73b6df0add9bc6b5792d274d316ecd70d636847db25ce6f3e63e77fb72369037

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
Size

28.7MB
MD5

a75bd304b668cfa64640b22e4c231349
SHA1

2a72f8bb89047305062d53337098c5e0573d9ff3
SHA256

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e
SHA512

60f35560be97a8674c5c1e1916340655f619702dc6d95cfa32a4c7fad284e27b45a5dda5fc79a2ce0d8e0a87583ca1caa0ecae54ece10a1f5abdd5b9cdc41471
SSDEEP

786432:kxZADx6Nw9CJarloXOqTIzauR93oSQkNd:t6N9c2XRPC93oLkf

Score

7^/10

discovery evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

spiceworks_redist.exeinstall.exespiceworks.exespiceworks.exe

pid process

4912 spiceworks_redist.exe
4188 install.exe
636 spiceworks.exe
3640 spiceworks.exe

pid	process
4912	spiceworks_redist.exe
4188	install.exe
636	spiceworks.exe
3640	spiceworks.exe

Loads dropped DLL 64 IoCs

Processes:

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exeinstall.exespiceworks.exe

pid	process
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
4188	install.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe
636	spiceworks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Spiceworks = "C:\\Program Files (x86)\\Spiceworks\\bin\\spicetray_silent.exe"	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe

description	ioc	process
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\activesupport-2.3.8\lib\active_support\vendor\tzinfo-0.3.12\tzinfo\definitions\America\Chicago.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\20110217224604_remove_ticketable_from_purchase_reports.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\forms\buttons\small\read_more.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\small\voipdevice.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\webrick\cgi.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\rdoc\markup\list.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\mail-2.2.14\lib\mail\elements\message_ids_element.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\indicators\group_type_built_in.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\small\computer_missing.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\httpd\error\HTTP_FORBIDDEN.html.var	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\rails-2.3.8\lib\rails_generator\generators\components\helper\USAGE	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\20100601212314_add_security_center_widget.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\217_add_open_ticket_counter_to_ticketables.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\portal\user-content.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\httpd\icons\index.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\snmp-1.0.2\data\ruby\snmp\mibs\ATM-ACCOUNTING-INFORMATION-MIB.yaml	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks-5.1.64998\bulk_purchase_import.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\075_add_ticket_mailman_templates.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\20110218155723_supress_warranty_widget_notification.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\codemirror\js\parsecss.js	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\forms\buttons\ask_question_hover.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\oauth-0.4.1\lib\oauth\request_proxy\typhoeus_request.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\httpd\icons\f.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\date\delta\parser.ry	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\soap4r-1.5.8\lib\soap\cgistub.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\forms\buttons\small\search_active.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\orange_round_close.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\layout\shadowAlpha.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\httpd\icons\a.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\prawn-core-0.8.4\data\fonts\Chalkboard.ttf	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\194_create_mail_servers.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\forms\buttons\add_account.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\rexml\encodings\SHIFT_JIS.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\oauth-plugin-0.3.14\oauth-plugin.gemspec	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_common-5.1.64998\vmware\internal_vim_25_api\VimClassesDriver.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\forms\buttons\close_request_disabled.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\large\dark\active_directory.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\layout\saving_text.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\javascripts\fckeditor\editor\dialog\fck_table.html	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_views-5.1.64998\purchases\graphs\_spiceworks_	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\i386-mswin32_90\io\wait.so	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\specifications\color-1.4.0.gemspec	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\activesupport-2.3.8\lib\active_support\basic_object.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\color-tools-1.3.0\lib\color\grayscale.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\mail-2.2.14\lib\mail\fields\content_disposition_field.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\nokogiri-1.4.1\lib\nokogiri\ffi\html\document.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\029_alter_manufacturer_names.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_db-5.1.64998\migrate\041_change_state_size.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\drb\extservm.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\medium\purchase.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\small\trash.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\transparent\information.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\layout\gradients\medium.jpg	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\forms\buttons\next_hover.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\snmp-1.0.2\data\ruby\snmp\mibs\SNMP-COMMUNITY-MIB.yaml	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\iframe_example.html	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\delayed_job-2.0.7\lib\delayed\performable_method.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_plugins-5.1.64998\auto_complete\_spiceworks_	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_plugins-5.1.64998\iframe_form_remote\lib\_spiceworks_	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\forms\buttons\search_disabled.gif	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\medium\network_device.png	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\pkg\gems\oauth-0.4.1\lib\oauth\request_proxy\curb_request.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\rexml\formatters\default.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
File created	C:\Program Files (x86)\Spiceworks\lib\ruby\1.9.1\rubygems\indexer.rb	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe

