Analysis
max time kernel: 131s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20241007-es
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 21-11-2024 15:49
Static task: static1
Behavioral task: behavioral1
Sample: PatchMyPC-HomeUpdater.msi
Resource: win7-20241010-es
Behavioral task: behavioral2
Sample: PatchMyPC-HomeUpdater.msi
Resource: win10v2004-20241007-es
General
Target: PatchMyPC-HomeUpdater.msi
Size: 52.1MB
MD5: 90cd4318f192766e5a748312a91b8ec4
SHA1: 938e4590715babc03b6d436ee944eef0163be12d
SHA256: 7d704f3e4738c31ea83b41a2246c54027c2d6b9fcf915258e9dae170c765de1b
SHA512: a1fca167cab1ee9862ca7cc4492ae30f7887dbbb2719bb0d5855f67c32fc17cbe3f35ff95a018a4b544a76a80edc635d215a5c833268ce2c5973b3b6f6962992
SSDEEP: 786432:Ec5d3fVmrjV7eIAt0wOTZPtJ4+qwHnhvc:Ec5dPVmrjV7eIlwOTZ7qSC
Malware Config

Signatures
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{bd40e761-3e88-4202-9b53-26c6bed3d467} = "\"C:\\ProgramData\\Package Cache\\{bd40e761-3e88-4202-9b53-26c6bed3d467}\\windowsdesktop-runtime-8.0.11-win-x64.exe\" /burn.runonce" | windowsdesktop-runtime-8.0.11-win-x64.exe
Blocklisted process makes network request 64 IoCs
flow | pid | Process
4 | 1448 | msiexec.exe
6 | 1448 | msiexec.exe
25 | 3684 | MsiExec.exe
26 | 3684 | MsiExec.exe
53 | 4808 | MsiExec.exe
55 | 4808 | MsiExec.exe
57 | 4808 | MsiExec.exe
59 | 4808 | MsiExec.exe
61 | 4808 | MsiExec.exe
68 | 4808 | MsiExec.exe
69 | 4808 | MsiExec.exe
71 | 4808 | MsiExec.exe
258 | 4808 | MsiExec.exe
555 | 4808 | MsiExec.exe
556 | 4808 | MsiExec.exe
557 | 4808 | MsiExec.exe
558 | 4808 | MsiExec.exe
560 | 4808 | MsiExec.exe
564 | 4808 | MsiExec.exe
565 | 4808 | MsiExec.exe
567 | 4808 | MsiExec.exe
568 | 4808 | MsiExec.exe
569 | 4808 | MsiExec.exe
570 | 4808 | MsiExec.exe
571 | 4808 | MsiExec.exe
572 | 4808 | MsiExec.exe
573 | 4808 | MsiExec.exe
574 | 4808 | MsiExec.exe
575 | 4808 | MsiExec.exe
576 | 4808 | MsiExec.exe
577 | 4808 | MsiExec.exe
578 | 4808 | MsiExec.exe
579 | 4808 | MsiExec.exe
580 | 4808 | MsiExec.exe
581 | 4808 | MsiExec.exe
582 | 4808 | MsiExec.exe
583 | 4808 | MsiExec.exe
584 | 4808 | MsiExec.exe
585 | 4808 | MsiExec.exe
586 | 4808 | MsiExec.exe
587 | 4808 | MsiExec.exe
588 | 4808 | MsiExec.exe
589 | 4808 | MsiExec.exe
590 | 4808 | MsiExec.exe
591 | 4808 | MsiExec.exe
594 | 4808 | MsiExec.exe
595 | 4808 | MsiExec.exe
596 | 4808 | MsiExec.exe
598 | 4808 | MsiExec.exe
599 | 4808 | MsiExec.exe
600 | 4808 | MsiExec.exe
601 | 4808 | MsiExec.exe
602 | 4808 | MsiExec.exe
603 | 4808 | MsiExec.exe
604 | 4808 | MsiExec.exe
605 | 4808 | MsiExec.exe
606 | 4808 | MsiExec.exe
607 | 4808 | MsiExec.exe
608 | 4808 | MsiExec.exe
609 | 4808 | MsiExec.exe
610 | 4808 | MsiExec.exe
611 | 4808 | MsiExec.exe
612 | 4808 | MsiExec.exe
613 | 4808 | MsiExec.exe
Downloads MZ/PE file
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | windowsdesktop-runtime-8.0.11-win-x64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | PatchMyPC-HomeUpdater.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.TypeConverter.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\PresentationFramework-SystemXml.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\zh-Hant\UIAutomationTypes.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\zh-Hans\System.Windows.Controls.Ribbon.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Cng.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\ko\System.Windows.Forms.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\pl\System.Windows.Input.Manipulations.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebProxy.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\es\ReachFramework.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Extensions.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\tr\System.Windows.Input.Manipulations.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\zh-Hant\UIAutomationClient.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\it\WindowsFormsIntegration.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Linq.Expressions.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Primitives.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\it\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\System.Windows.Controls.Ribbon.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Xml.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.Extensions.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\zh-Hans\PresentationFramework.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\es\WindowsBase.