e9451736816ba

Download Submit
C:\PCSX2\freetype.dll

Filesize
662KB

MD5
14f5faf21b8bba7bfa1406e64a61f275

SHA1
bf99cc59befae3f06b86edf0b1ece65e343bc305

SHA256
dc241988ebdb624c5e848df5aa076ec7b5b46e4f9351852fa7ca52e6bc1c498c

SHA512
f3578f4fba4b9685d07bc421676de0739b2bfc8b33d4736076301d9b77e3d3565c9b28a35688d638e0b9051314e563911916bd791a4d09785eddc372b7df3806

Download Submit
C:\PCSX2\harfbuzz.dll

Filesize
1010KB

MD5
b040b0a0d915feb5cddca321d2a8bf92

SHA1
0af653b0dbf09a238373a9e2fec7053feb8d10e5

SHA256
074e141f56d98726230230fd1f6850384003c8a7828d39d8e4958252458161a1

SHA512
1f52c5a38f67e1bba10bc014d608e17c11973f45d4b3daed99d91d79f8486734c1449274c784a4ae516b2f34e9da2a92801376116689fe428f40a4f0ab1be30e

Download Submit
C:\PCSX2\libjpeg.dll

Filesize
268KB

MD5
ed10d31a14b37983e121fcfb9b0d38f3

SHA1
a5dcffa434543bd5ea131d03edc11fefddd9530e

SHA256
8a70aab77156c13063b26a99ce099afd16748a3e909f6bc583dd7e71c0f14a6b

SHA512
4ad5264b1894543b4fb39d7e6cab3766576076bf89cc3bda13c5df01378c2ca8a26aab1a8131724cbf9d0f32ffd1fe6ccb0367e9fd84cc3eda06b075e4709701

Download Submit
C:\PCSX2\libpng16.dll

Filesize
197KB

MD5
8f43807e9d66f639c86de18bef714210

SHA1
c4bace37c0e2e8a2c1da3196bef665cd14168415

SHA256
136164b0954b240f21a21d436aa4f94b6c026a1ef908ec0e55fdabe2e5db9685

SHA512
9bc6bbcd14ba2184c31540d9a4d0afcedb5f96ec452c62a3c6fc84bd78f5710c7a78bfc6b186353cb5b676db98440ba3ddba6df0ce766e33a5776544bb12fc92

Download Submit
C:\PCSX2\libsharpyuv.dll

Filesize
25KB

MD5
9d5ae4a748046e3c441c3742c6f9b296

SHA1
0994980d1e28a551198223ddd593c36a1bc154e2

SHA256
94037e6859f10db614c2f92d42a69b1594df76926b2b7612bfca2509b367e13c

SHA512
bf756738177b36d862a72ae2b6eb9241cb28da250db7613a1e7ff3a02249c1960fae2bf75ce4da0f8649ddd83e4881048bf1e5e0837f84d1c55d6898a6d0a8f0

Download Submit
C:\PCSX2\libwebp.dll

Filesize
364KB

MD5
1fb6aa119b78477b8a86da4d50f527a3

SHA1
fc7caf3868c1f479566abb763e026179099bba1e

SHA256
fe9a33b8c5c47bfcc7288cc530f04dcaebc90bb085697d4892bd3b3b60e75e7e

SHA512
03b6931cc0f0e162af7049b64d095f82c39d58e08a10e863e534bb7452a6bf42e291fbe5a02686c95d8572fa3786428697a97e999ad655a92528354c5bfb7904

Download Submit
C:\PCSX2\lz4.dll

Filesize
122KB

MD5
6dc93432fad44e244a9b68c6412d4bfc

SHA1
7ecc65dc88ae131dfd4ebe79ab25190ac120eb58

SHA256
05a03311b3d8cc5b64ffc64ef86d39d916c9ea37d0656da7aec66d7d67c02859

SHA512
e04c288842760b88d5cd42930c00bdad1c6b594782da5626a343aa309cccd38a9497aaa0e20a1e88151a259f34e3bebf9b8dc00011f2766c3c54a7dbfebb7ce3

Download Submit
C:\PCSX2\pcsx2-qt.exe

Filesize
12.4MB

MD5
ed9b41932bf885464f4fd38d4e2c7b4f

SHA1
3bb25c6b7e1fe64dcbd5a2933659fb54dd4e6096

SHA256
0435dc7317d4ad294fe7139ec1a86902d75cd1fc19549de577adfad872575b2c

SHA512
2685d919e2a5d82cbd65706c8ff9fa9e71f0aee8f99ccc8052ea6f4ab68f22d09a048b7bb23de429067aa2cca96b80b9950fc8736421d3f231b1157f71f31156