Drops file in Windows directory 62 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\WinSxS\InstallTemp\20241112062648653.0\atl90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.0\msvcm90.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.1\mfcm90u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648778.0\9.0.30729.1.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.1\mfc90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90chs.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.1\mfc90u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648685.0\9.0.21022.8.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648653.0	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\e58871d.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.1\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648669.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90esp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.1\9.0.30729.1.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648763.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648747.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.1\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.1\mfcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90cht.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.0\msvcp90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648763.0\9.0.30729.1.policy	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A25302D-30C0-39D9-BD6F-21E6EC160475}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90kor.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90rus.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648810.0\9.0.30729.1.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648669.0\vcomp90.dll	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648685.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648653.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648778.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90jpn.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90deu.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.0\msvcr90.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648747.1	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648716.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648685.0\9.0.21022.8.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90ita.dll	msiexec.exe
File created	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648810.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.1\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90esn.dll	msiexec.exe
File created	\??\c:\Windows\Installer\e588721.msi	msiexec.exe
File created	\??\c:\Windows\Installer\e58871d.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648716.1	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648669.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648669.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat	msiexec.exe
File opened for modification	\??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241112062648778.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648810.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648653.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648716.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90fra.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8901.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648763.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241112062648747.0\mfc90enu.dll	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

install.exenetstat.exespiceworks.exespiceworks.exe595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exenetstat.exespiceworks_redist.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netstat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spiceworks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spiceworks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netstat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spiceworks_redist.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

netstat.exenetstat.exe

pid process

4628 netstat.exe
4296 netstat.exe

pid	process
4628	netstat.exe
4296	netstat.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 41 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e0049004000790043006a0027006200720045003400710030004c0044006f0059004c007e006600580000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0063002e00410078003f007d0058003200710034003900530045006800470072004b0038007400360000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e006500720069002d002e003800540052004600340074006d00310053006a006d00350059005d00380000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\VC_RED_enu_x86_net_SETUP	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\PackageCode = "6C7E9C94F9A4F6E4EA39E910D4A1AC39"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Version = "151025673"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\VC_Redist_12222_x86_enu	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net\1 = "c:\\d534a68ad1f11259ef2d922de691\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media\1 = ";1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e00390032002c002b004b006e00240039002e0037006d0024006f0066007000790021004b007400620000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d004f00700050006d00360078002b0044003400700061006d006600580031006f00390032007a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_ATL_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\AuthorizedLUAApp = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\PackageName = "vc_red.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e006b0027005600490037006f00520050007e00370055003d006f0029006d00730026002c003300420000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.OpenMP,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800380036003e004d0039002c004f005500350063004d0078003400660069003f00660040007b00300021004400480000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFCLOC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800380036003e0040006500650034004900600034006b0069003500590047006500590051006300340025007700780000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_CRT_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e007900590067002500610066004a005700640037003800700038006d007200570035002b004d00660000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800380036003e004d0072004e0075004700740065007d0054003400240066006f0062004f005000340040004d004d0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057\SourceList\LastUsedSource = "n;1;c:\\d534a68ad1f11259ef2d922de691\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_MFC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_MFCLOC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\FT_VC_Redist_OpenMP_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exemsiexec.exespiceworks.exe

pid	process
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
3776	msiexec.exe
3776	msiexec.exe
636	spiceworks.exe
636	spiceworks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