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\System.Design.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.InteropServices.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\cs\WindowsFormsIntegration.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.CompilerServices.VisualC.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.EventBasedAsync.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\ja\System.Windows.Forms.Design.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\System.Xaml.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\es\System.Windows.Forms.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\ja\ReachFramework.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\de\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\pl\System.Windows.Forms.Design.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\Microsoft.WindowsDesktop.App.runtimeconfig.json | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\fr\System.Xaml.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\pt-BR\UIAutomationClientSideProviders.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\Microsoft.Win32.Registry.AccessControl.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\cs\UIAutomationTypes.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\WindowsBase.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\pt-BR\ReachFramework.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll | msiexec.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll | msiexec.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e57f2fb.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI280B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5AC7.tmp | msiexec.exe
File created | C:\Windows\Installer\e57f4f3.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57f2fb.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2E65.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5B07.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5B87.tmp | msiexec.exe
File created | C:\Windows\Installer\e57f300.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{F59C11F0-D73F-452B-8D1D-8C33B82D8507} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1279.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e57f4f1.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5B57.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5BF7.tmp | msiexec.exe
File created | C:\Windows\Installer\e57f305.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C0790AA0-0F40-4836-85B2-677B87625E63} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI836.tmp | msiexec.exe
File created | C:\Windows\Installer\e57f4f1.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5BB7.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5A68.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5D50.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e57f300.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFE89.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795\fileCoreHostExe | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795\fileCoreHostExe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI274.tmp | msiexec.exe
File created | C:\Windows\Installer\e57f310.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5F2A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5DAF.tmp | msiexec.exe
File created | C:\Windows\Installer\{20F7796B-F6AB-4715-9814-7D3C49A8D6B8}\ModernHomeUpdater.ClientApp.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2B4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\CacheSize.txt | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI360.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI25A9.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{20F7796B-F6AB-4715-9814-7D3C49A8D6B8} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF53E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI43C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2335.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI23D2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5EEA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5AE7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5CD2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6094.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{9C80213E-9079-4561-8D57-1FDD0D62251F} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6025.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI66C3.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF397.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI65D6.tmp | msiexec.exe
