Analysis
  max time kernel: 145s
  max time network: 155s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 04/03/2024, 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: LittleAlterBoy5_5.4.1.17134_64.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: LittleAlterBoy5_5.4.1.17134_64.exe
  Resource: win10v2004-20240226-en
General
  Target: LittleAlterBoy5_5.4.1.17134_64.exe
  Size: 217.0MB
  MD5: a62c37dc3c08181bad7e1616ec0d919f
  SHA1: 8a2e83146e4b10eb2c0ed8963c643f058877004d
  SHA256: b65612ace7fc0ae0b5a795abde581c3451388159f63364f4c48f4a2b86234c59
  SHA512: a8fb973ce513e19261e87848fa942043e9e8a0a009e37e781301918c62273255f7f5fa00ae5879d6c7e30dec5761b7565d331a0b02b5e64ded2a753170844009
  SSDEEP: 6291456:A+EQz6xNZdyDarLdwoixcNiUtSUzNOr2NxeS7c+Vl+uz:A+EFxcDaVLi4jSUzUeT733+y
Malware Config
Signatures
Modifies firewall policy service  2 TTPs  1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | mDNSResponder.exe
Executes dropped EXE  31 IoCs
  pid | Process
  1196 | LittleAlterBoy5_5.4.1.17134_64.tmp
  2520 | _setup64.tmp
  1872 | License Support Win64.exe
  1472 | VC_redist.x86.exe
  2332 | VC_redist.x86.exe
  1512 | VC_redist.x64.exe
  808 | VC_redist.x64.exe
  2292 | mDNSResponder.exe
  340, 1064, 2904, 944, 1276, 2748, 1868, 1556, 2260, 2996, 2180, 2420, 2408, 2620, 2416, 1220, 1472, 700, 2356, 3040, 1612, 1700 | ISBEW64.exe (22 instances)
  300 | Process not Found
Loads dropped DLL  49 IoCs
  pid | Process | consecutive occurrences
  2100 | LittleAlterBoy5_5.4.1.17134_64.exe | 1
  1196 | LittleAlterBoy5_5.4.1.17134_64.tmp | 2
  1872 | License Support Win64.exe | 1
  1472 | VC_redist.x86.exe | 1
  2332 | VC_redist.x86.exe | 1
  1872 | License Support Win64.exe | 1
  1512 | VC_redist.x64.exe | 1
  808 | VC_redist.x64.exe | 1
  1968 | MsiExec.exe | 3
  2592 | MsiExec.exe | 2
  2732 | MsiExec.exe | 1
  1080 | MsiExec.exe | 1
  2332 | MsiExec.exe | 1
  468 | Process not Found | 1
  1872 | License Support Win64.exe | 1
  784 | MsiExec.exe | 17
  1872 | License Support Win64.exe | 13
Registers COM server for autorun  1 TTPs  16 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32 | msiexec.exe
Adds Run key to start application  2 TTPs  1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Program Files\\Soundtoys\\Utilities\\License Support Win64.exe\"" | License Support Win64.exe
Blocklisted process makes network request  4 IoCs
  flow | pid | Process
  3 | 1848 | msiexec.exe
  5 | 1848 | msiexec.exe
  7 | 1848 | msiexec.exe
  9 | 1848 | msiexec.exe
Checks installed software on the system  1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives  3 TTPs  46 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\P:, \??\W:, \??\G:, \??\K:, \??\M:, \??\A:, \??\E:, \??\L:, \??\B:, \??\X:, \??\R:, \??\H:, \??\T:, \??\J:, \??\Q:, \??\Y:, \??\U:, \??\I:, \??\N:, \??\O:, \??\S:, \??\V:, \??\Z: | msiexec.exe (23 drive letters, in the order observed)
  File opened (read-only) | \??\E:, \??\G:, \??\I:, \??\U:, \??\Z:, \??\O:, \??\A:, \??\H:, \??\T:, \??\L:, \??\X:, \??\K:, \??\V:, \??\Y:, \??\B:, \??\M:, \??\N:, \??\P:, \??\Q:, \??\R:, \??\W:, \??\J:, \??\S: | License Support Win64.exe (23 drive letters, in the order observed)
Drops file in System32 directory  8 IoCs
  description | ioc | Process
  File created | C:\Windows\system32\dns-sd.exe | msiexec.exe
  File created | C:\Windows\SysWOW64\dnssd.dll | msiexec.exe
  File created | C:\Windows\system32\dnssd.dll | msiexec.exe
  File created | C:\Windows\SysWOW64\dnssdX.dll | msiexec.exe
  File created | C:\Windows\system32\dnssdX.dll | msiexec.exe
  File created | C:\Windows\SysWOW64\jdns_sd.dll | msiexec.exe
  File created | C:\Windows\system32\jdns_sd.dll | msiexec.exe
  File created | C:\Windows\SysWOW64\dns-sd.exe | msiexec.exe
Drops file in Program Files directory  47 IoCs
  description | ioc | Process
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\mdnsNSP.dll | msiexec.exe
  File created | C:\Program Files\Bonjour\mdnsNSP.dll | msiexec.exe
  File opened for modification | C:\Program Files\Vstplugins\Soundtoys\LittleAlterBoy.dll | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-CFDI8.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Soundtoys\is-FFG70.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\mDNSResponder.exe | msiexec.exe