netstat.exeinstall.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4628	netstat.exe
Token: SeShutdownPrivilege	4188	install.exe
Token: SeIncreaseQuotaPrivilege	4188	install.exe
Token: SeSecurityPrivilege	3776	msiexec.exe
Token: SeCreateTokenPrivilege	4188	install.exe
Token: SeAssignPrimaryTokenPrivilege	4188	install.exe
Token: SeLockMemoryPrivilege	4188	install.exe
Token: SeIncreaseQuotaPrivilege	4188	install.exe
Token: SeMachineAccountPrivilege	4188	install.exe
Token: SeTcbPrivilege	4188	install.exe
Token: SeSecurityPrivilege	4188	install.exe
Token: SeTakeOwnershipPrivilege	4188	install.exe
Token: SeLoadDriverPrivilege	4188	install.exe
Token: SeSystemProfilePrivilege	4188	install.exe
Token: SeSystemtimePrivilege	4188	install.exe
Token: SeProfSingleProcessPrivilege	4188	install.exe
Token: SeIncBasePriorityPrivilege	4188	install.exe
Token: SeCreatePagefilePrivilege	4188	install.exe
Token: SeCreatePermanentPrivilege	4188	install.exe
Token: SeBackupPrivilege	4188	install.exe
Token: SeRestorePrivilege	4188	install.exe
Token: SeShutdownPrivilege	4188	install.exe
Token: SeDebugPrivilege	4188	install.exe
Token: SeAuditPrivilege	4188	install.exe
Token: SeSystemEnvironmentPrivilege	4188	install.exe
Token: SeChangeNotifyPrivilege	4188	install.exe
Token: SeRemoteShutdownPrivilege	4188	install.exe
Token: SeUndockPrivilege	4188	install.exe
Token: SeSyncAgentPrivilege	4188	install.exe
Token: SeEnableDelegationPrivilege	4188	install.exe
Token: SeManageVolumePrivilege	4188	install.exe
Token: SeImpersonatePrivilege	4188	install.exe
Token: SeCreateGlobalPrivilege	4188	install.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exespiceworks_redist.exe

description	pid	process	target process
PID 2664 wrote to memory of 4628	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	netstat.exe
PID 2664 wrote to memory of 4628	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	netstat.exe
PID 2664 wrote to memory of 4628	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	netstat.exe
PID 2664 wrote to memory of 4912	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks_redist.exe
PID 2664 wrote to memory of 4912	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks_redist.exe
PID 2664 wrote to memory of 4912	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks_redist.exe
PID 4912 wrote to memory of 4188	4912	spiceworks_redist.exe	install.exe
PID 4912 wrote to memory of 4188	4912	spiceworks_redist.exe	install.exe
PID 4912 wrote to memory of 4188	4912	spiceworks_redist.exe	install.exe
PID 2664 wrote to memory of 4296	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	netstat.exe
PID 2664 wrote to memory of 4296	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	netstat.exe
PID 2664 wrote to memory of 4296	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	netstat.exe
PID 2664 wrote to memory of 636	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks.exe
PID 2664 wrote to memory of 636	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks.exe
PID 2664 wrote to memory of 636	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks.exe
PID 2664 wrote to memory of 3640	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks.exe
PID 2664 wrote to memory of 3640	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks.exe
PID 2664 wrote to memory of 3640	2664	595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe	spiceworks.exe

C:\Users\Admin\AppData\Local\Temp\595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe
"C:\Users\Admin\AppData\Local\Temp\595539b2009fdf8e53a409f7a21b779e7a670ca61f0a8dc216b226d753a54e6e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\netstat.exe
  netstat -an
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\spiceworks_redist.exe
  "C:\Users\Admin\AppData\Local\Temp\spiceworks_redist.exe" /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4912
- - \??\c:\d534a68ad1f11259ef2d922de691\install.exe
    c:\d534a68ad1f11259ef2d922de691\.\install.exe /q
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- C:\Windows\SysWOW64\netstat.exe
  netstat -an
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:4296
- C:\Program Files (x86)\Spiceworks\bin\spiceworks.exe
  "C:\Program Files (x86)\Spiceworks\bin\spiceworks.exe" httpdcert
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:636
- C:\Program Files (x86)\Spiceworks\bin\spiceworks.exe
  "C:\Program Files (x86)\Spiceworks\bin\spiceworks.exe" httpdconf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e588720.rbs