File created | C:\Windows\Installer\e57f30a.msi | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\CacheSize.txt | msiexec.exe
File created | C:\Windows\Installer\e57f314.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFBE6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFDCD.tmp | msiexec.exe
File created | C:\Windows\Installer\e57f304.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6316.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{20F7796B-F6AB-4715-9814-7D3C49A8D6B8}\ModernHomeUpdater.ClientApp.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6664.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFD00.tmp | msiexec.exe
Executes dropped EXE 5 IoCs
pid | Process
2672 | EnhancedUI.exe
4632 | windowsdesktop-runtime-8.0.11-win-x64.exe
3608 | windowsdesktop-runtime-8.0.11-win-x64.exe
4500 | windowsdesktop-runtime-8.0.11-win-x64.exe
1156 | PatchMyPC-HomeUpdater.exe
Loads dropped DLL 64 IoCs
pid | Process (consecutive identical entries collapsed, count in parentheses; 64 entries in total)
4808 | MsiExec.exe (x2)
3684 | MsiExec.exe (x20)
3608 | windowsdesktop-runtime-8.0.11-win-x64.exe
4320 | MsiExec.exe (x2)
3216 | MsiExec.exe (x2)
1704 | MsiExec.exe (x4)
4172 | MsiExec.exe (x2)
4288 | windowsdesktop-runtime-8.0.2-win-x64.exe
4788 | MsiExec.exe (x2)
3712 | MsiExec.exe (x2)
3160 | MsiExec.exe (x2)
2372 | MsiExec.exe (x14)
3344 | MsiExec.exe
2372 | MsiExec.exe (x5)
3864 | MsiExec.exe
2372 | MsiExec.exe
3864 | MsiExec.exe
2372 | MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
1448 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-8.0.11-win-x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-8.0.11-win-x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EnhancedUI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-8.0.2-win-x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-8.0.11-win-x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-8.0.2-win-x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-8.0.2-win-x64.exe
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
pid | Process
3608 | windowsdesktop-runtime-8.0.11-win-x64.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not present in this copy of the report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS 21 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D | msiexec.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{bd40e761-3e88-4202-9b53-26c6bed3d467}\Dependents | windowsdesktop-runtime-8.0.11-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\DisplayName = "Microsoft .NET Host FX Resolver - 8.0.11 (x64)" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6F05B006EF15FED56A7079F7AB6FD21F\0AA0970C04F06384582B76B77826E536 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.8.8795_x64 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\Assignment = "1" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70BF2CCB0FC824541BC016CBFE40FA2F\SourceList\Net | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{63880b41-04fc-4f9b-92c4-4455c255eb8c} | windowsdesktop-runtime-8.0.2-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D881F2EC0135A4B72CA89D27FD72F577 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA0970C04F06384582B76B77826E536\SourceList\Media\1 = ";" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.8.8795_x64\Dependents | windowsdesktop-runtime-8.0.2-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{bd40e761-3e88-4202-9b53-26c6bed3d467}\ = "{bd40e761-3e88-4202-9b53-26c6bed3d467}" | windowsdesktop-runtime-8.0.11-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\ = "{9C80213E-9079-4561-8D57-1FDD0D62251F}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E31208C997091654D875F1DDD02652F1\MainFeature | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63337BB296F4141479799EDBF63E89A0\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA0970C04F06384582B76B77826E536\SourceList\Net | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\DOTNET_CLI_SHAREDHOST_8.0_X64\DEPENDENTS\{63880B41-04FC-4F9B-92C4-4455C255EB8C} | windowsdesktop-runtime-8.0.2-win-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18237B7CA0BADAD40AF9C5034D6097CA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B6977F02BA6F51748941D7C3948A6D8B\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\PackageCode = "3558879DFFDC297478AF98DA2AA0BD7A" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6DA04985925EAF493E05C325D562007 