bf066388ba859d290970a6011de59455dcaa6059b0ca120213b0b601ffe59369

Resubmissions

01-12-2024 18:15

241201-wwd19axqbx 10

01-12-2024 18:07

241201-wqgj7axpct 10

Analysis

max time kernel
90s
max time network
142s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/install_all.bat
Size

1KB
MD5

eb55aae630088c91b88d2bfae4115ea0
SHA1

1495c69946edca474fe30c2b713aacb9f03bbf3a
SHA256

492ee4c16ac45a5483088583c9caa08252d3a1bb3922dbbec834d61673538f17
SHA512

48e4a3fa644b1859131cfec782641aaee9938c88f939ca0509df0f4120b922187753ce7cd7d912d2f90108526ba34d767baa28c9eeeb25d43fff77d38ddfd882

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	vcredist2015_2017_2019_2022_x86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	vcredist2015_2017_2019_2022_x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 8 IoCs

pid	Process
2400	install.exe
536	install.exe
332	Setup.exe
3468	Setup.exe
1244	vcredist2015_2017_2019_2022_x86.exe
4920	VC_redist.x86.exe
188	vcredist2015_2017_2019_2022_x64.exe
3176	VC_redist.x64.exe

Loads dropped DLL 21 IoCs

pid	Process
3116	MsiExec.exe
2548	MsiExec.exe
2548	MsiExec.exe
2400	install.exe
536	install.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
1872	vcredist2012_x86.exe
3672	vcredist2012_x64.exe
3800	vcredist2013_x86.exe
1096	vcredist2013_x64.exe
1244	vcredist2015_2017_2019_2022_x86.exe
188	vcredist2015_2017_2019_2022_x64.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7} = "\"C:\\ProgramData\\Package Cache\\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\\vcredist_x64.exe\" /burn.runonce"	vcredist2013_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{47109d57-d746-4f8b-9618-ed6a17cc922b} = "\"C:\\ProgramData\\Package Cache\\{47109d57-d746-4f8b-9618-ed6a17cc922b}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20241201181823.log\" /passive /norestart ignored /burn.runonce"	vcredist2012_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20241201181825.log\" /passive /norestart ignored /burn.runonce"	vcredist2012_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} = "\"C:\\ProgramData\\Package Cache\\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}\\vcredist_x86.exe\" /burn.runonce"	vcredist2013_x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Setup.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfc100ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc120esn.dll	msiexec.exe
File created	C:\Windows\system32\mfcm120u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc120kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp120.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp120.dll	msiexec.exe
File created	C:\Windows\system32\vcamp120.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100esn.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml	TiWorker.exe
File opened for modification	C:\Windows\system32\msvcp120.dll	msiexec.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml	TiWorker.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120.dll	msiexec.exe
File created	C:\Windows\system32\vcomp120.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcr120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc120ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120.dll	msiexec.exe
File created	C:\Windows\system32\mfc120enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\Temp\InFlight\9d38565b1d44db010d0000005c11980c\9d38565b1d44db010e0000005c11980c_manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\8ff02f780acfee139426fe743f849038b8eeb9ce2b41325713d50dae1bfaeb14.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\07edfe611d44db01b30000005c11980c\07edfe611d44db01b40000005c11980c_manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Manifests\amd64_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_06366735fd130439.manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\2af6145c1d44db013e0000005c11980c.Generalize.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\2af6145c1d44db01410000005c11980c.Respecialize.xml	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181810546.1\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.6195_none_23dd61529b99d19d.manifest	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181810514.1\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\06bc0b611d44db017e0000005c11980c\631d0e611d44db017f0000005c11980c_msvcr80.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcm80.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\1597d45b1d44db012d0000005c11980c_mfc80ita.dll	TiWorker.exe
File opened for modification	C:\Windows\Installer\e5bb131.msi	msiexec.exe
File created	C:\Windows\WinSxS\Temp\InFlight\e0a8d9601d44db01700000005c11980c\e0a8d9601d44db01710000005c11980c_manifest	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181759061.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\4f62ea395689af18e20d302982f2750c091929a70879ab580fa8178f137d11df.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_09c4cec9fac927dd.manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\ac15a9611d44db01960000005c11980c_mfc80chs.dll	TiWorker.exe
File created	C:\Windows\Installer\e5bb191.msi	msiexec.exe
File created	C:\Windows\WinSxS\Manifests\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f.manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\0d34d25b1d44db012a0000005c11980c_mfc80enu.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\bc1a4c611d44db01860000005c11980c\bc1a4c611d44db01870000005c11980c_mfcm80.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\13928b5a1d44db01030000005c11980c\13928b5a1d44db01040000005c11980c_atl80.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\8bad8a5b1d44db01150000005c11980c\40108d5b1d44db011c0000005c11980c_catalog	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_517205a10f4550e3.cat	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181758983.0\mfc80ITA.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241201181759108.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\2af6145c1d44db013f0000005c11980c.Specialize.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\bd3a30be9bfcfbe814a1d495b2692faf9a3a98560d1431cbe60a64af3b69326f.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\ac15a9611d44db01960000005c11980c_mfc80chs.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\9d38565b1d44db010f0000005c11980c\829b585b1d44db01120000005c11980c_msvcm80.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\0d34d25b1d44db012c0000005c11980c_mfc80fra.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_03ce2c72205943d3.manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\8bad8a5b1d44db01170000005c11980c\40108d5b1d44db011b0000005c11980c_mfcm80u.dll	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181810280.0\msvcr80.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\6cdbda542c517fe0e758a06948bb2a67a382aa0fa7ba2eec59e7dcdc44028a9c.cat	TiWorker.exe
File opened for modification	C:\Windows\Installer\MSI179D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660	msiexec.exe
File created	C:\Windows\WinSxS\Temp\InFlight\7bcd2c5c1d44db01440000005c11980c\7bcd2c5c1d44db01460000005c11980c_catalog	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181810514.0\vcomp.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\9b3f91611d44db01900000005c11980c.Respecialize.xml	TiWorker.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\12B8D03ED28D112328CCF0A0D541598E\12.0.40660\F_CENTRAL_vcamp120_x86	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\8bad8a5b1d44db01150000005c11980c\40108d5b1d44db011c0000005c11980c_catalog	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\1597d45b1d44db012e0000005c11980c_mfc80jpn.dll	TiWorker.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\12B8D03ED28D112328CCF0A0D541598E\CacheSize.txt	msiexec.exe
File created	C:\Windows\Installer\e5bb1aa.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\fbc4405b1d44db010a0000005c11980c.Respecialize.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\165b71621d44db01d50000005c11980c\165b71621d44db01d60000005c11980c_manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\61b1e4611d44db01ae0000005c11980c.Specialize.xml	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\44e91d621d44db01bd0000005c11980c\44e91d621d44db01be0000005c11980c_manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\165b71621d44db01d50000005c11980c\165b71621d44db01d60000005c11980c_manifest	TiWorker.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfc120cht_x64	msiexec.exe
File opened for modification	C:\Windows\Installer\e5bb197.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\7bcd2c5c1d44db01470000005c11980c.x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_4de39e0d118f2d3f.manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\96dc9c5c1d44db01660000005c11980c\96dc9c5c1d44db01670000005c11980c_manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\aa1fef601d44db01780000005c11980c.Cleanup.xml	TiWorker.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	Setup.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\12B8D03ED28D112328CCF0A0D541598E\12.0.40660\F_CENTRAL_vcamp120_x86	msiexec.exe
File created	C:\Windows\Installer\e5bb14e.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfc120ita_x64	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfcm120u_x64	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 2 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2368	msiexec.exe
3892	msiexec.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3928	1244	WerFault.exe	121
820	188	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2008_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2010_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2008_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2010_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2005_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2005_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000776893be030d5aaf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000776893be0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900776893be000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d776893be000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000776893be00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Setup.exe