Filesize
25KB

MD5
4bf892160d2c79aa9e0b7c8da91912ff

SHA1
bb0708ecdfd7a441dd7453cfb65033380dbd25c0

SHA256
6a7474d99a980da6d612ef31dd81cdc57b3ef888d6c8660320f0fda88b99814c

SHA512
3e1bc98fc308c4fed5d56c82afbe363a46edf4cf282b866b795669efd9e65ef5454d6f53df83737f96597c907d6ca84fb6d21885c3a7378dbb0c86bf9fbddd2e

Download Submit
C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\large\dark\switch.png

Filesize
2KB

MD5
7188be64cbe9cf3add71b9bb55f71dfd

SHA1
5b9a79cf51d135cbcef3e95bd72a970df1d0a552

SHA256
5765140784f05edda05252fb5588d54614de4fc26adf4aa0e9472e792caea388

SHA512
dbdf484f20109034457bf65f2193db11093579a641146c0618f76f1eb9da978a2dd1dde0c32807c4d4c8b9f7da674df894cc74654f6c3780f983307b88181257

Download Submit
C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\medium\dark\switch.png

Filesize
1KB

MD5
615d2f8d277eec799de0de880604c293

SHA1
f46bf26187ebcdfcce6a68378650b57587e59b6e

SHA256
88736d644691094406ff0d87c87b53f8853625e951194e857005bfcab398d45b

SHA512
de0d4be7ea7f9e7d584b9c2402cf75da6ba36deb9f133fc976a2083a658af06f991c92d8d1d372255593ad43200823dbfc1d2003067505fd71807740169b9f3b

Download Submit
C:\Program Files (x86)\Spiceworks\pkg\gems\spiceworks_public-5.1.64998\images\icons\small\dark\switch.png

Filesize
625B

MD5
62ba0e4b3496d0897c41443f142be136

SHA1
c4e716ebcc27daaf01f73bfc39f2fc3fb04ba646

SHA256
fae985573e012588febb84b099deb4678ea9b68708b23c7f65be414452188481

SHA512
8ecf4aa38d8a80bb7d652b39c26708f8a8a41cad1b9b1aebdde23ff44543eb291edc19e1d597cc5419c5881d02507ff4d1d3cde53a2c508c4f0c0cf5a6619ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3321.txt

Filesize
1KB

MD5
de59c63af39264d935822d50d245216d

SHA1
5624883e970b7aacdad6ad3f424f6b1088d8eafe

SHA256
fe9d5d600f146a85380768036760c98a6202825d1bb9b0bd93adba2bcd48db84

SHA512
cbce259eb62a04cef491f34b56089967f4176dc7cf64942f22e74f8151dcf5e80f80a00bf259b2482c41ba8b37691dbc5baa920f70e7349465d0eff0c19f2b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\ioSpecial.ini

Filesize
370B

MD5
54edf9371817b090cd2d1cb84949a81b

SHA1
9a0a56d624b39d713bf4ca2aa4b3c7400eca63ce

SHA256
dda2a0b2c009f506c54ec4ca125c5406774594e03b6e4c7094a77f016e7d70a4

SHA512
5b21cf2659b92d2ebf996fd3980b6cbfaf97d53e55edd8c00dd11cb91f07c6fce7b633b2cfea99273d2ea3500e5c9178157f81cbd0b253dfdde43547a91ec195

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\ioSpecial.ini

Filesize
700B

MD5
81936aef29f2dc1b8e11ea4645d4be5f

SHA1
0a114660c07794d440b47fa417c269b5d646ed34

SHA256
677818b8c31262a9c15f12071c4561e31d365f6270342fcc62d28ceef7931d96

SHA512
70d4035048f19f2472bc51d1c8dda0883fa032167ef253c64f3ac60340f196d3862ce5c60e3c846356f3eb2b11bbe374c8c65b0240d18a61509e6a51f922d144

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\ioSpecial.ini

Filesize
789B

MD5
8644b70880eea293238ed161c33ddb2d

SHA1
171e36a9c9f337fdf0d88b21f7dc11c63a897498

SHA256
5ecef85358bf84dd8a18a48393bae5309878909bafa1ee4fe7540c6decddfd1f

SHA512
5a7b371ebdbaf7b7a11ad7cce70d4276f55f591a97f503362deefb72a646fd21b2f4d085aadf0553bf162076239bfc089a893f1f871d1dc4cedd750b0d2cb76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\ioSpecial.ini