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA0970C04F06384582B76B77826E536\PackageCode = "F40D0C15A7A9CAC47B09E6C88478AF33" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DF1F64D8EF250D42BCA10C1326BB942\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{bd40e761-3e88-4202-9b53-26c6bed3d467} | windowsdesktop-runtime-8.0.11-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\DeploymentFlags = "3" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA0970C04F06384582B76B77826E536\AdvertiseFlags = "388" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DF1F64D8EF250D42BCA10C1326BB942 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18237B7CA0BADAD40AF9C5034D6097CA\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Dependents\{bd40e761-3e88-4202-9b53-26c6bed3d467} | windowsdesktop-runtime-8.0.11-win-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64 | windowsdesktop-runtime-8.0.11-win-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\WINDOWSDESKTOP_RUNTIME_64.8.8806_X64\DEPENDENTS\{63880B41-04FC-4F9B-92C4-4455C255EB8C} | windowsdesktop-runtime-8.0.2-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B6977F02BA6F51748941D7C3948A6D8B\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6DA04985925EAF493E05C325D562007\E31208C997091654D875F1DDD02652F1 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F11C95FF37DB254D8D1C8338BD25870 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\ProductName = "Microsoft .NET Host FX Resolver - 8.0.11 (x64)" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA0970C04F06384582B76B77826E536 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EC4D2DC6E5F594446E1328CE265CCE74 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\SourceList\PackageName = "dotnet-runtime-8.0.11-win-x64.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\Version = "64.44.23191" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\Version = "1076648599" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B6977F02BA6F51748941D7C3948A6D8B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64 | windowsdesktop-runtime-8.0.11-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA0970C04F06384582B76B77826E536\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B6977F02BA6F51748941D7C3948A6D8B\ProductName = "Patch My PC Home Updater" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4314D9BC1755DB976919CB1686BE4BF0 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D0D4B2638348AD44682BEF4CE400F0AC\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B6977F02BA6F51748941D7C3948A6D8B\SourceList\PackageName = "PatchMyPC-HomeUpdater.msi" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D0D4B2638348AD44682BEF4CE400F0AC\Provider | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AA0970C04F06384582B76B77826E536\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Version = "64.44.23191" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4314D9BC1755DB976919CB1686BE4BF0\0F11C95FF37DB254D8D1C8338BD25870 | msiexec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process         Occurrences
3684  MsiExec.exe     2
4284  msiexec.exe     16
2672  EnhancedUI.exe  46
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 1448 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1448 msiexec.exe
Token: SeSecurityPrivilege 4284 msiexec.exe
Token: SeCreateTokenPrivilege 1448 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1448 msiexec.exe
Token: SeLockMemoryPrivilege 1448 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1448 msiexec.exe
Token: SeMachineAccountPrivilege 1448 msiexec.exe
Token: SeTcbPrivilege 1448 msiexec.exe
Token: SeSecurityPrivilege 1448 msiexec.exe
Token: SeTakeOwnershipPrivilege 1448 msiexec.exe
Token: SeLoadDriverPrivilege 1448 msiexec.exe
Token: SeSystemProfilePrivilege 1448 msiexec.exe
Token: SeSystemtimePrivilege 1448 msiexec.exe
Token: SeProfSingleProcessPrivilege 1448 msiexec.exe
Token: SeIncBasePriorityPrivilege 1448 msiexec.exe
Token: SeCreatePagefilePrivilege 1448 msiexec.exe
Token: SeCreatePermanentPrivilege 1448 msiexec.exe
Token: SeBackupPrivilege 1448 msiexec.exe
Token: SeRestorePrivilege 1448 msiexec.exe
Token: SeShutdownPrivilege 1448 msiexec.exe
Token: SeDebugPrivilege 1448 msiexec.exe
Token: SeAuditPrivilege 1448 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1448 msiexec.exe
Token: SeChangeNotifyPrivilege 1448 msiexec.exe
Token: SeRemoteShutdownPrivilege 1448 msiexec.exe
Token: SeUndockPrivilege 1448 msiexec.exe
Token: SeSyncAgentPrivilege 1448 msiexec.exe