Modifies data under HKEY_USERS 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\33	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AB297010A1550CA37AFEF0BA14653C28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1BAD2218D4DE6763BBA0AC63186945E3\VC_Runtime_Minimum	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\VC_Redist	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\FT_VC_Redist_CRT_x64 = "VC_Redist_12222_amd64_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1BAD2218D4DE6763BBA0AC63186945E3\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1BAD2218D4DE6763BBA0AC63186945E3\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E815EB96CCE9A53884E7857C57002F0\SourceList\LastUsedSource = "n;2;f:\\b3198a339da5dcc54ee3bf27\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32-policy" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f004d00460043005f007800360034003e005e002a00320070005a00740060003f0050003500620061005700370038003400280076006c006b0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\SourceList\Net\2 = "f:\\67043f5c3d5bdda1ae65ab99b83bff12\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v12	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1BAD2218D4DE6763BBA0AC63186945E3\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12\Version = "12.0.40664"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_CRT_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0FC00402C7EDE723A94E0F3FD809588F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\PackageName = "vc_runtimeMinimum_x86.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.OpenMP,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32-policy" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f004f00700065006e004d0050005f007800360034003e007900700040005500210076003f005400490037006c007a004c00450075005a003d005a003100730000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CE6380BC270BD863282B3D74B09F7570	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1BAD2218D4DE6763BBA0AC63186945E3\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4396FC35D89A48D31964CFE4FDD36514\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AB297010A1550CA37AFEF0BA14653C28\VC_Runtime_Additional	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\FT_VC_Redist_MFC_x64 = "VC_Redist_12222_amd64_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\VCRedist_x86_enu	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AB297010A1550CA37AFEF0BA14653C28\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12B8D03ED28D112328CCF0A0D541598E	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.CRT,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e004b00520050005200400047006b006e005d0033003d002b004c00380047003600210061002e00490000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f00410054004c005f007800360034003e0049005b00280055004d0049005b007600260036006a006d005f004f0071005400570060004100370000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1BAD2218D4DE6763BBA0AC63186945E3\ProductName = "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12B8D03ED28D112328CCF0A0D541598E\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_MFC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\FT_VCRedist_x86_KB2565063_Detection	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.MFCLOC,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64",type="win32" = 3600540043006c0046002e005f007400740035006200290038002100600024004b005a0046006d00460054005f00560043005f005200650064006900730074005f004d00460043004c004f0043005f007800360034003e0077006e002e005a006000290063004000760034003d004b002c0044004f00360056007e0028006e0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\PackageCode = "1553588F03D4A6D43BA639FEDAE4EE30"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1BAD2218D4DE6763BBA0AC63186945E3\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
332	Setup.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
3468	Setup.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe
1628	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	1628	msiexec.exe
Token: SeCreateTokenPrivilege	2368	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2368	msiexec.exe
Token: SeLockMemoryPrivilege	2368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2368	msiexec.exe
Token: SeMachineAccountPrivilege	2368	msiexec.exe
Token: SeTcbPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	2368	msiexec.exe
Token: SeTakeOwnershipPrivilege	2368	msiexec.exe
Token: SeLoadDriverPrivilege	2368	msiexec.exe
Token: SeSystemProfilePrivilege	2368	msiexec.exe
Token: SeSystemtimePrivilege	2368	msiexec.exe
Token: SeProfSingleProcessPrivilege	2368	msiexec.exe
Token: SeIncBasePriorityPrivilege	2368	msiexec.exe
Token: SeCreatePagefilePrivilege	2368	msiexec.exe
Token: SeCreatePermanentPrivilege	2368	msiexec.exe
Token: SeBackupPrivilege	2368	msiexec.exe
Token: SeRestorePrivilege	2368	msiexec.exe
Token: SeShutdownPrivilege	2368	msiexec.exe
Token: SeDebugPrivilege	2368	msiexec.exe
Token: SeAuditPrivilege	2368	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2368	msiexec.exe
Token: SeChangeNotifyPrivilege	2368	msiexec.exe
Token: SeRemoteShutdownPrivilege	2368	msiexec.exe
Token: SeUndockPrivilege	2368	msiexec.exe
Token: SeSyncAgentPrivilege	2368	msiexec.exe
Token: SeEnableDelegationPrivilege	2368	msiexec.exe
Token: SeManageVolumePrivilege	2368	msiexec.exe
Token: SeImpersonatePrivilege	2368	msiexec.exe
Token: SeCreateGlobalPrivilege	2368	msiexec.exe
Token: SeBackupPrivilege	628	vssvc.exe
Token: SeRestorePrivilege	628	vssvc.exe
Token: SeAuditPrivilege	628	vssvc.exe
Token: SeBackupPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe
Token: SeTakeOwnershipPrivilege	1628	msiexec.exe
Token: SeRestorePrivilege	1628	msiexec.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2368	msiexec.exe
2368	msiexec.exe
3892	msiexec.exe
3892	msiexec.exe
2400	install.exe
2400	install.exe
536	install.exe
536	install.exe
1872	vcredist2012_x86.exe
3672	vcredist2012_x64.exe
3800	vcredist2013_x86.exe
1096	vcredist2013_x64.exe
1244	vcredist2015_2017_2019_2022_x86.exe
188	vcredist2015_2017_2019_2022_x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4320	3612	cmd.exe	80
PID 3612 wrote to memory of 4320	3612	cmd.exe	80
PID 3612 wrote to memory of 4320	3612	cmd.exe	80
PID 4320 wrote to memory of 2368	4320	vcredist2005_x86.exe	81
PID 4320 wrote to memory of 2368	4320	vcredist2005_x86.exe	81
PID 4320 wrote to memory of 2368	4320	vcredist2005_x86.exe	81
PID 1628 wrote to memory of 1752	1628	msiexec.exe	94
PID 1628 wrote to memory of 1752	1628	msiexec.exe	94
PID 1628 wrote to memory of 3116	1628	msiexec.exe	96
PID 1628 wrote to memory of 3116	1628	msiexec.exe	96
PID 1628 wrote to memory of 3116	1628	msiexec.exe	96
PID 3612 wrote to memory of 3652	3612	cmd.exe	98
PID 3612 wrote to memory of 3652	3612	cmd.exe	98
PID 3612 wrote to memory of 3652	3612	cmd.exe	98
PID 3652 wrote to memory of 3892	3652	vcredist2005_x64.exe	99
PID 3652 wrote to memory of 3892	3652	vcredist2005_x64.exe	99
PID 3652 wrote to memory of 3892	3652	vcredist2005_x64.exe	99
PID 1628 wrote to memory of 2548	1628	msiexec.exe	100
PID 1628 wrote to memory of 2548	1628	msiexec.exe	100
PID 1628 wrote to memory of 2548	1628	msiexec.exe	100
PID 3612 wrote to memory of 2228	3612	cmd.exe	102
PID 3612 wrote to memory of 2228	3612	cmd.exe	102
PID 3612 wrote to memory of 2228	3612	cmd.exe	102
PID 2228 wrote to memory of 2400	2228	vcredist2008_x86.exe	103
PID 2228 wrote to memory of 2400	2228	vcredist2008_x86.exe	103
PID 2228 wrote to memory of 2400	2228	vcredist2008_x86.exe	103
PID 3612 wrote to memory of 2068	3612	cmd.exe	104
PID 3612 wrote to memory of 2068	3612	cmd.exe	104
PID 3612 wrote to memory of 2068	3612	cmd.exe	104
PID 2068 wrote to memory of 536	2068	vcredist2008_x64.exe	105
PID 2068 wrote to memory of 536	2068	vcredist2008_x64.exe	105
PID 3612 wrote to memory of 764	3612	cmd.exe	106
PID 3612 wrote to memory of 764	3612	cmd.exe	106
PID 3612 wrote to memory of 764	3612	cmd.exe	106
PID 764 wrote to memory of 332	764	vcredist2010_x86.exe	107
PID 764 wrote to memory of 332	764	vcredist2010_x86.exe	107
PID 764 wrote to memory of 332	764	vcredist2010_x86.exe	107
PID 3612 wrote to memory of 2884	3612	cmd.exe	108
PID 3612 wrote to memory of 2884	3612	cmd.exe	108
PID 3612 wrote to memory of 2884	3612	cmd.exe	108
PID 2884 wrote to memory of 3468	2884	vcredist2010_x64.exe	109
PID 2884 wrote to memory of 3468	2884	vcredist2010_x64.exe	109
PID 2884 wrote to memory of 3468	2884	vcredist2010_x64.exe	109
PID 3612 wrote to memory of 4936	3612	cmd.exe	111
PID 3612 wrote to memory of 4936	3612	cmd.exe	111
PID 3612 wrote to memory of 4936	3612	cmd.exe	111
PID 4936 wrote to memory of 1872	4936	vcredist2012_x86.exe	112
PID 4936 wrote to memory of 1872	4936	vcredist2012_x86.exe	112
PID 4936 wrote to memory of 1872	4936	vcredist2012_x86.exe	112
PID 3612 wrote to memory of 2572	3612	cmd.exe	114
PID 3612 wrote to memory of 2572	3612	cmd.exe	114
PID 3612 wrote to memory of 2572	3612	cmd.exe	114
PID 2572 wrote to memory of 3672	2572	vcredist2012_x64.exe	115
PID 2572 wrote to memory of 3672	2572	vcredist2012_x64.exe	115
PID 2572 wrote to memory of 3672	2572	vcredist2012_x64.exe	115
PID 3612 wrote to memory of 2140	3612	cmd.exe	116
PID 3612 wrote to memory of 2140	3612	cmd.exe	116
PID 3612 wrote to memory of 2140	3612	cmd.exe	116
PID 2140 wrote to memory of 3800	2140	vcredist2013_x86.exe	117
PID 2140 wrote to memory of 3800	2140	vcredist2013_x86.exe	117
PID 2140 wrote to memory of 3800	2140	vcredist2013_x86.exe	117
PID 3612 wrote to memory of 4824	3612	cmd.exe	118
PID 3612 wrote to memory of 4824	3612	cmd.exe	118
PID 3612 wrote to memory of 4824	3612	cmd.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\install_all.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2005_x86.exe
  vcredist2005_x86.exe /q
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2368
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2005_x64.exe
  vcredist2005_x64.exe /q
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:3892
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2008_x86.exe
  vcredist2008_x86.exe /qb
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - \??\f:\b3198a339da5dcc54ee3bf27\install.exe
    f:\b3198a339da5dcc54ee3bf27\.\install.exe /qb
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2008_x64.exe
  vcredist2008_x64.exe /qb
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - \??\f:\67043f5c3d5bdda1ae65ab99b83bff12\install.exe
    f:\67043f5c3d5bdda1ae65ab99b83bff12\.\install.exe /qb
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:536
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2010_x86.exe
  vcredist2010_x86.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:764
- - \??\f:\04a6c94daf694ca4be72624682\Setup.exe
    f:\04a6c94daf694ca4be72624682\Setup.exe /passive /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:332
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2010_x64.exe
  vcredist2010_x64.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - \??\f:\31e5e6cdcc4e2d6d47d1\Setup.exe
    f:\31e5e6cdcc4e2d6d47d1\Setup.exe /passive /norestart
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2012_x86.exe
  vcredist2012_x86.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2012_x86.exe
    "C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2012_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{B0FB8106-2B1C-4C57-9079-BABDBC80C8CF} {EE46F92C-8183-4C16-8049-05C77CD6F873} 4936
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1872
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2012_x64.exe
  vcredist2012_x64.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2012_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2012_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{CC166DE3-B614-43FC-B077-CE7E4118CF98} {1375B00D-5331-4DA5-BFE8-8005CA6F753D} 2572
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:3672
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2013_x86.exe
  vcredist2013_x86.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2013_x86.exe
    "C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2013_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{14E4B4A0-D5F7-4C5C-8908-B8054BD70256} {AA252E74-DE58-4918-8941-F5408867DA3D} 2140
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:3800
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2013_x64.exe
  vcredist2013_x64.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4824
- - C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2013_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2013_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{0A7CD3E5-A279-462C-987C-62802DBEE84A} {B05DA578-C934-4C40-B151-6D37A0AA216C} 4824
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2015_2017_2019_2022_x86.exe
  vcredist2015_2017_2019_2022_x86.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3736
- - C:\Windows\Temp\{F2BFED90-7F6C-4A11-8A18-9A95ADF09A36}\.cr\vcredist2015_2017_2019_2022_x86.exe
    "C:\Windows\Temp\{F2BFED90-7F6C-4A11-8A18-9A95ADF09A36}\.cr\vcredist2015_2017_2019_2022_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2015_2017_2019_2022_x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /passive /norestart
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1244
  - - C:\Windows\Temp\{CACE24A0-1E16-4977-A4A7-4735AD451C38}\.be\VC_redist.x86.exe
      "C:\Windows\Temp\{CACE24A0-1E16-4977-A4A7-4735AD451C38}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{435B451B-BE44-4265-BD10-20EDECA9B28A} {9B77898D-190E-4F13-A9A1-F9D97F96EDEE} 1244
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1144
      4⤵
      Program crash
      PID:3928
- C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2015_2017_2019_2022_x64.exe
  vcredist2015_2017_2019_2022_x64.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- - C:\Windows\Temp\{60059A43-D4FF-4807-A8EC-2F0F749959B6}\.cr\vcredist2015_2017_2019_2022_x64.exe
    "C:\Windows\Temp\{60059A43-D4FF-4807-A8EC-2F0F749959B6}\.cr\vcredist2015_2017_2019_2022_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2015_2017_2019_2022_x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=660 /passive /norestart
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:188
  - - C:\Windows\Temp\{06570866-3D30-4117-9EA6-5C35E64A3767}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{06570866-3D30-4117-9EA6-5C35E64A3767}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{A63E5B43-4305-4DF3-897E-271522DCB853} {8A090DCB-49D3-4220-9F54-54F686EFBB53} 188
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 1112
      4⤵
      Program crash
      PID:820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  2⤵
  PID:1752
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AB0E478355970BEA317C80FD7C6BC2B6
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EF19B6202B146972F251DCA2651D107D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1244 -ip 1244
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 188 -ip 188
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5bb12f.rbs

Filesize
73KB

MD5
cc53032e74a298831ed630f4e980cfbd

SHA1
db2db0839964aed4021a5848fe8d8a50325b46a3

SHA256
942b236ec7ba85e0c5bbd44c89b10bc59ed4228ec9a257f90da44091bc79f1b8

SHA512
cbddab924f3d8f4e8dc1ede6dda63dbd8cc48034eceda10c97eb4bdc5ab67a03d152c7e440ec05a960f29e535f17b43d0d39d769e2f2522efff09da689bf3fd7