Filesize
756B

MD5
b08bbbc03d4f61221c1d4e3ac9944da1

SHA1
136f0da8a4a3b7033fd95b3cc00608998d97dd79

SHA256
a15f262667b65905580b15410c3f9f015ea4ae8f02abc1d25bab08da3687f2ac

SHA512
7dd946340a11b6679a40903245bd36e60b4c38524f5cefc8be09992616f828219fe0a55491bdc942abe206d9f7225c637de6ade8077d940c7128921cf4e5d3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\ioSpecial.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\ioSpecial.ini

Filesize
1KB

MD5
cde579b9c6be2e2f788087101b0fc9fc

SHA1
3f6ac75c96537298021b8ef02b68d63e97a21c6b

SHA256
27c6ade19ec25068b4c14de715fa33dcee3b027927c262839c85e6b0f6218a41

SHA512
9370fbf74b9f990870f28f2fbfde7e8caeb08dbd5af94dfedcc32329fb84603c434f791eba64618e541f7d2f6042d3940fd149d696fb79246efd80be34dc5b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\loadlibrary.dll

Filesize
32KB

MD5
6544da0acb2327b8aa1bc56f13cd1d47

SHA1
a70391b3cc5c821224118813e995b52328d7f829

SHA256
bf2ea3338ee0be10faa4048e9addd028a6c56db33c6113588522ccaa55533602

SHA512
b83b5f9314409247eae8127697a0dd6cdabeb23192df84e8a9334ba1d0917ade242eb7ab8e384338fe9657146aa1329e1eabf80626352fd4c3c356f6ba7c7f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskB97E.tmp\spiceworksprocess.dll

Filesize
48KB

MD5
8b1adf175fa3cf7567a6f204b871b0cb

SHA1
07e0697e78bf4f03a1f5a071a82867c83e1d904c

SHA256
02b3327dbff567e4dd982fca38495542b73a438f96806b6e9bb09da56e5976e1

SHA512
368e200741d1fb2320a45b5f874de5bb1524c033efba376c23da765cd24da7ea4e592b6ed24a6333cf4b7fa1e36fca40c92bdf7b560ea1d802b784984fa4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\spiceworks_redist.exe

Filesize
4.0MB

MD5
5689d43c3b201dd3810fa3bba4a6476a

SHA1
6939100e397cef26ec22e95e53fcd9fc979b7bc9

SHA256
41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

SHA512
4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

Download Submit
C:\d534a68ad1f11259ef2d922de691\install.exe

Filesize
549KB

MD5
33c9213ff5849ef7346799cae4d8ac80

SHA1
5421169811570171e9d2d0a1cdca9665273e7b59

SHA256
3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff

SHA512
da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\VC_RED.cab

Filesize
3.7MB

MD5
ecca3c1acb74cb73c600eabdd3f9c9d9

SHA1
f015759f623c377494a5996670204f1fcd0895e3

SHA256
43b7648183347374236296f2176c7c7da920da9c1a08adda761e12614efb299e

SHA512
2785b8e8cfc310ec114cee696c5b85900fc71186dcbf0c99a9c13f4f0fdcc9e9dd583c9d1fd82492a680efcd7071c3593b02b628bd947bc19b1302b931aca807

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1028.txt

Filesize
3KB

MD5
f187c4924020065b61ec9ef8eb482415

SHA1
280fc99fb90f10a41461a8ee33dbfba5f02d059d

SHA256
cfa4f2c6c2a8f86896c5a6f9a16e81932734136c3dfde6b4ed44735e9c8115c2

SHA512
1d5a8e80fb6805577258f87c4efd7c26a9ac1c69f7dea1553d6f26bcc462d2d9c01d4b94077f70110a33b39648c9aa3bb685e10534f19ba832d475e9ee6aa743

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1031.txt

Filesize
15KB

MD5
3168ed3b48c1dc8d373c2abc036574cf

SHA1
7ffbcfb6cd9b262a0e9a55853d76055693f60c60

SHA256
3e4d78fcc11eecb23af12a4eaa316114bb36d39561f6062a3921c08a43261321

SHA512
9465640705c382bb736e468a2ffb303ecfb2637c55ddca759d1fb190279b98103def64a8c599deaa1439e58c41d7b2c2809332c2a5f18945e9ee3d6c046a5197