Token: SeEnableDelegationPrivilege 1448 msiexec.exe
Token: SeManageVolumePrivilege 1448 msiexec.exe
Token: SeImpersonatePrivilege 1448 msiexec.exe
Token: SeCreateGlobalPrivilege 1448 msiexec.exe
Token: SeCreateTokenPrivilege 1448 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1448 msiexec.exe
Token: SeLockMemoryPrivilege 1448 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1448 msiexec.exe
Token: SeMachineAccountPrivilege 1448 msiexec.exe
Token: SeTcbPrivilege 1448 msiexec.exe
Token: SeSecurityPrivilege 1448 msiexec.exe
Token: SeTakeOwnershipPrivilege 1448 msiexec.exe
Token: SeLoadDriverPrivilege 1448 msiexec.exe
Token: SeSystemProfilePrivilege 1448 msiexec.exe
Token: SeSystemtimePrivilege 1448 msiexec.exe
Token: SeProfSingleProcessPrivilege 1448 msiexec.exe
Token: SeIncBasePriorityPrivilege 1448 msiexec.exe
Token: SeCreatePagefilePrivilege 1448 msiexec.exe
Token: SeCreatePermanentPrivilege 1448 msiexec.exe
Token: SeBackupPrivilege 1448 msiexec.exe
Token: SeRestorePrivilege 1448 msiexec.exe
Token: SeShutdownPrivilege 1448 msiexec.exe
Token: SeDebugPrivilege 1448 msiexec.exe
Token: SeAuditPrivilege 1448 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1448 msiexec.exe
Token: SeChangeNotifyPrivilege 1448 msiexec.exe
Token: SeRemoteShutdownPrivilege 1448 msiexec.exe
Token: SeUndockPrivilege 1448 msiexec.exe
Token: SeSyncAgentPrivilege 1448 msiexec.exe
Token: SeEnableDelegationPrivilege 1448 msiexec.exe
Token: SeManageVolumePrivilege 1448 msiexec.exe
Token: SeImpersonatePrivilege 1448 msiexec.exe
Token: SeCreateGlobalPrivilege 1448 msiexec.exe
Token: SeCreateTokenPrivilege 1448 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1448 msiexec.exe
Token: SeLockMemoryPrivilege 1448 msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
1448 msiexec.exe
2672 EnhancedUI.exe
1448 msiexec.exe
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target (occurrences)
PID 4284 wrote to memory of 4808 4284 msiexec.exe 83 (3)
PID 4808 wrote to memory of 2672 4808 MsiExec.exe 84 (3)
PID 4284 wrote to memory of 3684 4284 msiexec.exe 88 (3)
PID 3684 wrote to memory of 4632 3684 MsiExec.exe 97 (3)
PID 4632 wrote to memory of 3608 4632 windowsdesktop-runtime-8.0.11-win-x64.exe 98 (3)
PID 3608 wrote to memory of 4500 3608 windowsdesktop-runtime-8.0.11-win-x64.exe 99 (3)
PID 4284 wrote to memory of 4320 4284 msiexec.exe 100 (3)
PID 4284 wrote to memory of 3216 4284 msiexec.exe 101 (3)
PID 4284 wrote to memory of 1704 4284 msiexec.exe 102 (3)
PID 4284 wrote to memory of 4172 4284 msiexec.exe 103 (3)
PID 4500 wrote to memory of 32 4500 windowsdesktop-runtime-8.0.11-win-x64.exe 104 (3)
PID 32 wrote to memory of 4288 32 windowsdesktop-runtime-8.0.2-win-x64.exe 105 (3)
PID 4288 wrote to memory of 4336 4288 windowsdesktop-runtime-8.0.2-win-x64.exe 106 (3)
PID 4284 wrote to memory of 4788 4284 msiexec.exe 107 (3)
PID 4284 wrote to memory of 3712 4284 msiexec.exe 108 (3)
PID 4284 wrote to memory of 3160 4284 msiexec.exe 109 (3)
PID 4284 wrote to memory of 2364 4284 msiexec.exe 113 (2)
PID 4284 wrote to memory of 2372 4284 msiexec.exe 115 (3)
PID 4284 wrote to memory of 3344 4284 msiexec.exe 116 (2)
PID 4284 wrote to memory of 3864 4284 msiexec.exe 117 (3)
PID 3684 wrote to memory of 1156 3684 MsiExec.exe 119 (2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe (PID 1448)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PatchMyPC-HomeUpdater.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 4284)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 4808)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 916780C301A65225B0354A03445B92BF U
      - Blocklisted process makes network request
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\MSI8545\EnhancedUI.exe (PID 2672)
          Command line: EmbeddedUI.exe /embeddedui 1448
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow

    C:\Windows\syswow64\MsiExec.exe (PID 3684)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 515F4241C1095D980D7AE856A3157097 C
      - Blocklisted process makes network request
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Patch My PC\Patch My PC Home Updater\prerequisites\.NET 8.0\windowsdesktop-runtime-8.0.11-win-x64.exe (PID 4632)
          Command line: "C:\Users\Admin\AppData\Roaming\Patch My PC\Patch My PC Home Updater\prerequisites\.NET 8.0\windowsdesktop-runtime-8.0.11-win-x64.exe" /q /norestart
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\Temp\{D083E24D-70B9-4427-BA31-CAAB14F71917}\.cr\windowsdesktop-runtime-8.0.11-win-x64.exe (PID 3608)