  File created | C:\Program Files\Bonjour\mDNSResponder.exe | msiexec.exe
  File created | C:\Program Files\Soundtoys\uninst\is-9N5IQ.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Common Files\VST3\Soundtoys\is-793MS.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files\Soundtoys\uninst\unins000.dat | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-RFG28.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\Contents\x64\is-UARAT.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\dns_sd.jar | msiexec.exe
  File created | C:\Program Files\Bonjour\dns_sd.jar | msiexec.exe
  File created | C:\Program Files\Bonjour\About Bonjour.lnk | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf | msiexec.exe
  File opened for modification | C:\Program Files\Soundtoys\Utilities\License Support Win64.exe | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-2MF3C.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Soundtoys\is-AJ6GG.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Soundtoys\Utilities\is-2PVU7.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\About Bonjour.lnk | msiexec.exe
  File opened for modification | C:\Program Files\Soundtoys\uninst\unins000.dat | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf | msiexec.exe
  File created | C:\Program Files\Java\jre7\lib\ext\dns_sd.jar | msiexec.exe
  File created | C:\Program Files\Vstplugins\Soundtoys\is-VGVGE.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Soundtoys\Manuals\is-MN6MV.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Soundtoys\uninst\is-R7OPV.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files\Soundtoys\Utilities\is-N6TP1.tmp | LittleAlterBoy5_5.4.1.17134_64.tmp
  File created | C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf | msiexec.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\ext\dns_sd.jar | msiexec.exe
  File created | C:\Program Files\Soundtoys\uninst\unins000.msg | LittleAlterBoy5_5.4.1.17134_64.tmp
Drops file in Windows directory  21 IoCs
  description | ioc | Process
  File created | C:\Windows\Installer\f77893f.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\wusa.lock | wusa.exe
  File opened for modification | C:\Windows\Logs\DPX\setuperr.log | wusa.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | wusa.exe
  File created | C:\Windows\Installer\f77893c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f77893c.msi | msiexec.exe
  File created | C:\Windows\Installer\f778942.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f77893f.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI929B.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI93B7.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico | msiexec.exe
  File created | C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico | msiexec.exe
  File opened for modification | C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9029.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI92EA.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI952F.tmp | msiexec.exe
  File created | C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico | msiexec.exe
  File opened for modification | C:\Windows\Logs\DPX\setupact.log | wusa.exe
  File opened for modification | C:\Windows\Installer\MSI90D6.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI931A.tmp | msiexec.exe
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS  3 IoCs
  description | ioc | Process
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Modifies registry class  64 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID\ = "Bonjour.TXTRecord" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord.1\ = "TXTRecord Class" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\Programmable | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\AppID\{56608F9C-223B-4CB6-813D-85EDCCADFB4B} | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID\ = "Bonjour.DNSSDService" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods\ = "7" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\\{15D7BF62-B111-49C3-9E82-1E5859612E57}\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS\ = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD} | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService\CurVer | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord\CLSID | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord\CLSID | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD} | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308} | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\AppID\Bonjour.DLL | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\2 = "C:\\ProgramData\\Apple\\Installer Cache\\Bonjour 3.0.0.10\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE} | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\DeploymentFlags = "3" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110} | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\Version = "1.0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F} | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110} | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager.1 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID\ = "Bonjour.DNSSDRecord.1" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1523EA646D34FC14C8FD9E203C58611D\2B0163E6D0340BE4183EB2758E9BEDD8 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord\CurVer | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\ = "DNSSDRecord Class" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\TypeLib | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498} | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Bonjour.DLL\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "PSFactoryBuffer" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\TypeLib | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord\ = "TXTRecord Class" | msiexec.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
  pid | Process
  1196 | LittleAlterBoy5_5.4.1.17134_64.tmp
  1196 | LittleAlterBoy5_5.4.1.17134_64.tmp
Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  pid | Process
  1196 | LittleAlterBoy5_5.4.1.17134_64.tmp
Suspicious use of AdjustPrivilegeToken  64 IoCs
  description | pid | Process
  Token: SeShutdownPrivilege | 2516 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2516 | msiexec.exe
  Token: SeRestorePrivilege | 1848 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1848 | msiexec.exe
  Token: SeSecurityPrivilege | 1848 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2516 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2516 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2516 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2516 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2516 | msiexec.exe
  Token: SeTcbPrivilege | 2516 | msiexec.exe
  Token: SeSecurityPrivilege | 2516 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2516 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2516 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2516 | msiexec.exe
  Token: SeSystemtimePrivilege | 2516 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2516 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2516 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2516 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2516 | msiexec.exe
  Token: SeBackupPrivilege | 2516 | msiexec.exe
  Token: SeRestorePrivilege | 2516 | msiexec.exe
  Token: SeShutdownPrivilege | 2516 | msiexec.exe
  Token: SeDebugPrivilege | 2516 | msiexec.exe
  Token: SeAuditPrivilege | 2516 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2516 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2516 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2516 | msiexec.exe
  Token: SeUndockPrivilege | 2516 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2516 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2516 | msiexec.exe
  Token: SeManageVolumePrivilege | 2516 | msiexec.exe
  Token: SeImpersonatePrivilege | 2516 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2516 | msiexec.exe
  Token: SeRestorePrivilege | 1848 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1848 | msiexec.exe
  (the preceding SeRestorePrivilege / SeTakeOwnershipPrivilege pair for PID 1848 is repeated 15 times in total, i.e. 30 of the 64 rows)
Suspicious use of FindShellTrayWindow  2 IoCs
  pid | Process
  1196 | LittleAlterBoy5_5.4.1.17134_64.tmp
  1872 | License Support Win64.exe