Download Submit
C:\PCSX2\qt.conf

Filesize
30B

MD5
4785a110d3ebf963d103833748d50a47

SHA1
e30a239480b2c81fd3999ca95710e828f3266964

SHA256
da31ed085667c6c5ee067916cfd9dedfa1d414a0cfa3fcfd441196d94579f393

SHA512
b839503ef638f6c69e87511a9f0bf82dc105b55eaf43157e2566c6a54f3fbb5b4160f2a725fade73dfac803efcec1f3779720dea0e6bbf3bd911b5ec6364a969

Download Submit
C:\PCSX2\translations\pcsx2-qt_en-US.qm

Filesize
1KB

MD5
d6d74e7ad42f99156f8a8b8b7c6a135c

SHA1
d3c2d14caa18791227b42954db8de7d885d384f9

SHA256
3cf80f8b6c401ae7d283fce860df396e7979f3aa81b5001b3493016be04d1f90

SHA512
1d9a1ec194698a4df3c79cfeea5e255e3470850e34fc05e918fa9c059385a5bc86bac1e8f9d5680187675832d0349bb4782a541e6a804c3fa14331a50cbc2ef3

Download Submit
C:\PCSX2\translations\qt_en.qm

Filesize
33B

MD5
aaea7ba475c961f941d0a23488457beb

SHA1
2bf0054002c8f7d85dd080df332553bf9b3a8e26

SHA256
494ac9a2b2cb2fdeced353f4a9f898ed8dcf616e9bc667438c62681e3f7f79cf

SHA512
5b408c36c8f93f71e73e3d3b1c0c2ad699e92a6088604b8adf8e588e8a75fc3fc92828199b7f00f5b05b224ae819220d07e56d610a76a267594870bec77172be

Download Submit
C:\PCSX2\zlib1.dll

Filesize
88KB

MD5
c520b8e0455346d8c139bfeb2b118b65

SHA1
d68634f1cdd8d662868f8d45f3bf383c470a20bf

SHA256
a1856126c93b896f5d91fd51add266d40c951872fa2fe45a628b8c13d15a1425

SHA512
a8879832eae9ecc4080cf2b4886c872bcfb9c95fb289a84abc52a1bd4368430c4b248ae5e50acdcf6e4ac46491171fdade9057ebd872624388007d49197f935c

Download Submit
C:\PCSX2\zstd.dll

Filesize
638KB

MD5
714a420f8c5bf838a44bba7fd3ee1f85

SHA1
01bc83e1907fc04901c02212ad82ae51625505d6

SHA256
1e379c53e04292b1b667cba6e7e7286f0b347153bffc403fb323f9188bac0d7a

SHA512
79af8a176343c2bc5276db96595dede0cd1df0903c21fc54e5b8c0cf9668713c092a4e541a507de02ebc3fae39efae9d8c52f9c6bf028be7f9fa581dcfdd634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240925053850_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
cb5316f86ec093f825cfadbcf624fb04

SHA1
ecc485137da39e3bfc845584ba8206fb6d2f69a3

SHA256
b3bd336020945b7c73fbac45004132dacd48668c0d22dc403e0c4caa466215f1

SHA512
8f0ad4179ec628102cb96e47952c050619a727463afc154e61c54799978f3acc5464ff733761143a2c1638b2d38fea025705a3b6735c072c50ad14f89f2b9079

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240925053850_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
c2853a5f1b852f1630873bf5fe80f856

SHA1
edc23502148f18f70e91c6a742ad88134c62771e

SHA256
ead94d13b2f3cef480ea45157b2eb7ed632ab66f32bda08813a3b982d9392335

SHA512
ffa0c366119090f15b5d861c7fecccf61063da6701bce1ed42563edd63a56fe3b9b0082026a315586d40a84bebc489b6e805b59cfaf85c451a3a85c241a4ed69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AUO9B.tmp\pcsx2-v2.0.2-windows-x64-installer.tmp

Filesize
3.0MB

MD5
413ec02bcdfc01b22b79dd3d560a8d0e

SHA1
2aac1e84b721bd4a7f828f1ba4e8b362f09fb129

SHA256
40ddf02539bb953b673a36228693813ca0ea0711133681cbefd7cfde7938e0fe

SHA512
cc6c27f8be32f028de038ffff0b20d71cac746280c8f0bb143dd7320e6fd7fbe59f327cb39976797dd45e03fe0d572829e09fb99e0ac1fc06f9b972ba8680f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FDU02.tmp\VC_redist.x64.exe

Filesize
24.2MB

MD5
1d545507009cc4ec7409c1bc6e93b17b

SHA1
84c61fadf8cd38016fb7632969b3ace9e54b763a

SHA256
3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

SHA512
5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104

Download Submit
C:\Windows\System32\msvcp140.dll

Filesize
561KB

MD5
72f3d84384e888bf0d38852eb863026b

SHA1
8e6a0257591eb913ae7d0e975c56306b3f680b3f

SHA256
a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde

SHA512
6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6

Download Submit
C:\Windows\System32\msvcp140_1.dll

Filesize
34KB

MD5
34a0ee0318a6be3f4a17826e5c17f8e3

SHA1
5b252d10138d6666892ca9da1e1d95af24de1097

SHA256
91cd05c16c61c39788c47434602a59c17f5b08dbb3eee04ce85f8d5b70e8e604

SHA512
ffd28202e3dd91b89b7d3161f33243e52e8a0b59d31d917c3cd0005c1e97cc818d1ebba9a4971e602164d31b42448c8fef8d0204618ef4134255876c7bd7fe5b