              Command line: "C:\Windows\Temp\{D083E24D-70B9-4427-BA31-CAAB14F71917}\.cr\windowsdesktop-runtime-8.0.11-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\Patch My PC\Patch My PC Home Updater\prerequisites\.NET 8.0\windowsdesktop-runtime-8.0.11-win-x64.exe" -burn.filehandle.attached=692 -burn.filehandle.self=548 /q /norestart
              - Checks computer location settings
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - System Time Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\Temp\{3F29F2F4-F3DC-4BD4-B3B4-497CC14D07ED}\.be\windowsdesktop-runtime-8.0.11-win-x64.exe (PID 4500)
                  Command line: "C:\Windows\Temp\{3F29F2F4-F3DC-4BD4-B3B4-497CC14D07ED}\.be\windowsdesktop-runtime-8.0.11-win-x64.exe" -q -burn.elevated BurnPipe.{8DF5BCE9-5717-4368-95B3-BD7F4E8D280D} {34E978F3-0077-4746-9B34-7994B46FDAA2} 3608
                  - Adds Run key to start application
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies registry class
                  - Suspicious use of WriteProcessMemory

                    C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe (PID 32)
                      Command line: "C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={bd40e761-3e88-4202-9b53-26c6bed3d467} -burn.filehandle.self=1004 -burn.embedded BurnPipe.{A58585A1-05BC-40D5-8DD8-7E9FE0FBC08A} {F4ED3587-5B95-457B-982F-B8901F7D1B6B} 4500
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of WriteProcessMemory

                        C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe (PID 4288)
                          Command line: "C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={bd40e761-3e88-4202-9b53-26c6bed3d467} -burn.filehandle.self=1004 -burn.embedded BurnPipe.{A58585A1-05BC-40D5-8DD8-7E9FE0FBC08A} {F4ED3587-5B95-457B-982F-B8901F7D1B6B} 4500
                          - Loads dropped DLL
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of WriteProcessMemory

                            C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe (PID 4336)
                              Command line: "C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -q -burn.elevated BurnPipe.{55267E5A-5F63-4B37-8BAB-45493AFA2EB5} {012CC82A-37B3-4049-A941-16E77D4EE4F1} 4288
                              - System Location Discovery: System Language Discovery
                              - Modifies registry class

        C:\Program Files\Patch My PC\Patch My PC Home Updater\PatchMyPC-HomeUpdater.exe (PID 1156)
          Command line: "C:\Program Files\Patch My PC\Patch My PC Home Updater\PatchMyPC-HomeUpdater.exe"
          - Checks computer location settings
          - Executes dropped EXE

    C:\Windows\syswow64\MsiExec.exe (PID 4320)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2BE245360A5030BA1304476530736E8D
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe (PID 3216)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C61B0B82407F7B3E1ED1CC592723852E
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe (PID 1704)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F1645D7B6EECE4E93CDA0397AC3D9998
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe (PID 4172)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C201F27DD863871595CA1F53954D5315
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe (PID 4788)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 81C23C67CB26E6C414B4431C105EACC9
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe (PID 3712)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ACF1B99AE6DEEB658D2DE3F93064F4F2
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\syswow64\MsiExec.exe (PID 3160)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 297EC7701DE308013E7B269FB8D26AAC
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\system32\srtasks.exe (PID 2364)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\syswow64\MsiExec.exe (PID 2372)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0A6B4BC0AB1173C98733CB728B1F0B78
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\System32\MsiExec.exe (PID 3344)
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 2A1CC6D728AF0A9DFDFE228E3DF6D965
      - Loads dropped DLL

    C:\Windows\syswow64\MsiExec.exe (PID 3864)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9CF10EA21CC68B677E643EE48E76F948 E Global\MSI0000
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 2152)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Downloads