Suspicious use of WriteProcessMemory  64 IoCs
  description | pid | Process | procid_target | identical rows
  PID 2100 wrote to memory of 1196 | 2100 | LittleAlterBoy5_5.4.1.17134_64.exe | 28 | 7
  PID 1196 wrote to memory of 2520 | 1196 | LittleAlterBoy5_5.4.1.17134_64.tmp | 31 | 4
  PID 1196 wrote to memory of 1872 | 1196 | LittleAlterBoy5_5.4.1.17134_64.tmp | 33 | 7
  PID 1872 wrote to memory of 1472 | 1872 | License Support Win64.exe | 34 | 7
  PID 1472 wrote to memory of 2332 | 1472 | VC_redist.x86.exe | 35 | 7
  PID 1872 wrote to memory of 1512 | 1872 | License Support Win64.exe | 36 | 7
  PID 1512 wrote to memory of 808 | 1512 | VC_redist.x64.exe | 37 | 7
  PID 1872 wrote to memory of 2516 | 1872 | License Support Win64.exe | 38 | 7
  PID 1848 wrote to memory of 1968 | 1848 | msiexec.exe | 40 | 5
  PID 1848 wrote to memory of 2592 | 1848 | msiexec.exe | 41 | 6
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
  Level 1: C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2100
    Level 2: C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp" /SL5="$400DE,226646490,848384,C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1196
      Level 3: C:\Users\Admin\AppData\Local\Temp\is-G0PP4.tmp\_isetup\_setup64.tmp
        Command line: helper 105 0x214
        - Executes dropped EXE
        PID: 2520
      Level 3: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
        Command line: "C:\Program Files\Soundtoys\Utilities\License Support Win64.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1872
        Level 4: C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" /quiet /norestart
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 1472
          Level 5: C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
            Command line: "C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /quiet /norestart
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2332
        Level 4: C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" /quiet /norestart
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe"C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /quiet /norestart5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808
-
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi" /quiet /qn4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Windows\SysWOW64\wusa.exe"C:\Windows\system32\wusa.exe" "C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{4EF18522-4489-4423-9A67-6903B272672E}\Windows6.1-KB2999226-x64.msu" /quiet /norestart4⤵
- Drops file in Windows directory
PID:896
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C8C01AD-2090-4B00-B9FC-81C13E3C5AA7}4⤵
- Executes dropped EXE
PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19D24993-91C1-4E4C-B23E-72F80FB0C16A}4⤵
- Executes dropped EXE
PID:2408
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C19DE14-DFB9-4DB4-94F8-5364A855AE51}4⤵
- Executes dropped EXE
PID:2620
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F284DCC0-7874-4A76-9AF2-2A97A9D51FFF}4⤵
- Executes dropped EXE
PID:2416
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D973834F-9BA6-4E9E-8306-2C6E313595B8}4⤵
- Executes dropped EXE
PID:1220
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{500095E1-C33D-4C33-8160-66F11744B9F0}4⤵
- Executes dropped EXE
PID:1472
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B281E85-2779-42D3-A4AE-18648AD69C21}4⤵
- Executes dropped EXE
PID:700
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BB5F932A-DA22-4B5F-9A47-992C1140AF79}4⤵
- Executes dropped EXE
PID:2356
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0FF5F9D6-46F2-486D-942F-5A9309A85BEA}4⤵
- Executes dropped EXE
PID:3040
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{982909BE-84BC-4554-81CB-EE8AF0B46690}4⤵
- Executes dropped EXE
PID:1612
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4B70712-353A-4BB3-8DFC-3540175AE384}4⤵
- Executes dropped EXE
PID:1700
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Registers COM server for autorun
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding DC81A4CF2071FCCC85C9B732B6157D2E2⤵
- Loads dropped DLL
PID:1968
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5724F460C174DE81188CA8AEE9AA27592⤵
- Loads dropped DLL
PID:2592