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1033.txt

Filesize
9KB

MD5
162fc8231b1bd62f1d24024bb70140d5

SHA1
7fa4601390f1a69b4824ee1334bee772c2941a24

SHA256
c68a0fd93e8c64139a42af4fcd4670c6faea3a5d5d1e9dd35b197f7d5268d92b

SHA512
a707b5ef0e914ba61e815be5224831441922ed8d933f7a2ffe8aecf41f5a1790a1e45981f19d86aa5eab5ea73d03b0c8e2ab6b9f398ab0154d1c828da6f6beda

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1036.txt

Filesize
11KB

MD5
c360851dfdf51b6ddc9cfcc62c584898

SHA1
f8fbe6b98039d01700dc49eb454bb1c1d8cc4aa6

SHA256
3456ebc9c6decef8b27b10d97f7f6d30a73b5da0024e1b8a0657e3b9a1cc93d9

SHA512
a340a7d98b4b6f925a803805224e733433e76230a36c4ab17e28f9d5951b81280d776153414701b29bb05b496b726932683e35fb603587d7ff5b716a88fece8d

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1040.txt

Filesize
13KB

MD5
04b833156f39fcc4cee4ae7a0e7224a1

SHA1
2ffa9577a21962532c26819f9f1e8cd71ab396bd

SHA256
ebafaeb37464ed00e579dab5b573908e026cd0e3444079f398aada13fa9a6f66

SHA512
8d3f6a900ebd63a3af74ab41ac54d3041de5fe47331a5e0d442d1707f72a8f557d93d2f527bbb857fb1c67dd8332961fd69acc87de81ba4f2006c37b575f9608

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1041.txt

Filesize
5KB

MD5
031fab3fb14a85334e7e49d62a5179fe

SHA1
12370185ef938a791609602245372e3e70db31be

SHA256
467773ddffdb3f31027595313b70d1ea934c828b124d1063a4aa4dbe90f15961

SHA512
7424a52bbb18a006816ee544d47f660e086557d13bb587d765631307da96aba56d8b9cd3d4e7d50c2a791815273910cef95ebe928bc03dd9c540b97ac7a86447

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1042.txt

Filesize
5KB

MD5
6fcd6b5ef928a75655d6be51555288c7

SHA1
eafdcc178343780b83f1280dad9d517aaedab9e4

SHA256
3d45f022996cd6d9ebb659a202fbfd099795f9a39ed4e6bbd62ac6f6ed5f8c7b

SHA512
635ba44d8d8ecfbdb83a88688126f68c9c607e452e67d19247dfe7c307c341dad9b1d2dc3eae56311c4b3e9617ab1ee2bd2a908570df632af6de1e1fa08bf905

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.1049.txt

Filesize
13KB

MD5
bc3a8865b60ec692293679e3e400fd58

SHA1
2b43b69e6158f307fb60c47a70a606cd7e295341

SHA256
f82bca639841fa7387ae9bbf9eca33295fab20fade57496e458152068c06f8a3

SHA512
0d9820416802623e7cd5539d75871447f665481b81758c08f392f412bc0fd2ef12008be0960c108d1c1ce6f26422f1b16161705104d7a582df6a1006b0d1b610

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.2052.txt

Filesize
3KB

MD5
ec4b365a67e7d7db46f095f1b3dcb046

SHA1
d4506530b132ef4aad51fcbc0315dadc110c9b81

SHA256
744275c515354ece1a997dd510f0b3ea607147bbf2b7d73f8fca61839675ba27

SHA512
5e5d1e196fc6ac194589bc6c6ab24e259aed8cbd856999390495fd5ec4211f212c6898e1b63538bfbb4401a5b4da08f3a2e09bca1cfb2e9c2cee38e63190b2a2

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\eula.3082.txt

Filesize
12KB

MD5
c2d1221cd1c783b5d58b150f2d51aebf

SHA1
3bc9b6419a5f9dcf9064ae9ef3a76c699e750a60

SHA256
c79ff7b9e67aed57f939343a3d5fd4fb01aa7412530693464571148b893b7132

SHA512
c4ec596814b408e3c0aaf98864e2769c6175dba020f3014dd79f0190d81812020c932afca449e6b8b35233f36f2ab2efad0dc8d0d68dccdb40f6715fb1d050b4