Download Submit
C:\Config.Msi\e5bb134.rbs

Filesize
73KB

MD5
cbf8ff91450060d969491bc97d5cbccf

SHA1
3758caceca0678e43dfbcef999c05ddfad6dfb10

SHA256
88bfa934a25f4a4f14f48af2b3fa88e9300a2c03967006bd5a299333d151bd72

SHA512
62759b5c29e6ecc8dc8cd25272929c1da97b729e117fcf798495846b9f6ef2cc24dfdaad5b0472de100af564169bd922b432e70e018cfb4846b9547f11e7eabb

Download Submit
C:\Config.Msi\e5bb138.rbs

Filesize
30KB

MD5
058599dfedee3ce284fc0295c667b575

SHA1
00e1e00b26f2a4bb28b33816c17d67952f96efe1

SHA256
547818d6fe8416500168ef2eee281971c0032dd509b37218d8ad1e1b855eeaa1

SHA512
de330b20ffa2e83dd596e5657c456cd543e020d07b71643f62cb2c302a4ac5e07fa22ac7f8257ad438e79d77081becc3194f159b420e3bc9a51cfc669f017c2d

Download Submit
C:\Config.Msi\e5bb13c.rbs

Filesize
30KB

MD5
4ceb19d76fafa3267a223a9b1e1fe88d

SHA1
1d90a38d876cd5b53ec60c4f0032c19bcc4a7024

SHA256
d0112971d02183dccc42b18818686c9ad35d2c7e7fc7e92c0bca2e2484939f4a

SHA512
f1e1f1045e515d0a509278cbfb89767b0e96fda2fb1fe4dc5dd06b18eb55962b19a0baab81c01ff1980a9f463fc8c40ea18fd1e15f95bfa20950dfbe978e71d6

Download Submit
C:\Config.Msi\e5bb140.rbs

Filesize
4KB

MD5
6bf7318deaaac7f82e021fa661aff1c6

SHA1
b85d153c4941a5bff65b4fdffeaae236ebba3af3

SHA256
2c5c2372afce06d5e93e3aa6ca12cb42a67de1c1c9acd6954fffed766272b59b

SHA512
c935eff272a55338abc6026b044050aa666a224a4e17344901e2ee2354bcb0b8d294cb2d86f6c5fd8a9b58f9f242680d938eb04d64c35e380f4068ec9ebd2ffd

Download Submit
C:\Config.Msi\e5bb144.rbs

Filesize
31KB

MD5
6a8840af5f2fddad710c727a301ca8a0

SHA1
9b567d332c3c4755800dba562fe1803be55f2bc1

SHA256
fc8a08ebd204c1b629f3b817fa4f2fd7d769c776116146cb619d87c33b8b1b85

SHA512
65c06df3b96c7cfeac62b46f53384a1d2df5aaead918b811479482155a199cd105e0c59f6e181ed11e1f59557136e4c169b581fc635c91deaeff71700cba7156

Download Submit
C:\Config.Msi\e5bb148.rbs

Filesize
17KB

MD5
e6cccbc747f3b909cf64a619e3357633

SHA1
d5ed5801dc8f69fe8aea3adad7a9b4e03cd5fbdc

SHA256
d84397950992c27634ef58a8a9d14a13720d675a4a29aee7b838cee28f7f2bdc

SHA512
c97cb35d7b23b880093bd99ee7a53ec51b52150b0dea4304aae67b418b27fa6bf7b459896925a0873b02bfa4db6c7b67f10b689e45a5bf14949422c7ff8eb430

Download Submit
C:\Config.Msi\e5bb151.rbs

Filesize
13KB

MD5
fd86c8ec6492734aac47c48b486d9307

SHA1
e690407b66c46b5ef0b48723d14b5775085f3739

SHA256
d91d280304f79909552ba62e37c9cd4375eac3999cf85755f56d7e9d0e46ef60

SHA512
46cd1b8d45289f04d63adf802fe885d303e7f9c8e6284061a0ca32348bf594cad7cfe0e90b467614b716aa38999e09f6237fb07c6473d39ba26eda80566ea672

Download Submit
C:\Config.Msi\e5bb152.rbf

Filesize
444KB

MD5
a883c95684eff25e71c3b644912c73a5

SHA1
3f541023690680d002a22f64153ea4e000e5561b

SHA256
d672fb07a05fb53cc821da0fde823fdfd46071854fe8c6c5ea83d7450b978ecb

SHA512
5a47c138d50690828303b1a01b28e6ef67cfe48215d16ed8a70f2bc8dbb4a73a42c37d02ccae416dc5bd12b7ed14ff692369bc294259b46dbf02dc1073f0cb52

Download Submit
C:\Config.Msi\e5bb153.rbf

Filesize
948KB

MD5
2fb20c782c237f8b23df112326048479

SHA1
b2d5a8b5c0fd735038267914b5080aab57b78243

SHA256
e0305aa54823e6f39d847f8b651b7bd08c085f1dbbcb5c3c1ce1942c0fa1e9fa

SHA512
4c1a67da2a56bc910436f9e339203d939f0bf854b589e26d3f4086277f2bec3dfce8b1f60193418c2544ef0c55713c90f6997df2bfb43f1429f3d00ba46b39b0

Download Submit
C:\Config.Msi\e5bb154.rbf

Filesize
331KB

MD5
69004e08c1eb19fcf709908103c002fd

SHA1
d59459f9a18b2e9a06e5af2b88f4fecb0ce690d5

SHA256
c1b61dd24dc2dd5efd5cd548c0cd74fac112358e9e580df4d780d2c125474dad

SHA512
3fc67a5fccb252a67285e19d62057fb4e3c63e702f4be91e552f93d9827cc746b8fb43b4a3b24b7fd5c48832d18a1dae26c1bd237f40b7b88618d402fdac1a76

Download Submit
C:\Config.Msi\e5bb155.rbf

Filesize
242KB

MD5
c7739dd4212d084d299df68f0a0debc3

SHA1
cba81d847d91bfea5c03279c0ca03fb1aacd4ae9

SHA256
1d67a8464991a03fc190d87b43591764f231d7a7a71a72ffc51d982b26691153

SHA512
5b8e98e6764460f9afbfa6dd34c12ad59284003eea99997c9e1db9b4a85ba30ac8b6a699b2888388dc424c547918137d42984bf040ac3d292e612bc433368fb3

Download Submit
C:\Config.Msi\e5bb156.rbf

Filesize
117KB

MD5
90419039c035404fb1dc38c3fb406f65

SHA1
67884b612d143aa08a307110cee7069bddb989a0

SHA256
62287589fc0b577398005f7ac07256d9fe671cdd3e5369faf74b9f64cb572317

SHA512
e632c78c941861e61fbec68e333e6549cd4bec683593db92c2522e162176bd64160dba37d4226c1599cfe1d77b36d5d4c452dd2f453c291a15310dfb607f3414

Download Submit
C:\Config.Msi\e5bb157.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\e5bb15b.rbs

Filesize
18KB

MD5
7bd960acfcce67b339f3e22a3ca9814d

SHA1
456bd683bfb84cc07b481b8bf0bb8dee506b677f

SHA256
476606a38b8f1e792ad0cb5b796ee7449bec2aa2cc15265d0aefb81f97d809c6

SHA512
b588ffd6056507bc4a6a0d8c537a9612ef0b0b62fc255189f7c800d364ba684ce26156a5eda16279df053d3ff48af42cdfc9681ac7adf4d6fd6b87e7e404c5e1

Download Submit
C:\Config.Msi\e5bb164.rbs

Filesize
14KB

MD5
a28740541d5fb1f282ac887842cc7724

SHA1
c054d86bb9c423aaff67958edda6571add18733b

SHA256
91363a0906d5a6dfdd27cc6dbe3d48ce7a27c2bda342f40b07ca667428041f9f

SHA512
68e7070bae1370d60363c7de0d31c8d669c717e7561d79724385fc6e4cd1e47ef6d297f67e4b29356166af4e04c7dea33878e89058eea5397cea55e8e52e6d97

Download Submit
C:\Config.Msi\e5bb165.rbf

Filesize
644KB

MD5
edef53778eaafe476ee523be5c2ab67f

SHA1
58c416508913045f99cdf559f31e71f88626f6de

SHA256
92faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f

SHA512
7fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8

Download Submit
C:\Config.Msi\e5bb166.rbf

Filesize
940KB

MD5
aeb29ccc27e16c4fd223a00189b44524

SHA1
45a6671c64f353c79c0060bdafea0ceb5ad889be

SHA256
d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa

SHA512
2ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006

Download Submit
C:\Config.Msi\e5bb167.rbf

Filesize
470KB

MD5
f0ec8a3ddf8e0534983a05a52bce8924

SHA1
5f6d0265273f00ffe8e30cf507f0d05d330ff296

SHA256
88a5ed51a7be4ff7ebded0c107fafda6ace3801877216c0bb6cbb458ae054a7b

SHA512
d7b084d7f20de29ff16341df2756861bb7ac22eab0711869b3e77a84d841fb76a898d7459ca1be62eed522caa1f022c891a7d30c94bf0fff1bb4d016be8aa9bb

Download Submit
C:\Config.Msi\e5bb168.rbf

Filesize
348KB

MD5
ea1e99dec990691d41f938085f68bcc7

SHA1
5fdcbcd777e10e765d593994dc66f930c1377b0e

SHA256
1b296bd172332d3b2253bdcb6ecac46afef883f75c13c361632ff40fec743fcc

SHA512
e90a40bd8e20bbca3c6188a78ad75578e51d88aa638e0bbfed4f6f6efdd0917e92b08ef4b0ccc2dee08774f08658b189e25234270e8ce1ca60a7e0ec8e3fbcf8

Download Submit
C:\Config.Msi\e5bb169.rbf

Filesize
134KB

MD5
d7dbc7c92177837431ae2fd7fb569e2c

SHA1
c26140204a6db421842ad36599326a5369fd1b5d

SHA256
22d14e004ba4b78a9143257399dc40ef4d0e8f2cdb9127e1ba2638f54cce5c70

SHA512
4f2b197ea912b5ea1a82ac84e1c15ca8e3787460cd79a32733ea920dcf3b1db5cf0507ad7c94f4e4ccab9dfc6773a9d05a8eeaa7bd7c61b63d780b69ed7ae0d8

Download Submit
C:\Config.Msi\e5bb16e.rbs

Filesize
27KB

MD5
aa7c3fb60bc988474b8df0f85adb8059

SHA1
c9f9bb800de4c018f14e667c6b4e393c4e4ad31a

SHA256
098853ffaac718acbfc5c9e513873476d1a7332873d8cdde66bae0b212405c24

SHA512
9cf85d3be292a532e7f639d141ade2ff60fa33791580de501d088ea16aee7046d62ab2e7a336d729df49b19902b3f375213d36a655365c5a32ca454ffe41cc5b