Download Submit
C:\Windows\System32\msvcp140_2.dll

Filesize
262KB

MD5
0c462afe7502e3646086ea7783022c11

SHA1
b5a6f2d00b7903cf8f4d2ff26980e2ae612ade1e

SHA256
713f17b253d802d283d306ce75647e37d83a546aeb1a881e5d9e529e856c007e

SHA512
6b30815c46bd54778e649aea48f8de64b4b7c49123060737a0cbdb13888669672aeef244a1e16c7c8c8e0d1d2a480309f30d51d2ab11c4debb3ea67f9337e0d6

Download Submit
C:\Windows\System32\vcruntime140.dll

Filesize
117KB

MD5
caf9edded91c1f6c0022b278c16679aa

SHA1
4812da5eb86a93fb0adc5bb60a4980ee8b0ad33a

SHA256
02c6aa0e6e624411a9f19b0360a7865ab15908e26024510e5c38a9c08362c35a

SHA512
32ac84642a9656609c45a6b649b222829be572b5fdeb6d5d93acea203e02816cf6c06063334470e8106871bdc9f2f3c7f0d1d3e554da1832ba1490f644e18362

Download Submit
C:\Windows\System32\vcruntime140_1.dll

Filesize
48KB

MD5
2bd576cbc5cb712935eb1b10e4d312f5

SHA1
dfa7a46012483837f47d8c870973a2dea786d9ff

SHA256
7dd9aa02e271c68ca6d5f18d651d23a15d7259715af43326578f7dde27f37637

SHA512
abbd3eb628d5b7809f49ae08e2436af3d1b69f8a38de71ede3d0cb6e771c7758e35986a0dc0743b763ad91fd8190084ee5a5fbe1ac6159eb03690ccc14c64542

Download Submit
C:\Windows\Temp\{02709114-F4DD-4B5C-89CC-5ED246FBCD73}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d5a3fd8ad806f66d33d652d5913a95b3

SHA1
7b1bb6cdbe700acc2434dc52c40cdd96a6462a17

SHA256
cc001c20f85e16015e0d23eb0c3a9bc3c3cdcc1adda53f88ac77dd29705ba01a

SHA512
594d710133f44049546c62c3c89614415ad776c24f3ada0a8d1724e6daf27f941eba43a05a096d90cdf51ad51c02462edd6308e2aa393cb8325fde256ed77037

Download Submit
C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\cab5046A8AB272BF37297BB7928664C9503

Filesize
962KB

MD5
8eccd85b6c4273a28a54b0687feb6a96

SHA1
be791128af5713d407df2f7436ea8de1a80ca725

SHA256
8fafd6d0754ee53125902df1b67ef2db86eb7af4c097522f2fb58443501fecdd

SHA512
9fdcb359a5748d0d920e1e12cf31de42fa224840fd11e5878f7caff7c4495b4facacf1a58cdaf0caadd0d9a3af871870b755245d2c1af33f07f3229b85101da0

Download Submit
C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
5fc68510b7425822a9d0928567ffbd1b

SHA1
f506d97ceac3c435ce6bafda7c47d9a35fc57714

SHA256
7489cdde6a0c8aadb3253f22c460c2dc8099ba677f42d46b277f7040327c9b28

SHA512
4dd4d99ace30eb1add9ae225f159f68636d42d1899acb50f616717f05045e402a2bbb76e4d86569a08ae74bb161b3911a73910fcc7044429da34159cf6b9f473

Download Submit
C:\Windows\Temp\{B4C1965C-5632-4571-BE3F-24D940A40D4E}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
memory/764-8-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/764-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/764-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/764-724-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2412-644-0x0000000000540000-0x00000000005B7000-memory.dmp

Filesize
476KB

Download
memory/2480-682-0x0000000000540000-0x00000000005B7000-memory.dmp

Filesize
476KB

Download
memory/4084-764-0x00007FF73D2E0000-0x00007FF73E2E0000-memory.dmp

Filesize
16.0MB

Download
memory/4084-763-0x00007FFBF9A20000-0x00007FFBFA04E000-memory.dmp

Filesize
6.2MB

Download
memory/4084-765-0x00007FF73D2E0000-0x00007FF73E2E0000-memory.dmp

Filesize
16.0MB

Download
memory/4596-9-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/4596-10-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/4596-500-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/4596-6-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/4596-723-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/5116-681-0x0000000000540000-0x00000000005B7000-memory.dmp

Filesize
476KB

Download