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.ini

Filesize
844B

MD5
5feaa6a36fea7dfdb88c18d69ba6d6a9

SHA1
7afd91a7b046d68b6ee9fd367bcd7a4fec546216

SHA256
67a50ffbb8a1d500eaa4d9f0227d6a8595a2750154e6b31662fc4f51286e47fc

SHA512
6c8c0456f232a02a49d51b3f1a830a18b9078e621cd0dc3f4f76f79b83035e8affac67bce3af9a37fa9096a34a8499c59cf982b63a4b2400b9190d2db293e682

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1028.dll

Filesize
74KB

MD5
5e7e93fb7b9d36665b10be97703dafe5

SHA1
17b42892768e9742920febf70e9214997e3f04ef

SHA256
b8f0f576199e32fd906538537c8da052ee666a91ef971c577a53fd715e544604

SHA512
8f2828606ae34a691be77cdc5dc20f3aeb641bb24742fac04860a6f847c42cdc8453b8e5f9722f7b016438849c2b57fc8ea9b41111b69ffed30624e16824a1d6

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1031.dll

Filesize
94KB

MD5
a1157142485b86985c03e26add533201

SHA1
05320791cdf33ff3a9989396f6b54172b2d7d0ee

SHA256
94779d2272a18a0340156225485aab95d0473aef478442dfe392d11b7e6f41db

SHA512
3fa2b3c4c57e071f24cdd02fc53dca5206370c8161cd9ba7b95fa8a9bce9e5268f3f7824908f93df7a087afd38425219447339f40908ffc9b1d593d063ae21c1

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1033.dll

Filesize
89KB

MD5
8e97ea8a1ed69806232e8743f9a28706

SHA1
e911d3802e64f9be0e1ac68865bbcc92624d6a1f

SHA256
2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100

SHA512
aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1036.dll

Filesize
94KB

MD5
cbf6e77d932688970a28328ca5263501

SHA1
b1d469e921ba90df15760943f228ebb2cbc55792

SHA256
3ffe888bc0bbe9bb81369b49171d532839fbea931d8553371e857df6ef815c13

SHA512
eeb2773960f7ecf9e87b5225cc730651388fab7dadda766a38d345f051ce2cab7027ac6c7286092e86f71c67b8c8a8c01c3808f205082280ad051fcba96358c9

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1040.dll

Filesize
93KB

MD5
dcca7196203d338b41ead5e1418c6a92

SHA1
44267accc8577f093abc77dff8d5f7ff25c343b2

SHA256
c2a81077da2201d180bd5496129ea6bcfc5930d8a6d256babdb9a552b1a597d2

SHA512
13e934786445067be1c9eca38587dc55e294b2df6e1a16d13c584dc3c031126314047c007ecbc4548aa9bbe1f1021f19cd6b639fc66f43ef9465f4c4c10df049

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1041.dll

Filesize
79KB

MD5
0fcc2f2bf7c18392514413a3c2a5ec5a

SHA1
bf7f494336589b8763b0936f0558749dbb407c4b

SHA256
11c111b3f24ba7d197007fb572b9f77e7d6f58c290de239a08f287c2aeb3b89d

SHA512
c704d1264fd2a106487baf87f6db054862bb31576b0716fe1570eca46ba90519c23c3246852c6b33ec1cf1fc6ff1529b163ff38ec9d32c5eb588585545fcb596

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1042.dll

Filesize
78KB

MD5
d276d0c01bf44cb781ff5d293676674b

SHA1
f96e3a9bbac867b4dd9b24312845a852a5b44ed4

SHA256
d6f45cb0308e3790b0d819cae9d87e61d79468414ce7f78bd41e7289fc832945

SHA512
46100a058157b8435633bf0fc6a2c92086d74c60e480e0faa016e7aaba848e16c2431e48b83e738c28e3a393592ff6cc27b7a2c2a55ff6d94494cf83686175c7