Download Submit
C:\Config.Msi\e5bb185.rbs

Filesize
16KB

MD5
cec851c7806fee5e62dec3da5bd401e1

SHA1
9482acb94caa32d20ba5b028ebf718161c00dcd6

SHA256
b5338fcbe09cdcacafa66a58d3bdd2ffbb9e94bca79099928af9271e501ed5a5

SHA512
6b352fd11da48ff4fe5abfc3405a3019b515e492dd255bb0833a55316c1fe6718d65b136c74d2b9ac2bb82b16c2863627c528a3b7770e724a68d2274686f9974

Download Submit
C:\Config.Msi\e5bb18b.rbs

Filesize
18KB

MD5
dd2ef13110017b2828609511b83eb73a

SHA1
3e8e2a667f643f0d65af312e28193f216846e606

SHA256
7149fce195e1fc65d88881b4c20dee9add8ae8c46f5ac69a31184f4938831c5f

SHA512
a65c00365b14efc686cbfcbb2952d91c86a8acffe245e0fb80cd15978c9d62cdead086dbdaeb8e396001240b19c8f3a7614aad045d5bd71b5b8e4715eb0a4434

Download Submit
C:\Config.Msi\e5bb19c.rbs

Filesize
19KB

MD5
f593acfbe0f0b33faf3ea9d73b015e6c

SHA1
ee6f5d24109b9c3fe7b23585a290b7892f17f64a

SHA256
d31457385fae9a32bf40773412969f6ecf1ab0ef547f7db875c97a81d4df22c4

SHA512
5dbd30f721552cfecefbccbcc290a42411a710acabe8e984da5609f559388ce87a813f24fe34dd821c841c73dcace70de2cc2ff823872af2dfe1d4d7d4a65667

Download Submit
C:\Config.Msi\e5bb1a8.rbs

Filesize
19KB

MD5
06edb1625921baa7c74a69e8ee3e9d33

SHA1
1c6929d50949ebac4ca3337cac18f707dee66f6f

SHA256
bcf315500303dc00d9ab750578e7f474ef380a3f40aab481284850c2837d9f09

SHA512
5e24673e277ad44426a300dad6efa97a831e51d456ce55744e33ffc92b3926115f87d9006985a6dba5ae07c875360ad02689ba0eca1961b1bf985f05eebd56fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
247KB

MD5
cc064d4b81619991de8131a86ad77681

SHA1
88d80d86cc20c27d7d2a872af719300bd2bb73f9

SHA256
913ee5a1cae3e5a1872b3a5efaaa00c58e4beb692492b138f76967da671b0477

SHA512
5aff0eb26cfc187bf58721b2b6d73357d9f1e66d1ac5340ad9ddc08b40ad0eda27a144cb3b650604637a7476c282ded83ed890de98a73ccaf0cc021da3a9eb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
312KB

MD5
77a9bff5af149160775741e204734d47

SHA1
7b5126af69b5a79593f39db94180f1ff11b0e39d

SHA256
20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038

SHA512
bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
2.6MB

MD5
b20bbeb818222b657df49a9cfe4fed79

SHA1
3f6508e880b86502773a3275bc9527f046d45502

SHA256
91bdd063f6c53126737791c9eccf0b2f4cf44927831527245bc89a0be06c0cb4

SHA512
f534bc7bf1597e728940e6c3b77f864adfaa413bb1e080458326b692b0f96bddf4fbd294eeed36d7764a3578e6c8e919488bbf63b8fe2d4355ab3efd685424a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
3.0MB

MD5
6dbdf338a0a25cdb236d43ea3ca2395e

SHA1
685b6ea61e574e628392eaac8b10aff4309f1081

SHA256
200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb

SHA512
6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_20241201_181818499.html

Filesize
17KB

MD5
d3ef9fe6bc8e40f9c52c4fa9dcdf6989

SHA1
c63e470e7c7b4e7a8bcf82ca8292650b763dddd9

SHA256
e0166d219c153de8aa627ee11bb6ba775ca8276915ffcdd67baf0ed1a37a3bec

SHA512
b1f3b6d91c01b396f8a16b59f2f13f57e1fb2c0afe145495098e996437201baa5e950f2d17ef06b6caf279993ef15cf2242c517e3d5f06c82bd3ab3b590f6d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWL48C.tmp

Filesize
326B

MD5
0e93aad8d3bc7a933c7455aabd8946dc

SHA1
b0d30b9848326e50cc8333b56717929b3dabd794

SHA256
6aca697b575cf202b841a5e4fce264b90c86722bb3121272863313edec6ecb3b

SHA512
d9d313e286af0f337096db54a747abaad98e4395143086271bd6914ced1a9c94aa633ff325017bb350b0d272f58cffc3ca5672316cf318016bd1454e8141482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWLCE8.tmp

Filesize
252B

MD5
24abc8953c5f10f73e1e8173e6c06b47

SHA1
e999f1f70ed0fb79383b051bedba642a57cdc1ff

SHA256
d2e11ef9584305441050382dfe5e2a77043d7888ae1a0017380c1c28d2b5f26e

SHA512
bf61d23b2af4142828cbd97cff968be3d07f10f63713d4f4ea3a2f5c4417b96c53e0a29ff2150672b06bf0b10a32a6962e71ac6b0cdfff29c466b4ea1c3b29aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\wixstdba.dll

Filesize
117KB

MD5
a52e5220efb60813b31a82d101a97dcb

SHA1
56e16e4df0944cb07e73a01301886644f062d79b

SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}\.ba1\thm.wxl

Filesize
2KB

MD5
fbfcbc4dacc566a3c426f43ce10907b6

SHA1
63c45f9a771161740e100faf710f30eed017d723

SHA256
70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce

SHA512
063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}\.ba1\thm.xml

Filesize
5KB

MD5
0056f10a42638ea8b4befc614741ddd6

SHA1
61d488cfbea063e028a947cb1610ee372d873c9f

SHA256
6b1ba0dea830e556a58c883290faa5d49c064e546cbfcd0451596a10cc693f87

SHA512
5764ec92f65acc4ebe4de1e2b58b8817e81e0a6bc2f6e451317347e28d66e1e6a3773d7f18be067bbb2cb52ef1fa267754ad2bf2529286cf53730a03409d398e

Download Submit
C:\Windows\Installer\MSIB67B.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\e5bb14e.msi

Filesize
140KB

MD5
89d36fccb34b319b60d1850863e0560b

SHA1
f356410e3946063b85750f54998582510b9672c8

SHA256
60714fcdac0a7cbfc45e6ed9bc6d4b7f8536947f630016e5faca5cce1745adcf

SHA512
24e167d0305811409e433c8d78716e9b3af4bce4b3f372276f4730ae7c802b8be8f193a70ac0d44ad6e083a35f03fcfdb2faaae4a9975c9e2ef1254285b0309f

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml

Filesize
12KB

MD5
296b359c3619f6f180a8ef989aea3b21

SHA1
35c67178b7cc3bf3c2e59bfefe5e4f2ae5af94de

SHA256
7f56c3cc359aa2e0a23fe8bd849a5b5daec3917d62ecd883ea0bc7f741807cf7

SHA512
440899a43ac980ea212bbbb2b1b4ee9c1111619e7143dd9742dbf4d366b3c2ad4a24ea4dc5a0f1ba81f6ada645d6e1b28d789ec0a17565f772645e14c9957c36

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml

Filesize
32KB

MD5
59b37f5621fee0a6921a072a7907fb80

SHA1
46a87791d63bc683631c5939d01c16d6c01617ce

SHA256
ff55642502218ef2577dd4882bf85893e617ce2c8778375da403a7384ac29732

SHA512
c80546f63b55ee56dd62813752dd3c7807a4e2980f6a5746d58ff30e671e4f906eeee7689cdd11b67869393ae12e1b055935c5cfc86387c3a6bf627148ed2e44

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml

Filesize
416B

MD5
1284256a218ce90dfc01e4c8b8c80144

SHA1
c2fd19e83bf04de35ebf2d94f22682f52631e482

SHA256
1ae7609bea7ad9dbb3dafb75c02b6db17d292b328a31efde93c5982b1b31c4dd

SHA512
2752918105d2636acbace3902e1a3faf1ba4083210cf31325b275965722fbd97c750feb15c9ab48c30a8151570b584eada538f69ed86580e7984a5416dfb01b0

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml

Filesize
19KB

MD5
e5caf8c8b79799a1c0b000e6a5203723

SHA1
e805dbd8cdf629d1485281affe3bbbf6ecf140e3

SHA256
8a534ebd54a7e193df2e605c493ebdd902652e489f08ed7fdf1e6b2b2590d9f8

SHA512
3f0eca05073782486d6467ff8a7f2f0dd3c3015f198dee205d007ffb7497bac08af883b55f81fb6750ab59f5be6571a0323c8f8be079e7a5dcaa7b7d430c3619

Download Submit
C:\Windows\Temp\{06570866-3D30-4117-9EA6-5C35E64A3767}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{06570866-3D30-4117-9EA6-5C35E64A3767}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
C:\Windows\Temp\{CACE24A0-1E16-4977-A4A7-4735AD451C38}\.be\VC_redist.x86.exe

Filesize
634KB

MD5
337b547d2771fdad56de13ac94e6b528

SHA1
3aeecc5933e7d8977e7a3623e8e44d4c3d0b4286

SHA256
81873c2f6c8bc4acaad66423a1b4d90e70214e59710ea7f11c8aeb069acd4cd0

SHA512
0d0102fafb7f471a6836708d81952f2c90c2b126ad1b575f2e2e996540c99f7275ebd1f570cafcc945d26700debb1e86b19b090ae5cdec2326dd0a6a918b7a36

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758780.0\ATL80.dll

Filesize
95KB

MD5
d5e459bed3db9cf7fc6cc1455f177d2d

SHA1
e2847abaf79ac97b5d530e0e1a2da74e7dc67bf5

SHA256
fcab2130fab57b6728c50d5b9e9924f001c43538de4f675de03537ff0d9b84bd

SHA512
f8a090bfe74b5fd112ded3f1269ada31f94aa00816cb345f96de68948e4759082d43185852b9e061a5ded4d8e3fa66d4bdf0f5c89cb3148918b0580aa644390d

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758780.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.cat

Filesize
7KB

MD5
ba3d94dfab205d6fc0fbbed6940842c0

SHA1
5d8bf309358910af9fa6e2954e9ff9e08742f35f

SHA256
d4106aa2a6eb6fb48440cd9728d01cd829d94a69da0a493ec2a4364f835f8695

SHA512
32840d8074732771cab7d4f49f8c4b19b9147f6fd9f889dbe8a8f1027aa5eaa47beacad82a020f6ecbf2323bd45976550afaab20aa2701fe9297bebb4be24390

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758780.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.manifest

Filesize
466B

MD5
8f90207a9e223214ec04ccf005f097f1

SHA1
daf891d9782593a0a05d5ff83e1f6dfab7a6ec3f

SHA256
d00269babdb5f3eb1cdd535260124b4b5fa599f2af8605ba468949d64f6eacbf

SHA512
ef4615354860e4ddfa2dd4aa3a2ebbf34568c416246bebb6b4c03509e17ced071aa725704b8d4edc18950c851879beb8ec1ad09843f3b4d18a5bc3152be5918d

