Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-05-2021 17:22
- Static task: static1
- Behavioral task: behavioral1
  Sample: tightvnc-2.8.59-gpl-setup-64bit.msi
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: tightvnc-2.8.59-gpl-setup-64bit.msi
  Resource: win10v20210410
General
- Target: tightvnc-2.8.59-gpl-setup-64bit.msi
- Size: 2.4MB
- MD5: a85259eec8742fdd4acffcdac54cd930
- SHA1: 696204de2e5688356bc01bae037c3b955432acdd
- SHA256: 7e80a38c47a1457a35567f30a7ea515248ca391ae3d9deec48b31868af7315b0
- SHA512: 1b2fd5b8e723c69250d6dfe2c24bbaa80b1a8d050c4d8ca24a2e92cc7f5d284bbac711e452f727c2ce12293ccbf7a4e005f3795015626d4a20f20c49f977a6b6
Malware Config
Signatures
- Blocklisted process makes network request (5 IoCs)
  Processes:
    flow | pid | process
    7 | 512 | msiexec.exe
    9 | 512 | msiexec.exe
    12 | 512 | msiexec.exe
    14 | 512 | msiexec.exe
    16 | 512 | msiexec.exe
- Executes dropped EXE (6 IoCs)
  Processes:
    pid | process
    4480 | tvnserver.exe
    4512 | tvnserver.exe
    4536 | tvnserver.exe
    4684 | tvnserver.exe
    4732 | tvnserver.exe
    5012 | tvnserver.exe
- Loads dropped DLL (8 IoCs)
  Processes:
    pid | process
    2716 | MsiExec.exe
    4124 | MsiExec.exe
    4204 | MsiExec.exe
    4204 | MsiExec.exe
    4124 | MsiExec.exe
    4304 | MsiExec.exe
    4364 | MsiExec.exe
    4364 | MsiExec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvncontrol = "\"C:\\Program Files\\TightVNC\\tvnserver.exe\" -controlservice -slave" | tvnserver.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
- Drops file in Program Files directory (7 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files\TightVNC\tvnviewer.exe | msiexec.exe
    File created | C:\Program Files\TightVNC\LICENSE.txt | msiexec.exe
    File created | C:\Program Files\TightVNC\screenhooks32.dll | msiexec.exe
    File created | C:\Program Files\TightVNC\screenhooks64.dll | msiexec.exe
    File created | C:\Program Files\TightVNC\hookldr.exe | msiexec.exe
    File created | C:\Program Files\TightVNC\tvnserver.exe | msiexec.exe
    File created | C:\Program Files\TightVNC\TightVNC Web Site.url | msiexec.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\Installer\f746835.msi | msiexec.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI6CAD.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\tvnserver.ico | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI6A1A.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI6EA4.tmp | msiexec.exe
    File created | C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\tvnserver.ico | msiexec.exe
    File created | C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\viewer.ico | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI71D2.tmp | msiexec.exe
    File created | C:\Windows\Installer\f746835.msi | msiexec.exe
    File opened for modification | C:\Windows\Installer\ | msiexec.exe
    File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
    File opened for modification | C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\viewer.ico | msiexec.exe
    File created | C:\Windows\Installer\f746837.msi | msiexec.exe
    File created | C:\Windows\Installer\SourceHash{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC} | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI6A4A.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI6B64.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI6D89.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI70A9.tmp | msiexec.exe
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
- Modifies data under HKEY_USERS (7 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | MsiExec.exe
    Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E | msiexec.exe
    Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | msiexec.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | msiexec.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | MsiExec.exe
- Modifies registry class (37 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\DefaultIcon\ = "C:\\Program Files\\TightVNC\\tvnviewer.exe,0" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB\Server = "TightVNC" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vnc\ = "VncViewer.Config" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\ProductName = "TightVNC" | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Clients = 3a0000000000 | msiexec.exe
    Key created | \REGISTRY\MACHINE\Software\Classes\VncViewer.Config | msiexec.exe
    Key created | \REGISTRY\MACHINE\Software\Classes\VncViewer.Config\shell\open\command | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\ProductIcon = "C:\\Windows\\Installer\\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\\tvnserver.ico" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\InstanceType = "0" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\DeploymentFlags = "3" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0B272F1B74B50F64A92F07E546BEA196\4497C60E20ECBFF478FEE0D972C8E6CB | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\AdvertiseFlags = "388" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\AuthorizedLUAApp = "0" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\PackageName = "tightvnc-2.8.59-gpl-setup-64bit.msi" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Media | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Media\1 = ";" | msiexec.exe
    Key created | \REGISTRY\MACHINE\Software\Classes\.vnc | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Assignment = "1" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open\command | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB\Viewer = "TightVNC" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\PackageCode = "F6E2AA17AEC1C9A4890844775A302547" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Language = "1033" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\ = "VNCviewer Config File" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Version = "34078779" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open\command\ = "\"C:\\Program Files\\TightVNC\\tvnviewer.exe\" -optionsfile=\"%1\"" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0B272F1B74B50F64A92F07E546BEA196 | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Net | msiexec.exe
    Key created | \REGISTRY\MACHINE\Software\Classes\VncViewer.Config\DefaultIcon | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB\TightVNC | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    1788 | msiexec.exe
    1788 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | process
    Token: SeShutdownPrivilege | 512 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 512 | msiexec.exe
    Token: SeSecurityPrivilege | 1788 | msiexec.exe
    Token: SeCreateTokenPrivilege | 512 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 512 | msiexec.exe
    Token: SeLockMemoryPrivilege | 512 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 512 | msiexec.exe
    Token: SeMachineAccountPrivilege | 512 | msiexec.exe
    Token: SeTcbPrivilege | 512 | msiexec.exe
    Token: SeSecurityPrivilege | 512 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 512 | msiexec.exe
    Token: SeLoadDriverPrivilege | 512 | msiexec.exe
    Token: SeSystemProfilePrivilege | 512 | msiexec.exe
    Token: SeSystemtimePrivilege | 512 | msiexec.exe
    Token: SeProfSingleProcessPrivilege | 512 | msiexec.exe
    Token: SeIncBasePriorityPrivilege | 512 | msiexec.exe
    Token: SeCreatePagefilePrivilege | 512 | msiexec.exe
    Token: SeCreatePermanentPrivilege | 512 | msiexec.exe
    Token: SeBackupPrivilege | 512 | msiexec.exe
    Token: SeRestorePrivilege | 512 | msiexec.exe
    Token: SeShutdownPrivilege | 512 | msiexec.exe
    Token: SeDebugPrivilege | 512 | msiexec.exe
    Token: SeAuditPrivilege | 512 | msiexec.exe
    Token: SeSystemEnvironmentPrivilege | 512 | msiexec.exe
    Token: SeChangeNotifyPrivilege | 512 | msiexec.exe
    Token: SeRemoteShutdownPrivilege | 512 | msiexec.exe
    Token: SeUndockPrivilege | 512 | msiexec.exe
    Token: SeSyncAgentPrivilege | 512 | msiexec.exe
    Token: SeEnableDelegationPrivilege | 512 | msiexec.exe
    Token: SeManageVolumePrivilege | 512 | msiexec.exe
    Token: SeImpersonatePrivilege | 512 | msiexec.exe
    Token: SeCreateGlobalPrivilege | 512 | msiexec.exe
    Token: SeCreateTokenPrivilege | 512 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 512 | msiexec.exe
    Token: SeLockMemoryPrivilege | 512 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 512 | msiexec.exe
    Token: SeMachineAccountPrivilege | 512 | msiexec.exe
    Token: SeTcbPrivilege | 512 | msiexec.exe
    Token: SeSecurityPrivilege | 512 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 512 | msiexec.exe
    Token: SeLoadDriverPrivilege | 512 | msiexec.exe
    Token: SeSystemProfilePrivilege | 512 | msiexec.exe
    Token: SeSystemtimePrivilege | 512 | msiexec.exe
    Token: SeProfSingleProcessPrivilege | 512 | msiexec.exe
    Token: SeIncBasePriorityPrivilege | 512 | msiexec.exe
    Token: SeCreatePagefilePrivilege | 512 | msiexec.exe
    Token: SeCreatePermanentPrivilege | 512 | msiexec.exe
    Token: SeBackupPrivilege | 512 | msiexec.exe
    Token: SeRestorePrivilege | 512 | msiexec.exe
    Token: SeShutdownPrivilege | 512 | msiexec.exe
    Token: SeDebugPrivilege | 512 | msiexec.exe
    Token: SeAuditPrivilege | 512 | msiexec.exe
    Token: SeSystemEnvironmentPrivilege | 512 | msiexec.exe
    Token: SeChangeNotifyPrivilege | 512 | msiexec.exe
    Token: SeRemoteShutdownPrivilege | 512 | msiexec.exe
    Token: SeUndockPrivilege | 512 | msiexec.exe
    Token: SeSyncAgentPrivilege | 512 | msiexec.exe
    Token: SeEnableDelegationPrivilege | 512 | msiexec.exe
    Token: SeManageVolumePrivilege | 512 | msiexec.exe
    Token: SeImpersonatePrivilege | 512 | msiexec.exe
    Token: SeCreateGlobalPrivilege | 512 | msiexec.exe
    Token: SeCreateTokenPrivilege | 512 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 512 | msiexec.exe
    Token: SeLockMemoryPrivilege | 512 | msiexec.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes:
    pid | process
    512 | msiexec.exe
    4684 | tvnserver.exe (this row is repeated for the remaining 63 IoCs)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes:
    pid | process
    4684 | tvnserver.exe (this row is repeated for all 64 IoCs)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
    description | pid | process | target process
    PID 1788 wrote to memory of 2716 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 2716 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 2716 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 3572 | 1788 | msiexec.exe | srtasks.exe
    PID 1788 wrote to memory of 3572 | 1788 | msiexec.exe | srtasks.exe
    PID 1788 wrote to memory of 4124 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4124 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4204 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4204 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4204 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4304 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4304 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4304 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4364 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4364 | 1788 | msiexec.exe | MsiExec.exe
    PID 1788 wrote to memory of 4480 | 1788 | msiexec.exe | tvnserver.exe
    PID 1788 wrote to memory of 4480 | 1788 | msiexec.exe | tvnserver.exe
    PID 1788 wrote to memory of 4512 | 1788 | msiexec.exe | tvnserver.exe
    PID 1788 wrote to memory of 4512 | 1788 | msiexec.exe | tvnserver.exe
    PID 4512 wrote to memory of 4684 | 4512 | tvnserver.exe | tvnserver.exe
    PID 4512 wrote to memory of 4684 | 4512 | tvnserver.exe | tvnserver.exe
    PID 1788 wrote to memory of 4732 | 1788 | msiexec.exe | tvnserver.exe
    PID 1788 wrote to memory of 4732 | 1788 | msiexec.exe | tvnserver.exe
    PID 4732 wrote to memory of 5012 | 4732 | tvnserver.exe | tvnserver.exe
    PID 4732 wrote to memory of 5012 | 4732 | tvnserver.exe | tvnserver.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tightvnc-2.8.59-gpl-setup-64bit.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:512
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
  -
  C:\Windows\syswow64\MsiExec.exe (child of PID 1788)
  C:\Windows\syswow64\MsiExec.exe -Embedding BD1B5A33CB2420F16B0B8D9287915983 C
  - Loads dropped DLL
  PID:2716
  -
  C:\Windows\system32\srtasks.exe (child of PID 1788)
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID:3572
  -
  C:\Windows\System32\MsiExec.exe (child of PID 1788)
  C:\Windows\System32\MsiExec.exe -Embedding 812A6967683803DEA2CA9CE21EF334FE
  - Loads dropped DLL
  PID:4124
  -
  C:\Windows\syswow64\MsiExec.exe (child of PID 1788)
  C:\Windows\syswow64\MsiExec.exe -Embedding 7D969ECF5F0FFBADCA3F08F0985851F2
  - Loads dropped DLL
  PID:4204
  -
  C:\Windows\syswow64\MsiExec.exe (child of PID 1788)
  C:\Windows\syswow64\MsiExec.exe -Embedding 22DB582BFC760DCD0F40CDF854B79CF0 E Global\MSI0000
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:4304
  -
  C:\Windows\System32\MsiExec.exe (child of PID 1788)
  C:\Windows\System32\MsiExec.exe -Embedding 466C3101CC8F9BB3E09B7D75F1A3AFF9 E Global\MSI0000
  - Loads dropped DLL
  PID:4364
  -
  C:\Program Files\TightVNC\tvnserver.exe (child of PID 1788)
  "C:\Program Files\TightVNC\tvnserver.exe" -reinstall -silent
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4480
  -
  C:\Program Files\TightVNC\tvnserver.exe (child of PID 1788)
  "C:\Program Files\TightVNC\tvnserver.exe" -start
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4512
    -
    C:\Program Files\TightVNC\tvnserver.exe (child of PID 4512)
    "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4684
  -
  C:\Program Files\TightVNC\tvnserver.exe (child of PID 1788)
  "C:\Program Files\TightVNC\tvnserver.exe" -checkservicepasswords
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4732
    -
    C:\Program Files\TightVNC\tvnserver.exe (child of PID 4732)
    "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -reload
    - Executes dropped EXE
    PID:5012
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
PID:2648
-
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:192
-
C:\Program Files\TightVNC\tvnserver.exe (no parent recorded in the tree)
"C:\Program Files\TightVNC\tvnserver.exe" -service
- Executes dropped EXE
PID:4536
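The tree above is the chain an analyst would want as a rule: the elevated installer instance (msiexec.exe /V, PID 1788) spawns the freshly dropped C:\Program Files\TightVNC\tvnserver.exe with -reinstall -silent (the instance the report shows writing the Run key), then -start and -checkservicepasswords, each of which spawns a -controlservice child. The Python below is an added example, not part of the sandbox report or of TightVNC. It rebuilds a subset of the tree as constructed events (PID, parent PID, image and command line copied from the tree; depth-1 entries have no recorded parent and get 0), flags every process outside the Windows system directories that has msiexec.exe as an ancestor, and checks which running command line equals the Run-key value recorded under "Adds Run key to start application". The ProcEvent shape and the SYSTEM_DIRS and INSTALLER constants are this example's own, not a Triage or Sysmon schema.

```python
"""Walk a process tree, flag executables that an MSI install chain spawned
from outside the Windows system directories, and tie observed command lines
back to the Run-key value the report recorded.

Added example, not part of the sandbox report. EVENTS is constructed from the
process tree (ppid 0 = parent not recorded in the tree).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TVN = r"C:\Program Files\TightVNC\tvnserver.exe"

# Constructed from the report's process tree (a subset of the entries).
EVENTS = [
    ProcEvent(512, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tightvnc-2.8.59-gpl-setup-64bit.msi"),
    ProcEvent(1788, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2716, 1788, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding BD1B5A33CB2420F16B0B8D9287915983 C"),
    ProcEvent(3572, 1788, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(4480, 1788, TVN, f'"{TVN}" -reinstall -silent'),
    ProcEvent(4512, 1788, TVN, f'"{TVN}" -start'),
    ProcEvent(4684, 4512, TVN, f'"{TVN}" -controlservice -slave'),
    ProcEvent(4732, 1788, TVN, f'"{TVN}" -checkservicepasswords'),
    ProcEvent(5012, 4732, TVN, f'"{TVN}" -controlservice -reload'),
    ProcEvent(4536, 0, TVN, f'"{TVN}" -service'),
]

# Value of HKLM\...\CurrentVersion\Run\tvncontrol as recorded by the report.
RUN_KEY_VALUE = f'"{TVN}" -controlservice -slave'

# Example's own policy constants: images under these paths are treated as
# expected installer machinery (MsiExec.exe -Embedding, srtasks.exe) and skipped.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INSTALLER = "msiexec.exe"


def ancestors(pid, by_pid):
    """Return the PIDs of pid's recorded ancestors, nearest first."""
    chain = []
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        chain.append(ev.pid)
    return chain


def find_dropped_executions(events):
    """Processes outside SYSTEM_DIRS that have msiexec.exe somewhere above them.
    Returns (pid, cmdline, ancestor chain) tuples in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower().startswith(SYSTEM_DIRS):
            continue
        chain = ancestors(e.pid, by_pid)
        if any(by_pid[p].image.lower().endswith("\\" + INSTALLER) for p in chain):
            hits.append((e.pid, e.cmdline, chain))
    return hits


def processes_matching_autorun(events, run_value):
    """PIDs whose command line is exactly the Run-key value, i.e. the
    persistence entry was exercised during the sandbox run."""
    return [e.pid for e in events if e.cmdline == run_value]


if __name__ == "__main__":
    for pid, cmd, chain in find_dropped_executions(EVENTS):
        print(f"{pid}: {cmd}  <- {' <- '.join(map(str, chain))}")
    print("Run-key value seen running as PID", processes_matching_autorun(EVENTS, RUN_KEY_VALUE))
```

The parent-chain rule does not catch PID 4536 (tvnserver.exe -service): the tree shows that instance at depth 1 with no recorded parent, so on a real host the chain check needs to be paired with a match on the dropped file's path or, better, its SHA256 from the Downloads section.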
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files\TightVNC\tvnserver.exe
MD5 5d478f94283cd69f4393d8da703bd442
SHA1 b4f4a6d6310c9b236dc96cc216425b76d2a93772
SHA256 9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac
SHA512 7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
MD5 f9b08c45101ee8375915a03a3123067b
SHA1 41ead912bcf27306ae9d3d438ca46a0baad4061e
SHA256 87d5b0a608ee3680c8a2a0a3b84aed60ca182b6ab2d0be732f83f546bcffe400
SHA512 fea4abbc4ab40e6e7851a3f3c8652319cb4b9cc1163add9329e74a512338c85e6190d07fae5b4e8431e7cea613dd15b7bf2fc3603db20901468e90687619f0ea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 5c23ef4b2e861d68b28e015d948f89cd
SHA1 c988b471f96a80c4d74deaf05a7e965aeb07e457
SHA256 164c38fae9ce4805dd774ce07375fbeb9ee91df73a905558c050f381982dcae0
SHA512 42944358031d13fc8f7d8e6bf4a0962d1c503e1fe996e2b3ccd0719e3c264104da16ed7bcfbaadd67d2eb850cf0db8f21e93bdec7bb9224770804cfbc2752539
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_2C6D150AA157B3BBB8A52450BB086C70
MD5 c88f14e939adc7301260af6d7b1c9382
SHA1 d34ba242c2c8fe3ec18a5f8574d2affe2c712025
SHA256 4799c838d5e3b178e06df8cd569d22ffdf92a09e392eb985956044e12e6c5e4d
SHA512 b624b78f5a573921d7d14bfcfbe7d4a551d408d10e9b356a8d3fa65b3b04a16ffe6ec8c9910a8f7438ed2b309136e4c8417903fad606b0f105f2c0a3bc0c7f8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
MD5 e0dd3d7463938ad26ab978635a554208
SHA1 9e676f739a9b94c78e7b174e932c4abf51bb4c40
SHA256 0f220e88ac3c94329b09c2c369c2e1313b946c74f515624ad40a6112da83a34f
SHA512 f4425a165ed072252127f2255cb9832b3c93e33fb55c437fb23efd4bcf3bb2fe7c112593f023155ad605f1123bcbcf2209f716a2bfbdd92cf9ed4c2004934f40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 8be056425b8d4590e255a05fc1ef61f8
SHA1 6e82c3929ae23441c475f44988859e1ced89ff59
SHA256 e982696763cd89223a75a37452a16a1651233aca49668ef5c739991bb2cfa5a6
SHA512 e943c36a1e6e49ba1c80ce5e9cc354bfb6cf0ff8467b641a693815c38d8eed652f8d398db7da5e8c11cdde8f717c89686c3a615f7adaf00f7b2450f9b734f2a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_2C6D150AA157B3BBB8A52450BB086C70
MD5 58b05aa8be5d4d5593eab26dab7e49c6
SHA1 54aedf9ad632fb2031f53824054045461ed08e4e
SHA256 30db2465acf738354530e01e6fa54007dd5b678d5ff42e536c0fae3cbb5ede0d
SHA512 e285f045c581b9bfb78601faebee842420dc3cc3ec8361b0654a507db90b9b709bafd0d6cf3b4fafad44e126a563287dff7232ccc7e4bf0334b145f0cfddb6ae
-
C:\Users\Admin\AppData\Local\Temp\MSIFDF2.tmp (also recorded as \Users\Admin\AppData\Local\Temp\MSIFDF2.tmp)
MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
C:\Windows\Installer\MSI6A4A.tmp (also recorded as \Windows\Installer\MSI6A4A.tmp)
MD5 b2e2c24ebce4f188cf28b9e1470227f5
SHA1 9de61721326d8e88636f9633aa37fcb885a4babe
SHA256 233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69
SHA512 343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354
-
C:\Windows\Installer\MSI6B64.tmp (also recorded as \Windows\Installer\MSI6B64.tmp)
MD5 93394d2866590fb66759f5f0263453f2
SHA1 2f0903d4b21a0231add1b4cd02e25c7c4974da84
SHA256 5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
SHA512 f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622
-
C:\Windows\Installer\MSI6CAD.tmp (also recorded as \Windows\Installer\MSI6CAD.tmp)
MD5 93394d2866590fb66759f5f0263453f2
SHA1 2f0903d4b21a0231add1b4cd02e25c7c4974da84
SHA256 5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
SHA512 f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622
-
C:\Windows\Installer\MSI6D89.tmp (also recorded as \Windows\Installer\MSI6D89.tmp)
MD5 b2e2c24ebce4f188cf28b9e1470227f5
SHA1 9de61721326d8e88636f9633aa37fcb885a4babe
SHA256 233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69
SHA512 343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354
-
C:\Windows\Installer\MSI6EA4.tmp (also recorded as \Windows\Installer\MSI6EA4.tmp)
MD5 93394d2866590fb66759f5f0263453f2
SHA1 2f0903d4b21a0231add1b4cd02e25c7c4974da84
SHA256 5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
SHA512 f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622
-
C:\Windows\Installer\MSI70A9.tmp (also recorded as \Windows\Installer\MSI70A9.tmp)
MD5 b2e2c24ebce4f188cf28b9e1470227f5
SHA1 9de61721326d8e88636f9633aa37fcb885a4babe
SHA256 233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69
SHA512 343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354
-
C:\Windows\Installer\MSI71D2.tmp (also recorded as \Windows\Installer\MSI71D2.tmp)
MD5 7e753b064a0b3408726aa232feb7cf8a
SHA1 c76c3dc5ae1c05fdb34ae963646a904b60aa5759
SHA256 4cf2358692062cdd2920d5d1c6ebdb7f9b81b1d2e5c6fba24f1bc4027688185f
SHA512 9a12f495d4555e6b4ef9ab6173258ccaf73e718d29d4db134aeb551224016c7c1916261e3301280930f20601fede648cb796608e24d4690dec5fb90cd2d8cede
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5 45fe08b7d7c81ae2a3d47fd804418e3a
SHA1 953d3dfc199eaadb96aeccfdfd25af4f6a492422
SHA256 bd81593ea4c9bb23d094a4149702624c32f058f00afb4925f9c7752747c02fab
SHA512 37351206259b387d058cafe242b17bb79ad1773c9b4cc9005be45c0a95a3ec18918e8d5ffa5af11b7d961516c639bf0e8847abc2073c50dc6defd5f39975acca
-
\??\Volume{266d1ca4-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{7fbb08b3-4afe-4e10-8fc9-a59c1e4ce498}_OnDiskSnapshotProp
MD5 229419edd1e1ec5571d46053b388e1e4
SHA1 0dcc0ba198b538561dc3167158d99fe6bd7f3f3a
SHA256 d86c8e1aa02b1812cf6a0de4643aa0db2ebd804dc55c49cddb819d6536c75aad
SHA512 f5ad19f78835d893841e9f9dbc8f467c06a16a81fdbc57bfc843caf664250e47d9d3dd17b383c60c7e5065fa94e94b8ef0816bf9d70d4cd6d5436287a734ac60
-
memory/2716-118-0x0000000000000000-mapping.dmp
-
memory/3572-123-0x0000000000000000-mapping.dmp
-
memory/4124-130-0x0000000000000000-mapping.dmp
-
memory/4204-135-0x0000000000000000-mapping.dmp
-
memory/4304-144-0x0000000000000000-mapping.dmp
-
memory/4364-149-0x0000000000000000-mapping.dmp
-
memory/4480-156-0x0000000000000000-mapping.dmp
-
memory/4512-159-0x0000000000000000-mapping.dmp
-
memory/4684-162-0x0000000000000000-mapping.dmp
-
memory/4732-164-0x0000000000000000-mapping.dmp
-
memory/5012-168-0x0000000000000000-mapping.dmp
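A sandbox report's dropped-file list records the same file more than once (once per write, and sometimes under more than one path spelling), so the first step in turning it into indicators is to deduplicate by digest: among the seven C:\Windows\Installer\MSI*.tmp names above there are only three distinct hash sets, and tvnserver.exe is one file however many times it appears. The CryptnetUrlCache Content and MetaData pairs are written by CryptoAPI when it fetches certificate or revocation data over the network, which is the usual explanation for network requests flagged against msiexec.exe during an install; check the Network section before reading them as a payload download. The Python below is an added example, not part of the report. It parses a list in the layout shown above (label separated from the digest by a space or fused to it, and the MD5 label fused to the path, as text extraction often leaves it), validates each digest by length and alphabet so a truncated line is reported instead of being mis-keyed, and groups entries by SHA256. SAMPLE is a constructed excerpt whose digests are copied from the report; its last line is deliberately truncated to exercise the malformed path.

```python
"""Parse a sandbox report's dropped-file hash block and deduplicate it by SHA256.

Added example, not part of the report. SAMPLE below is a constructed excerpt
in the report's layout (digests copied from the report, last line truncated
on purpose).
"""
import string

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def is_digest(s, n):
    """True if s is exactly n hex characters (rejects truncated/garbled digests)."""
    return len(s) == n and all(c in string.hexdigits for c in s)


def parse_hash_line(line):
    """Return (label, digest) for 'SHA1 b4f4...' or the fused 'SHA1b4f4...',
    else None. The length check is what rejects a truncated digest."""
    for label, n in HASH_LEN.items():
        if line.startswith(label):
            digest = line[len(label):].strip()
            if is_digest(digest, n):
                return label, digest.lower()
    return None


def parse_dropped_files(text):
    """Return ([(path, {label: digest}), ...], [(path, bad_line), ...])."""
    entries, malformed = [], []
    path, digests, pending_md5 = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if pending_md5:                      # digest for a fused "...exeMD5" path line
            pending_md5 = False
            if is_digest(line, HASH_LEN["MD5"]):
                digests["MD5"] = line.lower()
            else:
                malformed.append((path, line))
            continue
        parsed = parse_hash_line(line)
        if parsed is not None and path is not None:
            digests[parsed[0]] = parsed[1]
            continue
        if path is not None and line.startswith(tuple(HASH_LEN)):
            malformed.append((path, line))   # label recognised, digest damaged
            continue
        if path is not None:                 # a new path line closes the entry
            entries.append((path, digests))
        digests = {}
        if line.endswith("MD5"):             # "C:\...\x.exeMD5": MD5 is on the next line
            path, pending_md5 = line[:-3].rstrip(), True
        else:
            path = line
    if path is not None:
        entries.append((path, digests))
    return entries, malformed


def dedupe(entries):
    """Group entries by SHA256 (one group per distinct file). Entries without a
    valid SHA256 are returned separately rather than silently dropped."""
    groups, unkeyed = {}, []
    for path, d in entries:
        sha = d.get("SHA256")
        if sha is None:
            unkeyed.append(path)
            continue
        g = groups.setdefault(sha, {"paths": [], "MD5": d.get("MD5"), "SHA1": d.get("SHA1")})
        if path not in g["paths"]:
            g["paths"].append(path)
    return groups, unkeyed


# Constructed excerpt in the report's layout; digests copied from the report.
SAMPLE = r"""
C:\Program Files\TightVNC\tvnserver.exeMD5
5d478f94283cd69f4393d8da703bd442
SHA1b4f4a6d6310c9b236dc96cc216425b76d2a93772
SHA2569b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac
SHA5127840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa
-
C:\Program Files\TightVNC\tvnserver.exeMD5
5d478f94283cd69f4393d8da703bd442
SHA1b4f4a6d6310c9b236dc96cc216425b76d2a93772
SHA2569b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac
-
C:\Windows\Installer\MSI6A4A.tmp
MD5 b2e2c24ebce4f188cf28b9e1470227f5
SHA1 9de61721326d8e88636f9633aa37fcb885a4babe
SHA256 233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69
-
\Windows\Installer\MSI6D89.tmpMD5
b2e2c24ebce4f188cf28b9e1470227f5
SHA19de61721326d8e88636f9633aa37fcb885a4babe
SHA256233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69
-
C:\Windows\Installer\MSI71D2.tmpMD5
7e753b064a0b3408726aa232feb7cf8a
SHA1c76c3dc5ae1c05fdb34ae963646a904b60aa5759
SHA2564cf2358692062cdd2920d5d1c6ebd
"""

if __name__ == "__main__":
    entries, malformed = parse_dropped_files(SAMPLE)
    groups, unkeyed = dedupe(entries)
    for sha, g in groups.items():
        print(sha, g["paths"])
    print("no usable SHA256:", unkeyed, "malformed lines:", malformed)
```

Keying on SHA256 rather than MD5 matters when the list is reused as a blocklist or for hash matching on hosts: MD5 collisions are practical, so two different files can share the MD5 the report shows, while the SHA256 identifies the file. Feeding the full Downloads section above through the same parser collapses the MSI*.tmp entries to three groups and tvnserver.exe to one.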