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.1049.dll

Filesize
91KB

MD5
2e57ae4186f17be4148077ffe8212a27

SHA1
edad955ab3deef258c354d134b5a3443369f85f8

SHA256
ac9ef02d54eb87a5bc2bc8c77a6497853072ff37e7e82495ef8d79f6a5af07e3

SHA512
b2f239253866aab26cb1ab8a90f89ff90553cdb5897bba2ebf0e08eefb5a975c68bf7904f15b09e33777718478e3cc1a074dff8d8ddacc8a56b675adf125443b

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.2052.dll

Filesize
74KB

MD5
4b8d230ccfadf8a2d3ea4b1512238292

SHA1
53793dde6106277c33367de5cf361f79a52692c2

SHA256
8fec53f664217f624ec8229425abde74225eccf6b55e41d4c12c9d9789f4159c

SHA512
10993d5ca2b40060ba5925e8d7c008d028c06d909cb3b3a8f8da6a289e2cd45b95227114115e7ab6bed7fc91601d94c5b3c1a9d44e08850dc3048e4e9d51423d

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\install.res.3082.dll

Filesize
94KB

MD5
55a9b25fa0d768fb902842439d041b1f

SHA1
da103afd92af9b6f89b604191db2805a015a8c38

SHA256
8f826dba565fc464395ed24219da946f55692705de9f61f501dcfebf338970a3

SHA512
dc1b1dc345cb0e2e7e055abc07fc1374abbf773afae64fc27db292c5b97a166bfe4eaa69188d6831a91bfa2913c2238277a860a098ee9606b4112cba55067f7d

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\vc_red.msi

Filesize
227KB

MD5
6e17361f8e53b47656bcf0ed90ade095

SHA1
bce290a700e31579356f7122fb38ce3be452628a

SHA256
8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96

SHA512
a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

Download Submit
\??\c:\d534a68ad1f11259ef2d922de691\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/636-6804-0x00000000048C0000-0x00000000049C7000-memory.dmp

Filesize
1.0MB

Download
memory/636-6796-0x0000000003830000-0x0000000003847000-memory.dmp

Filesize
92KB

Download
memory/636-6798-0x0000000003F90000-0x0000000003FC0000-memory.dmp

Filesize
192KB

Download
memory/636-6799-0x0000000003FC0000-0x0000000003FD6000-memory.dmp

Filesize
88KB

Download
memory/636-6801-0x0000000004810000-0x000000000481F000-memory.dmp

Filesize
60KB

Download
memory/636-6802-0x0000000004880000-0x00000000048AF000-memory.dmp

Filesize
188KB

Download
memory/636-6795-0x00000000037E0000-0x00000000037FA000-memory.dmp

Filesize
104KB

Download
memory/636-6806-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download
memory/636-6809-0x0000000004D20000-0x0000000004D38000-memory.dmp

Filesize
96KB

Download
memory/636-6793-0x0000000003700000-0x00000000037D6000-memory.dmp

Filesize
856KB

Download
memory/636-6797-0x0000000003F60000-0x0000000003F71000-memory.dmp

Filesize
68KB

Download
memory/2664-31-0x00000000022F0000-0x00000000022FD000-memory.dmp

Filesize
52KB

Download
memory/3640-6819-0x00000000030F0000-0x0000000003107000-memory.dmp

Filesize
92KB

Download
memory/3640-6822-0x0000000003FB0000-0x0000000003FC6000-memory.dmp

Filesize
88KB

Download
memory/3640-6821-0x0000000003F80000-0x0000000003FB0000-memory.dmp

Filesize
192KB

Download
memory/3640-6824-0x0000000004800000-0x000000000480F000-memory.dmp

Filesize
60KB

Download
memory/3640-6829-0x0000000004900000-0x0000000004A07000-memory.dmp

Filesize
1.0MB

Download
memory/3640-6827-0x00000000048B0000-0x00000000048E6000-memory.dmp

Filesize
216KB

Download
memory/3640-6825-0x0000000004870000-0x000000000489F000-memory.dmp

Filesize
188KB

Download
memory/3640-6820-0x0000000003F50000-0x0000000003F61000-memory.dmp

Filesize
68KB

Download
memory/3640-6818-0x00000000030A0000-0x00000000030BA000-memory.dmp

Filesize
104KB

Download
memory/3640-6816-0x00000000037A0000-0x0000000003876000-memory.dmp

Filesize
856KB

Download