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758811.0\msvcm80.dll

Filesize
468KB

MD5
1d109ed0d660654ea7ff1574558031c4

SHA1
04c690eb322e236a9bed2937a04430c6fda3b13d

SHA256
7dcb3c45938d31854e46b5e5b0e16d538e29230d1bc81086d40c8db3bdf510bc

SHA512
806cb75368b38ad6e7de3c41e600f537dadf11c2def3b5171818945f2ee5a495cb143198e4eb80d0df5f964d8bbae09630869a8a6cdacf67d2c3690df457275a

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758811.0\msvcr80.dll

Filesize
617KB

MD5
c9564cf4976e7e96b4052737aa2492b4

SHA1
43851fe4644c0a1eb31fe80f427777f1f0015efa

SHA256
c3ac989c8489a23bb96400b1856f5325ffc67e844f04651ea5d61bc20a991c6d

SHA512
8e9817ab398a86af6982d39fed018ff5282f60c5330dbef6417cfbe73731d8503c63da32107d948cc1eba14dd30aab614c7c858300e4f79ca418dc42d353f9c8

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758811.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.cat

Filesize
7KB

MD5
18e56040841c2096b1af7107943d15bf

SHA1
c0fdaf3e13ecd412c584fe574a8a18c16b45a1ea

SHA256
ef5447e606a2355c0bb9fd9a9af318b45359a7bf6ecebecdd09517e67239c599

SHA512
db587a4fb1acd0aa219b87046c7c4801ac9e1a1837e330261409580c310e940438e60fbd2311b2ce1438da48bff293bb8311c605bbc9078b975cfaca4e72ddc1

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758811.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.manifest

Filesize
1KB

MD5
188e68005ed62f32248032c65cb4de96

SHA1
52eb6b2490a1d60a0dbf9f92334937ba196bae44

SHA256
aa8e944adfeed4b29cc9262c63f43ed752f8ef44d52fd868e41bdf1ea974d1b0

SHA512
9ef823bf26a08b2d697f2d88abd92d7c54b25be8d65f6f3a832e9d53472d1252b62ef5e04bca0534fa6f8586633e9e73f91feca07d11728cf7b07e7434cf20d9

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758874.0\mfc80u.dll

Filesize
1.0MB

MD5
e2c48cd0132d4d1dc7d0df9a6bef686a

SHA1
a091b626be276c742e8d8f86988ed07f1e9083d4

SHA256
52d1a8aa992af2f727da4b16522d604648d700997b1620ccb67d05838c127674

SHA512
8cc0186b55168de98df803cbb999a5de22fa47b9276ec89a67cb932bba924def18d8241f194fa0f75d92a8d106b3b39de57722d36e3c7452b5c7384f26caaf11

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758874.0\mfcm80.dll

Filesize
68KB

MD5
83362ee950ad18adb85b54409155c378

SHA1
74d11bbf3da8aa217d1e83425a67621b126371c5

SHA256
be1faa17b466e56da8259cdc1f1b02ee0deb4c5e022e6eb3b82643ef508c8bea

SHA512
7b657edb50d8e4b634c0961040cc951cb0feaa5d1d22d8aadf0620e469d64e7c2bd623fc82ce2c8ca3daf438fba8ccedaca878e2c019c6d4fe993669e6764af2

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758874.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b.manifest

Filesize
2KB

MD5
f79c2e87aefedb361fe85b75d147d02f

SHA1
125dc6c2f4845375c2d4e25ed0ff609a0cbfd572

SHA256
e424ef35e909c5863c2668b34f316e9ba507a29c924dfd0970219b0f1898c619

SHA512
851bc6f4497bfa4b133fb1a7a3d0e806aeb8f4a5852439f632c128c9387ba4c769fa18dc2bf1bae6adab9e917e1bd9e42ba9aaca92e64f28a0fb82feceabb02a

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758983.0\mfc80CHS.dll

Filesize
40KB

MD5
4a3acbde55eb9bb30895b06f21650614

SHA1
2b763bd66e3a3de4eb331155445e08798f120087

SHA256
83b6804e66e0be5dae2e948988fb269777ec91234f5a508c3fe830d79e6876fb

SHA512
9c50ad27160037f98c0b68a6d037431614632d631048570c8c8ae9679b1494bb35db5564d03868da0d78225b320d7740117e97f4f3aba7bc69386b9ac993734d

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758983.0\mfc80CHT.dll

Filesize
44KB

MD5
dc4091ea96ce9e94f291aa7fff7f2db6

SHA1
a5924abcfe23187d5316f995fe7b618b1eaed3f4

SHA256
6a4a6b2293e306040609f42b07afd251c80e8c33800cc4c9a04b51630226d8f0

SHA512
0c5aecd8c0070c8b298bf3a4a6c3cc11cb73cc7d84fca868be5ecbcbc6d8bff6c56028e2ba534b5f61432761ee368885d7d2a0e99be85e39ea60ffdbbc1b6869

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758983.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.cat

Filesize
7KB

MD5
d14805929182d6dbe0026c166f5ac457

SHA1
50753b5772f25269940f5f7dcaa9cc68c35d2b55

SHA256
ec631dae1d6f771523bf6af2e0751649563281982d902bb6bf59364209f16e64

SHA512
e037d42c4e1fc65b6cd1360292dfbf466f22eb71d50bb1fde33fadc20bc21a4ed29ec59395d3bf6488ca93e114a62037c4960b4cc68e9b73f686231ad16e1d76

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181758983.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.manifest

Filesize
1KB

MD5
a96c1a792597529a4252a12fce28d71c

SHA1
b2e2e51a6fcfa607b13764e88d1db1beb9e5062f

SHA256
7fdc0b814cae706a97f75df902e07d5e95a2da216dad20d3cb5a2be8d248468e

SHA512
dceffc6842b50e8eb0762a386a0ef6540d5bc568b8d209a23bb97bffce763cb436ea05692a4f53e6cd61f4624cdf9481012e52f99297457e64bea81b98873a72

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759061.0\vcomp.dll

Filesize
64KB

MD5
73dbaa64d589f3262615550dd6881fee

SHA1
bd0f7710e18e27a61d6b98a476e2048813f9e63b

SHA256
24025f2734201fe69a679194c6611a1603c4e7592809b6a185334e7d8bcc038a

SHA512
aa4b2aa582a5cfdb2d19dd5db777d70656b577e72abb198ceba03603b37b2d1204e4bf5a29cf039ff9f6f191da80e08e9f75d0ae1047f40edb1a15b5a5b72cff

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759061.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.cat

Filesize
7KB

MD5
a518b9698bff3816caf1e2d7412a629c

SHA1
6d6b9c1b4923136be88789bd02b3d2935b59bbdd

SHA256
d802b081436da1cc95f13b9d5567a6233bb5f82fae9297e23e967d449e70260d

SHA512
4356e355267ec7c42a354e17d6e298c883fb8adacde94ee2188ea1f62e67c2b75e6430f7203caaf097ccb42a7e4847c00ccc0a95b2de0cff457235125d5a88c9

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759061.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.manifest

Filesize
469B

MD5
984eabf1f9878aaaca749d547d700ad9

SHA1
1de0c54f06e9ed3f0dc7cee2bcd2c4a9ddba109e

SHA256
f3f918af785d0c497c93ca1959541bfd65040bb4c8934d419a689e331b94a0c7

SHA512
447df7555ded851e946ab0bfac3d86f3c666bae4ee8f6ee1686b610f3ccf34ed6b1b4ef25ff8930b70b5a1ccff9d35b5e92454f65c8a37a2078eae5925195a6e

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759077.0\8.0.50727.6195.cat

Filesize
7KB

MD5
2ec75e994bc827ba135ba24aacdc8351

SHA1
6fd68c5f7554a8af565ae70e7f2aa7974ec0ebee

SHA256
dedb067d2d11f8f1007365f028cfaf2a0b2c3f61c8d6c9c51810c4ec6c11f511

SHA512
58eea8bbdae1e3aaeebdbec8249494f052a0429fdd55315dca5d56dad2ba7096d07ddf30fc2bbd572af6c1e23f045cb03fd4d2f8aea7f5215d410e19dfaf620c

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759077.0\8.0.50727.6195.policy

Filesize
804B

MD5
c42fb80cf323059a678a0699819bfcd7

SHA1
ae3a29d768e42d9fe560883959257a5db6c32645

SHA256
33550e0ab4cf946411e934a46d922bb996dda93668554d4de024c98c14f15b70

SHA512
6a396fc24d5e0bcaee09673e0d86e99d066d32e66c6bd1dd8bcbd32f66233fcabf007cfec2aef39d8aeaf070eda1f88acb78c29bafaeef788a104ba6d0cd3239

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759092.0\8.0.50727.6195.cat

Filesize
7KB

MD5
a0b91c5271c038ee9cc9c7d5437cde91

SHA1
d986dc5a1d979f453aea7241ac94aa6866fdc668

SHA256
04349a39eef3bd9d4b1de9b5bda2bd6fc4f517ccb57c0ceaeb7291d5b68a401e

SHA512
179f532dada3f7bf89498678b7cc30ea766ea8109fca9a015856ffad5774c2a01ecd9e55c7ded27de85f85af017f4336893a3bd4a9cd6b43713755e76e1bc228

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759092.0\8.0.50727.6195.policy

Filesize
804B

MD5
506d067f2c986c31d26ca54a106dc0f1

SHA1
0683162b9f08c75a9aee8ab4626ba11a74c48ef5

SHA256
e446fc3432a5d83eb96142ce40f4cc8ed417872539893ace445f7236ff4dd187

SHA512
79f87d44ea7c3de16ba0d395bc07e4f870ed03c6fe87f75651f7a3d823470fa44f8b500a4487b2bd283f67b7ed91c2e082e26785ccb174f420f61429eb1ec860

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759092.1\8.0.50727.6195.cat

Filesize
7KB

MD5
7d6e726f120320f4821ebdbdbd3c85ed

SHA1
cd9bc7f950da33bafe152c2122c797854cfd75d8

SHA256
bf39559e406fa59f9e7b0ba2902cd016800e24198d53d97943c97f1b5716b8ba

SHA512
bcc321efd17b3151901d438f6c8ed3dc745f846dce9c2058374a380285c70e93f70e8133c1a3a57614b96afa8bb7469f8fe1651288808b2162c20b2fa9e8ab3f

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759092.1\8.0.50727.6195.policy

Filesize
804B

MD5
a5e87aac0f9748c664c5538ade2c40d5

SHA1
b232e6a8ee62f94ca7f92c0dae4297f7db877b0f

SHA256
957fca4d0bfbca1660436f7812d6f6e803b237e9dce651f1f6bb856fa3077a71

SHA512
856d9fd9a8db20f3f0668e3d51090c5e61d1f6333e6cb2a4a3148c424c7342ebf1dbf6df78fc640d0039e89afcbc562421cac674e20e45d62ebc66fca549d1dd

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759092.2\8.0.50727.6195.cat

Filesize
7KB

MD5
43a69419b31545cdd4a3505f3b3b192c

SHA1
70c124d5ac7bd4e12d4b5d1cb002da6b5bdd5eec

SHA256
754510064b4349644326f5c9633aaa980db143c46bbdd44e9d64a7ba3c524882

SHA512
b31c9bd8d4f0df1f3947d8f33a36cbeb7e50147966fac776ee11934104016e93aa1fb06f1e42106e28be3ce38433b74e8d88f0c04ee1127c5d1b16f9084ec2d9

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759092.2\8.0.50727.6195.policy

Filesize
810B

MD5
1c27a7f7d8ec9d6787dd79ddb1f7ad96

SHA1
e15e0910658808476ffb3fd73b17c18cb9cf6bad

SHA256
7a27ac14852d08d8df398b4edd656ff260492d5e113c1bfae9de119a5ae7b374

SHA512
3112b2c7350aac8b7ea0efaef4b68be737e0bdc81d485783e12118751f70c1a2dc11392f28b86371be73fff2a9e36a5bbd0211c2928dfc022b1370ecb8528d93

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759108.0\8.0.50727.6195.cat

Filesize
7KB

MD5
25147ad0e140e1a5d1571959fd18e337

SHA1
9f3714c6a901034897e4f0a633de2e4c1a0b9ad8

SHA256
bd3a30be9bfcfbe814a1d495b2692faf9a3a98560d1431cbe60a64af3b69326f

SHA512
736250d3b1abd9c3f459d18d442676bd477167ac7df25e734a74cd327fbfcecbcee664ee9fbba983b2861356fcfdb13aca2a64dc66eb9e9cc4468767b178df73

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181759108.0\8.0.50727.6195.policy

Filesize
810B

MD5
6daea6599188c59d5dcab27d6959b31d

SHA1
112689776ac072aac8ca474adc40a148d928d772

SHA256
04b850adae1d1e58e980e4faee571f5d76155206d6abf542937a7eefe1d42e05

SHA512
e7b07b5b13f0c62180d8fefa99d3952b2f07017434d8ca21034c055384c103f2b21adf698ebc50d4fae664eab216baffc59c478a7f2f99fae7c99e859dc9437a

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810280.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest

Filesize
1KB

MD5
5007d16dc76d9690bd9f440ed4e0d8e9

SHA1
581a5d414bb73b185e739bf0e289185cd8924698

SHA256
166a9aab866eff598cc4f351741255bb7d9995c5dc2328b818bcedb03eab9b4e

SHA512
d4a4ab4b9214f03b25c1494591a94039897080683c90bf55ed2e62d759e12bb7206b32cbd75abc7c21a84b6630b3417cee9fbb78d03c7cedc7e403efdd65f06b

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810280.0\msvcm80.dll

Filesize
503KB

MD5
a7e03e5e0c27ddd4cfe8f243fbe853f8

SHA1
49195761495f675808a26092975d89e59e0dea8e

SHA256
835195907e9f3731a07e590e4bf15a3ebce17f53d3bb6cd6ef7cfb26fbde1f55

SHA512
369708e3625d9a9619524b270e96498d434b3eb5ad5a4694ad1807def4524a22c8ae3bd1bb215343660267ee9db72d156503434a59aec6a0ffc8401c2a57a8ae

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810280.0\msvcp80.dll

Filesize
1.0MB

MD5
a8704a10ffde468f4ab18ebf82a9a86f

SHA1
33823c9ab1233de5c65d8af76ff7ba459903ad10

SHA256
40f6502679cee0b657b0005278fbe7213bdda6deaacf868058e17737c182e1b4

SHA512
5cb273ddcbba599293a9f1c2340f92333f5a09d2faddf23b7fdb8294f51ff9702eac19f3d58687a29cd21177da795f492e49064d6fbd9afff30d461a9d449100

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810280.0\msvcr80.dll

Filesize
783KB

MD5
ec6ba7c92fa5b2aa4afdf4df22aedab7

SHA1
12f75b92e743b8333c50afac1b2a3875cfaa222d

SHA256
690f12c490bee2bf17ab7b6804e6e9b96f51c304350ccde80fe5c7eefa89720e

SHA512
9cefd9e0410d5c694d7801bed8eb5266c7a57b10bccccce2c1b3e79ddfaf234e2f01ef7d5f6f1d468920fbe94b2e3e527c9ce871df83a04223d87a3967d79897

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810358.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.cat

Filesize
7KB

MD5
e84be5c560256089ac85baae7c8e8e25

SHA1
dcd932fa7e1e714b653ccf9199595d16d9534698

SHA256
42094bd6ffb22c1b7ba25167ce361b0ef8de5b55799879a43d35182ef6d15b89

SHA512
d5e8074de8d13328d0005325b19309461aec6524ba7356208f7984f95a3d48f1d8c6f7fc422ed3b22b1fb76f16e36351de1b64da5038f066ca7738cf27e26bb1

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810358.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest

Filesize
2KB

MD5
53d0eb4787ab5147880d4247e866d3be

SHA1
5f56c8892c59d2754d43fe31d1afb8dd80c6a0df

SHA256
864b736f4a81101d4d11ba0785c0d71c1b8ac2bcfe07114f0d55790762985a1c

SHA512
5061910b335e2fae0465fc21154fcc40fbf769fe4d3e206412f840a21bbf25b55b0ed35537cabb83b40ca7e7c7553fc21438e1f51e436b1041f52dd312836581

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810358.0\mfc80.dll

Filesize
1.6MB

MD5
6061114558d3d1cbe66f2ef2af148966

SHA1
868fdf79f649858ba46c46e66176c93f6743e1cd

SHA256
22b9a40cce2c79d2dfa42b653ce02b7b2d78faf15a0762a00b6b7d8bb6d4cf51

SHA512
e711713ddec4d28c42c28625f13e7fefaf092704299ba31e17dc25c4ddcdb1e4ddd0ea39b9a2470f21620a2b02177ed07300d29282e9968533b8ec08a8fdb88f

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810358.0\mfc80u.dll

Filesize
1.6MB

MD5
b1fdcfff7609e121c10751a669ab1611

SHA1
9c4700012ef000fd8d9ceff0fa2914cd2efe1c27

SHA256
1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1

SHA512
60fafda20ca7ec6e3da418181f11491e258ad37ba0b14ca6d7da498a8a9ddf5a0414f4a918f58bf8dce33c723ffa24d1c8506b3794ef4f57d02d83ce6245295b

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810358.0\mfcm80.dll

Filesize
63KB

MD5
7e39d0459ae7196c1645294bbfe9b1eb

SHA1
1bf2c8916af19dc4d42343cfa3d611d1cc296559

SHA256
c15707cd0df5c35a4a1a7e74330df4ce27668c6d95d35cc72664efcb08d5dde0

SHA512
10db4adb8e09c450f06791bca0794dd9af3918cd34a950af4f5489fb5ce03a9ba240f48437666e2fb581ba6642f5b7a226682d2e32582ff4864ba4e82c10843c

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181810436.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest

Filesize
1KB

MD5
0a30e4abb49c877d643d8cff8e4c7977

SHA1
9dae7ef5e2903d846678b933c0be78f850c7d1b6

SHA256
ae42f6cb2fc2cf833a3fb68c0a0dd37b5aa5f53c4ff28dec310fe7f246368e06

SHA512
8db807a3af88624a91368cf23d32b5af024ab3d5ff7d55ad29d4229c515e842db238c02315492d9510d0bfe7adce1ebdcea04ae6b7f1726e17f52ed96b9fc4b7

Download Submit
C:\Windows\WinSxS\Temp\InFlight\06bc0b611d44db017c0000005c11980c\631d0e611d44db01820000005c11980c_catalog

Filesize
7KB

MD5
b354cde1be33de4638c2ed962a4a2a08

SHA1
fd27c720683cdff3d03d51f889c372d6ed775f1a

SHA256
6cdbda542c517fe0e758a06948bb2a67a382aa0fa7ba2eec59e7dcdc44028a9c

SHA512
a2b9e1b346d2af88ab26737e8c0a855e657579987483af0d903fb21c9d81d04303e15fb254d0c2b16bb73e553337a1a8415186aa2ea9b330c3d3d383aa971dfa

Download Submit
C:\Windows\WinSxS\Temp\InFlight\07edfe611d44db01b30000005c11980c\07edfe611d44db01b40000005c11980c_manifest

Filesize
808B

MD5
257bb6731b8e0fad3208385c03e3373a

SHA1
d55623ad3245b5e1cb8d2cf64b2e9d9eb9e7a1fb

SHA256
d554bc68b9cce5ed2c68b23bb7001aaea0040bad7391b6a555cc493a23360779

SHA512
f1ef1ed6385c371471307c01fb7d1f42b43a2064b1d3f7f857ce85f5dffe76b0bcea0f1484c476da219c658b61519792c4144437b691907e84bb272baf2a2ede

Download Submit
C:\Windows\WinSxS\Temp\InFlight\07edfe611d44db01b30000005c11980c\07edfe611d44db01b50000005c11980c_catalog

Filesize
7KB

MD5
3596efc007aba99f43932bad89de3b75

SHA1
86ce465282bccb4901b983fdc13197df78adc038

SHA256
63823f9854def18e6350783009baa784d3af2ee4513defacd2065b0f7be1651d

SHA512
14d1a20af9b48e72f2506b915dff3c9e63d861eb32923c6fb67d9fd49843df8dcb550c94d7f28d33fd93069685598fcb2fc76fe86b6c0b0509ad5390dd54ab5f

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\0d34d25b1d44db01290000005c11980c_mfc80esp.dll

Filesize
60KB

MD5
d07aac2bc04602d886c3a925eb209d15

SHA1
d7f2f3eb4d854e84481229a7cf5b7bbc27e1ae8c

SHA256
a28eecf6002085273575e887832b8b77fb5321a19412fb7eba580ebdaec1044f

SHA512
593b8a3810f81b8e705de1b7d07a9c3c602e53c9b8246d67e70e218b4bbd3f4e3e0c347893b4cf65490d8387310690b37fe643bfa935c50eda9bd0989b42ff4b

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\0d34d25b1d44db012a0000005c11980c_mfc80enu.dll

Filesize
56KB

MD5
28a09777d2d952122567a8a82f1a2c7b

SHA1
af2e9cd4a0321f310c87deaf9170dbc32c4b3f94

SHA256
772260df36ae85a0619c51402de416e0c329976b724c8e9c4f8c013cbb7c7289

SHA512
669df5234bb735649f839715c2dc3fb2206cd27ee639821c25730d3800abc9dbc9ee764d9f7a8cd639a23affaad09cc0f97000513ffddf95e3995f7a06f66681

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\0d34d25b1d44db012b0000005c11980c_mfc80deu.dll

Filesize
64KB

MD5
4e8b1e9567b3cd76ca628c9026ae1125

SHA1
c3dcf34c6ea0111034a4d903310ba5b3e7b181aa

SHA256
fd39ab4518de31a44563c68c2a84e3c94594c1d53edaa0a15f6148043e4300cb

SHA512
02215a72be80a6b428434ff86d04797fcb8c77cb4520a149c1123eb35d1e56a4633b53b01a6c78376d60fb92977a93fa6144275e0518f461c8f6dd71f98f82ff

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\0d34d25b1d44db012c0000005c11980c_mfc80fra.dll

Filesize
60KB

MD5
6a8e515791acb27f18d08a895974e953

SHA1
e4fe0c307beb45180b0327575eb3d824af20f5e0

SHA256
269229464378ef4de681739ae57e4e6f8c5d23f06ac701ddca0e3580b5d2fc72

SHA512
68b3defd72f014b3ed804ce0c2249f56d8a081e2def5e818142c386510ee85b0803b9b5ee72b11b4c8872e247e07dbdbaa5b229eadae69af06886dbb3ced09df

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\1597d45b1d44db012d0000005c11980c_mfc80ita.dll

Filesize
60KB

MD5
5225673e3f28a251cc8449efa7c82f03

SHA1
27f132e5490ae64921a601162e21eb613726bac2

SHA256
4e7467582d0d22366de5bcd73e8bfb15dcd28d7a6a8dcbda78e81fd175f6176f

SHA512
11ac795790b39eb5b831fda432b518b8a6609f7a52bfe28c5ba3bb7370f3d30f8aefb6872f5560403d75e39a23052534225e2136ec63528701d93a59f20c3536

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\1597d45b1d44db012e0000005c11980c_mfc80jpn.dll

Filesize
48KB

MD5
194d495897dd9d46a3c9befef6cf863d

SHA1
c7adb52b5f3d9033f1cf58c95c3c967c4d670b5b

SHA256
9dcb5eb5fbf87ab36bc26f2e5feb14f5911c08bb52487a135cc41b2160abd10d

SHA512
ca9c19bf4ed4b31e29fc763bc3af58d2fe723604b96ed57a2c922cd99aac5010d6d8ff6204de7dd1d52888710638d554ff4371864f0ba1c910ab72f1fc7cb431

Download Submit
C:\Windows\WinSxS\Temp\InFlight\0d34d25b1d44db01260000005c11980c\1597d45b1d44db012f0000005c11980c_mfc80kor.dll

Filesize
48KB

MD5
adc1e6a231011cb4a4322061f2b13800

SHA1
976889857a64171713029a86538b6a2aa5e6c449

SHA256
e0d59fe3c09dc18151486ccdbb64c8158d0d4911b59cc90e0760f0fe5b8b2631

SHA512
b218e913be1e0883050349556541d27431a05282872b99ea05098e3e8fae1ed185517a76998677715d43b343dbbe7a5e203fd68962df23d19481294e8e205518

Download Submit
C:\Windows\WinSxS\Temp\InFlight\165b71621d44db01d50000005c11980c\165b71621d44db01d60000005c11980c_manifest

Filesize
814B

MD5
5683a1f4c14f8300ec1b56ec0833ae6c

SHA1
08d201267e5bd758bf5097e408befafc65e17bb7

SHA256
3bdd54c0c1d1cdcbe3e76c5fce35c0a298f6f41ebcda77d59ca1d3f4f803f36a

SHA512
259329a258206f88d1ec2c6f4476ec9a9a190d6b4153639e6aa4a8875d320e8dadc449ab464835f627ae4112b64fd32510096e5500daa31ce51ddd8389bf62df

Download Submit
C:\Windows\WinSxS\Temp\InFlight\165b71621d44db01d50000005c11980c\165b71621d44db01d70000005c11980c_catalog

Filesize
7KB

MD5
951735a1486781bd7c99a0fcf9b797dd

SHA1
0da61c9e50cbaa015f5672c331b1907c58d3dcfe

SHA256
4f6feba9ef47626e8728278c7fcdff893b0135e29ed845800a2caae16364031a

SHA512
ee83bdc505a697df32eca9c8507b506d8918e99db2a1f9bb5d39b71c636be5a097f94bde69f6c68a8bdda732f019417ec698d8fd8e3ff060a8d3338999f2dee2

Download Submit
C:\Windows\WinSxS\Temp\InFlight\19372c621d44db01c10000005c11980c\19372c621d44db01c20000005c11980c_manifest

Filesize
808B

MD5
fdc6f08fc576e11f3641d072bdef897c

SHA1
4c6a512ce77643b9f808a50e196f2d937e89122c

SHA256
4f03e5f6486c8ff83e621c796ce7ae785b3ea8f0e963b28557494db329a35283

SHA512
e0e536d527a1f55befcf0a41bca68e002c880032308cca97d8db9d45b6b40db1a581ebd99a8e7f130cd539f7152b0b939b34d91e6af7b565ab90acc7a873e3e7

Download Submit
C:\Windows\WinSxS\Temp\InFlight\19372c621d44db01c10000005c11980c\19372c621d44db01c30000005c11980c_catalog

Filesize
7KB

MD5
3a3b80fe407a92934e4518ebade1979a

SHA1
1c437ad5ef8296d97b9e75a41f1198cdbcb1bf3d

SHA256
f379a62da7882cfaeecf349a3e71f7ce3a8fb9d10252ea6dfe82aade98d9c1c7

SHA512
83648c89eb8f610eecf571ccd4238a3c18f2a635c260976dd394675ea09681f6d84402e7509772f608d198a8bf0dc53f728ac3e773c04b528e5885ea1ad87b7d

Download Submit
C:\Windows\WinSxS\Temp\InFlight\30c5d8611d44db01a90000005c11980c\30c5d8611d44db01aa0000005c11980c_vcomp.dll

Filesize
85KB

MD5
7dded2186b66976f153c49639de0ef6f

SHA1
2d3d5db864166083b29283430b7870919b752f59

SHA256
58f1e11860669a6782812b29b806f6e22f6a730941f4b7077cdc1628315c0f97

SHA512
dc1ee298edef952354732cc5ce36e09f78c2f61f47a8f3e9a3dfef0eca7afb73c373480dbf26e593536493c42f0862651bcbf60bde4bd0067f63e22aebbd1afb

Download Submit
C:\Windows\WinSxS\Temp\InFlight\44e91d621d44db01bd0000005c11980c\44e91d621d44db01be0000005c11980c_manifest

Filesize
808B

MD5
88aa67e60918c52c58a09e8d7f2d0c6b

SHA1
f20952ab2d73d5d09da3252e7a9459cda57f29ec

SHA256
fd79e7b44d13c528a5e98347c5600d589f2051827fc9db84ced593b1d6c6031e

SHA512
6d7f662847ad59e4969fe29f26963c473b9519387c6eae6bab7c001ffff59bbaa79e9e9dfe68ed9904b46a5b0c07137655ab460c073500cfebd667631494632a

Download Submit
C:\Windows\WinSxS\Temp\InFlight\44e91d621d44db01bd0000005c11980c\44e91d621d44db01bf0000005c11980c_catalog

Filesize
7KB

MD5
c5d07781729503cf2a217088971ea6b2

SHA1
355d6447d464e1f9de91e51b2fbd549d7466392a

SHA256
62a38259b8e351c6fda81945bcee3d0c45977f638362284613f31463928ab981

SHA512
68d62701da08f7aae0907e5f44bfbbdfb01225efa4bb59d3480f846804f52bd6ffbeee47590685b7c76af264907f7b68c536908ea49b19b8dbe5a458ec4aaa88

Download Submit
C:\Windows\WinSxS\Temp\InFlight\6bfc4f621d44db01cb0000005c11980c\6bfc4f621d44db01cc0000005c11980c_manifest

Filesize
814B

MD5
893ad4ebca99cad3fc059c3c17263954

SHA1
f17ff3ba6d41949a8ba75884f04060909337ff6c

SHA256
521cc2fc97113a8da1c3b44e0eb470f16f441d45c0db95bc8d2290687540fa02

SHA512
f337369c0c9980fb3dd5afa5dcffd8df53b4ee6413dbccf988cfa111b04cd6625c718ddc6155d1d4870ad4e7ae1c1edc1cb651889ab8e39c10bceb80db482cbf

Download Submit
C:\Windows\WinSxS\Temp\InFlight\6bfc4f621d44db01cb0000005c11980c\6bfc4f621d44db01cd0000005c11980c_catalog

Filesize
7KB

MD5
43a8b1e76ea1caccc6057b08e724ba8b

SHA1
b55401836c3a3eab3ce29c53a648873906e0e356

SHA256
39979146256c348ebc7f52e18859f9517ef7bc8560dcaed95c1d8d2e4c8fc498

SHA512
09519d3914a1cd52602fec9b981a7fee14d4c03f49cbcbcf45d4bc4b3dc32712675eb5c6201233a6a60a9580feaf3f68d9db93dae9b711b89d3d65838fe4e28a

Download Submit
C:\Windows\WinSxS\Temp\InFlight\8bad8a5b1d44db01150000005c11980c\40108d5b1d44db011c0000005c11980c_catalog

Filesize
7KB

MD5
b0ee1be78206c74429a021688bb34c58

SHA1
f0951dbc13499134373a17aaa0a242759824edbc

SHA256
db8ee01212450d7d7a787865f7df29ec48f12ebb1264df17afa2c4cae12224ef

SHA512
4d82ed69f600bd33e1caf583996ebcab596f7791b3511b3ff29bc8418efc4ea59ce9762c240b4d590778bd9e29e16153abf16125b00cb8cf5ebec5721dfeabaa

Download Submit
C:\Windows\WinSxS\Temp\InFlight\8bad8a5b1d44db01170000005c11980c\40108d5b1d44db011a0000005c11980c_mfc80.dll

Filesize
1.1MB

MD5
1f5afd468eb5e09e9ed75a087529eab5

SHA1
b69201b0705139f025a583034436d761c1e62e09

SHA256
8204dbcc054c1e54b6065bacb78c55716681ad91759e25111b4e4797e51d0aa3

SHA512
3c21730b4dff6fa22ab273b2987d8cb5c9c01bca4657734e793bf37b5b94106cf1043d7ce6cdb51ec6f3d4e9d6799e0c844a07976da47882432cae18b3406d76

Download Submit
C:\Windows\WinSxS\Temp\InFlight\8bad8a5b1d44db01170000005c11980c\40108d5b1d44db011b0000005c11980c_mfcm80u.dll

Filesize
56KB

MD5
26aafee5c30020c99120ee113d751f7e

SHA1
828b8da62b265d99a2be741ed54d4ab7de61f833

SHA256
ab8bb84e0131a72114b3eb399f120b9cedd0250fb91a6cd528b4e3e98ef913cd

SHA512
b9fe5a19749147aa2406c0780360d871fa95ee06692354a8c6866959d888aa7c051c41b3f07162adbf95919308b4c83764a1a1323ee888bc34f99b190bd2999e

Download Submit
C:\Windows\WinSxS\Temp\InFlight\9d38565b1d44db010f0000005c11980c\829b585b1d44db01110000005c11980c_msvcp80.dll

Filesize
541KB

MD5
0b3595a4ff0b36d68e5fc67fd7d70fdc

SHA1
973614ac9622d5ea9cdd68febce3258d196408b6

SHA256
372af797353f9335915cd06d4076bab8410775dcaf2dac0593197d7c41bbffb2

SHA512
e191de0236e05e0bb198c51e2f630b56b833b868383e7ab0bbfd91010fa57a9402364e1082c0f267b1e24789f6d7e6d0253d2a932369f469588eec6ada3f48be

Download Submit
C:\Windows\WinSxS\Temp\InFlight\a363d6611d44db01a70000005c11980c\30c5d8611d44db01ab0000005c11980c_catalog

Filesize
7KB

MD5
bc6287a77e9c14e1115a72c36e1f1d5b

SHA1
bce07cf37261072dc97a455da0fa3aa1a7b59fc7

SHA256
4f62ea395689af18e20d302982f2750c091929a70879ab580fa8178f137d11df

SHA512
fb59e86261aaf15bbb85c8992f34746434d7614e0bd8111082e79f0846110cbaafd9c31a4f52c6b49cc6923264759104d175e00f2f5022023f926be7d8b8aa27

Download Submit
C:\Windows\WinSxS\Temp\InFlight\a363d6611d44db01a70000005c11980c\a363d6611d44db01a80000005c11980c_manifest

Filesize
471B

MD5
bdff146ddf80bbc613fdd3f8b768f516

SHA1
ba7844b8147691be6b1f76bab57277ada41411a3

SHA256
ecdee295b46b56cee4d5b4652afcb76ce8a89ba3c5608becc9cbee6d338d1eec

SHA512
9a54ea92e5bf7bbfc89c7a2023f792161716d77f55ab49cf201bf69b71642e568c34a9e89a0424433ad47056e4f79e4ead8cab2d72fca7358b903d7442f08d9d

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01930000005c11980c\2ddbad611d44db019f0000005c11980c_catalog

Filesize
7KB

MD5
2521f433a529b990c8aec52651ad4762

SHA1
62172e865072466962b1c8861985eab36afd4f27

SHA256
6a203ae94e79b521120dc6becc0a8685eafa0631fa3c4ff93aae85b475d966a0

SHA512
637372201255b49fcfcfaaaf57a2714935d86bb8cef615032e5e72284d78a734465abfcdbf4c6a62fda63a8b8ef0802324a853bf35574813e50a028f93c38ca4

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\2ddbad611d44db019d0000005c11980c_mfc80jpn.dll

Filesize
38KB

MD5
a15f889b929ee56cc0e89f739cdc2339

SHA1
3704e6eefe4082caf93dd6e5933cbc93dc3486d5

SHA256
4db5cdcccbc0afc58176599f921ec9c99589cb1ae46e3552d5181e0b303053e0

SHA512
049daabb1860259e8eff90a5619334ad6d342b94612391f3c29b9d95c40773674e86c9b6eef0c0b44b73a2fd88ff18514dfa54f994244a4c5b5e062e27c93668

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\2ddbad611d44db019e0000005c11980c_mfc80kor.dll

Filesize
37KB

MD5
46603020a4999ebbd829930b82f42068

SHA1
32a0385ba33b9add62b667fda4836f3e3522220d

SHA256
02c7b3f37b8bdbf7d193b7c78489a4787459eb19e06ff9ac342911971b863738

SHA512
4c8c7cc48e74ebf43fabbf832d7b9a99b1d2471f407cdbf7ec75b14d428926573d809b7b1967bc432171e4064b56130281013b3cbad4ae01a5b7ded3934487bd

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\6178ab611d44db01990000005c11980c_mfc80enu.dll

Filesize
46KB

MD5
442235ac4f20b195f932990cae47408e

SHA1
c8031df9365b2c888d8bc3eee92e432169562b72

SHA256
811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c

SHA512
5fca808a351cee28ccc5c7649f2d9f5c07e4129f24302fd3dcd8a921baf201a18d9ca7d76f10c148d6f17f40616bbee701d8d70a5e713052d85f5c4000c58136

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\6178ab611d44db019a0000005c11980c_mfc80deu.dll

Filesize
53KB

MD5
d0acc020301c86d91cf85c5e84e3f1a5

SHA1
35493af1649e3dc8ed5e192d8305837e98b126dc

SHA256
7d282751179fc9110aff8ffddb45bf716c7c09c8ea758a9017cf42d8906c9011

SHA512
359255c61f8accfed9ab34e69f4b77a4c5d41b0d3dd0e22bc1f9aa2e815e40132655138a52d116b01984d2c53e718b3ce7b3c0b2f2945591c7dfd9f4d35fc079

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\6178ab611d44db019b0000005c11980c_mfc80fra.dll

Filesize
51KB

MD5
7294a6b310e898247120f69774fac9a8

SHA1
6625d36c6bd20c67e3d6bf5cfcfc0cc6a4c49c13

SHA256
5906a72b441962750124d9647a8cb0f7c21456bb17bf3a109662d06818ed991b

SHA512
67ee24a0be544243471adf1989d2689c7cc1203dafe04feb936ed883a4d6c459d3ea4eef64a771613322f1d0e8fc54eee7044e552f0a234de7c5df1a394233ac

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\6178ab611d44db019c0000005c11980c_mfc80ita.dll

Filesize
51KB

MD5
fd3434c1cc2602b211acc6fa9e4eec22

SHA1
72657573856efd742fa1e49c9c90b62c1d2089a6

SHA256
7f0cc8119f2b9c4c11416ec2b41437f8a167cc7ba2694d1c17f6d57fb02d34db

SHA512
fc438023658c3bb644f2266e577af8be50b367b69b7980a953a458984587153fe41d4d90ba9bdbbc460f6c5d28240316ab842fa3f11e37fac5794f48c18720b5

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\ac15a9611d44db01960000005c11980c_mfc80chs.dll

Filesize
32KB

MD5
89ef0f5bf7453a64bf81778040321548

SHA1
1950b676284c79db99098f99e56be6ffb68ce74b

SHA256
cb9153f71fbaa44cb4b40f44e4b3ef57135cf80a4d30e754373c84aee932c933

SHA512
0055043a25f71ff0a20b3e3799e48a5d6fcd32d37da099745a3798b4791b318f7886b1f2ff62b8c32e13cfadc902bbe97c419034f3eec0d255b29be7ec96d9d0

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\ac15a9611d44db01970000005c11980c_mfc80cht.dll

Filesize
33KB

MD5
aced5a8f040f52b9ec676b8e1a8f3ffa

SHA1
95a0b1b3ab6e6645af10aa084f18a78bd18f13bf

SHA256
24f8092954769e087e45b5905d0dc6ea63802da89f0f9e6a57669071edfe6465

SHA512
a6cef4f4e1df279a81e2d8d7dc1a7e0d700df515e11b7f961453d30b7ba53eec052d90cc0914fd51a24435f0e7226d00f33529fa36c432fcc1127ab942fb2973

Download Submit
C:\Windows\WinSxS\Temp\InFlight\ac15a9611d44db01950000005c11980c\ac15a9611d44db01980000005c11980c_mfc80esp.dll

Filesize
50KB

MD5
d398ca3996602379bc0aca583ff63c0c

SHA1
f18477c60ce1a7da3fdbfb259ae443305d220409

SHA256
b95b98c5acaa8e0d2a3c779e01072c4bbe5551936b9ab484456335c4e58baa39

SHA512
bfe809fa500b66eaef03adc010e93f2292d499034290642ff7ba5670083de27a7cf1cb8bc9fde909a407df7184bab00dcfd82255d070b28aa7284838236a3ee1

Download Submit
C:\Windows\WinSxS\Temp\InFlight\bc1a4c611d44db01860000005c11980c\2da274611d44db018a0000005c11980c_mfcm80u.dll

Filesize
62KB

MD5
a3fed5334dbb597becd6c66ab5a8f688

SHA1
99eabfc0af71989c4fb21a6f777c804c3c9bd84a

SHA256
51df1ca5507ac1525baf2727abb6e2ee10f9354ca98089d75448dec86967087e

SHA512
0c5e4bc98f216b028d0e963a3cde3834ce57f73f76e70f6e4fe5d0c5fca8e619d0400de278eb8e3e8fd5a642e56caf1430a7365164f3cd5370c5376d1d1b9f48

Download Submit
C:\Windows\WinSxS\Temp\InFlight\e0a8d9601d44db01700000005c11980c\e0a8d9601d44db01710000005c11980c_manifest

Filesize
468B

MD5
a800edb21b7c61760f945a8a4342711e

SHA1
99c90d7ab5dd897f52ce0b75065cf57ef280614c

SHA256
2533db8081d4e5ad6a398b30f111a7b9a2ec4845e50a83b9ea1a59ee109e8720

SHA512
af6a0d26ac30b2c70ee18f516c34a12383e594636bd92b49da9bded43b2bd77ad2337de154c3ab6e02d7387a1dc58079436b295d75b07f84b7c03f53e2e23a42

Download Submit
C:\Windows\WinSxS\Temp\InFlight\e0a8d9601d44db01700000005c11980c\e0a8d9601d44db01740000005c11980c_catalog

Filesize
7KB

MD5
58246b81d7b5783485d651c893c6cbb7

SHA1
869ae6682001c94fb11886e77995ac295067439c

SHA256
8ff02f780acfee139426fe743f849038b8eeb9ce2b41325713d50dae1bfaeb14

SHA512
634c0ee577b044f8e3320af3a3f7ddd8bb3916411a39c0409b717f4d3ba39463bca9be46e2595b358209f8a1ba005b41b4e0d784127db343f1023c6e69fb5c6f

Download Submit
C:\Windows\WinSxS\Temp\InFlight\e0a8d9601d44db01720000005c11980c\e0a8d9601d44db01730000005c11980c_atl80.dll

Filesize
111KB

MD5
b95f748c4f100dd0f6e8115cc0968670

SHA1
1fdf6b3801d4ebe3d29bfb4a9dbf9d5a5779ce37

SHA256
9a306e9c79df259187839ec74b7a9f2fcebfa5ee54184bb46c48e605b4120c36

SHA512
e97660a01dfa02464ffc48ebec6b9f2fec0daf12ddf169c811859c9947c2f73b696ab5b80acfc5210ff9e35a4ba723d42f7d8f691c370e19db066c812e8926a6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.9MB

MD5
88a3fa118cab56608f9ed604fb080e57

SHA1
abc9d26f048459bcbcaefba064d1ab3d5700c3ac

SHA256
9dfec07e058d6cf85be7fb7f947fd9f465b3d1ff9c4382848d48b685d21acf39

SHA512
62fc11c2339a7d86ed4f77fbbe85ee961967e8b5b522ee0aace1c2a659b99e7199019495ac950eb19262966e2860b07a6be5f410949dcfe501d6ab5f35c047f4

Download Submit
\??\Volume{be936877-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{98df9743-e9b9-4b06-a074-d18affe0c72e}_OnDiskSnapshotProp

Filesize
6KB

MD5
e0f70133df97b24b19e75769e71cb1c7

SHA1
5ffaee5437ef29b7be397318daca6d685bfffb21

SHA256
caca5bdb282943ab98a581024cb59442f1ba9ff58c17e73019ca0a785e9519c9

SHA512
238a2566bf7492210481c1e0c5fc32d1a601f280928a63592b80f6502f160e66740a9065f69e268b6e94a3b1109b54e8f039a934ebc14e9f6a250afafd4ce3bb

Download Submit