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A31C298993A4DFA7D9A7865C27757112 M Global\MSI00002⤵
- Loads dropped DLL
PID:2732
-
-
C:\Windows\system32\MsiExec.exe"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"2⤵
- Loads dropped DLL
PID:1080
-
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"2⤵
- Loads dropped DLL
PID:2332
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3147D07623420983D9A5C05EC72405C1 C2⤵
- Loads dropped DLL
PID:784 -
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EEBF533C-AF88-4BBD-9D12-320EF29C6283}3⤵
- Executes dropped EXE
PID:340
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{43E494BE-D192-4C07-9EE4-048D46E499E9}3⤵
- Executes dropped EXE
PID:1064
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{710BACAA-770F-4048-90DB-862DE5AD03BD}3⤵
- Executes dropped EXE
PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{076E9B3D-CEC3-4D2F-9CE7-943A41AFB824}3⤵
- Executes dropped EXE
PID:944
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A7768E13-11AC-4A6F-801A-6553F40173F8}3⤵
- Executes dropped EXE
PID:1276
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{002DE544-40FF-4692-99B4-E84E8E4856A1}3⤵
- Executes dropped EXE
PID:2748
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F6DBDC2-9ACA-4BAA-84A3-2251E61D14CA}3⤵
- Executes dropped EXE
PID:1868
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0A7CA19-AFCD-491D-A5DD-6A1E741DF1A1}3⤵
- Executes dropped EXE
PID:1556
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49CE36B1-786B-45FC-8BDD-B7705B32E9E0}3⤵
- Executes dropped EXE
PID:2260
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7677CA9-F8A3-4FF6-B3B7-AD884FE2B5DF}3⤵
- Executes dropped EXE
PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{822CD264-EF4C-4612-A0B0-94F0507FDEA5}3⤵
- Executes dropped EXE
PID:2180
-
-
-
C:\Program Files\Bonjour\mDNSResponder.exe"C:\Program Files\Bonjour\mDNSResponder.exe"1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:2292
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2248
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Create or Modify System Process 1
Windows Service 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Create or Modify System Process 1
Windows Service 1
Downloads
-
Filesize 118KB
MD5 fe406303970480e0919b35295e4dc4bc
SHA1 2f8548b219ecaeb8b7ec3a431e6b90a967094f3e
SHA256 8c1cc4cbb7d2fe5af1d35b69b50dc70548a88162fb25de1e4218ea808b5fbcf9
SHA512 78435bac7a476e72641255b15660af7105f3094f5ac88641771ecd664ccf85003541a8478a990898661e9217ef3ef58b498b54d37bf074082450e3742c942347
-
Filesize 451KB
MD5 ebbcd5dfbb1de70e8f4af8fa59e401fd
SHA1 5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88
SHA256 17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122
SHA512 2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4
-
Filesize 129KB
MD5 f9d908de6b166dac9b89bf62fa291ce8
SHA1 938b53238291fc41ae852fdde51eed7a2bff0604
SHA256 d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02
SHA512 6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e
-
Filesize 16KB
MD5 ca086bb31b598febd7e8d44daf14714a
SHA1 4838808e80df811cfb2bf7faf361b3cbc16f9f81
SHA256 3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c
SHA512 54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5
-
Filesize 6.3MB
MD5 21737a4137b30f0710a8f1e36fc7b4cc
SHA1 5ca0fd2b6392b36e9218d90d5f7b30900f5cefff
SHA256 5d66946947a89d8e486f667d7fc9bbe6117771e576d4e7e3e77ce1eae367cfb4
SHA512 e40710e4799ce0cf6558f7691322f8bdf97511e44082a17a8ec7cce7a4e1167e0fdfa5bc720eba5f6bee1d425ec4aa4f77ea260674a2d58b99de7bd595f9261a
-
Filesize 7.4MB
MD5 43a76d2223dc51b3afb5ab2c6d740665
SHA1 5660d86fc7e9d132f432f20bb4cf4c26dee81a39
SHA256 81574d5267d75e55633903f100903ec6d04252944a8f9135114253541b61d020
SHA512 55894cf0a02602ad36b798293bd56ae234317b93dc15f092c5d418b64c7300c49866cf7fc2dd67c14f221c4410a515195ca0a12944fe60b00d290115165f60c2
-
Filesize 67KB
MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize 57KB
MD5 c23d4d5a87e08f8a822ad5a8dbd69592
SHA1 317df555bc309dace46ae5c5589bec53ea8f137e
SHA256 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512 fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b
-
Filesize 1.8MB
MD5 41e098a7c75c0f2fcdcc4c1b605f8cf5
SHA1 b794e06eaba21f0c765841695424d88421f1255b
SHA256 8069bfd2667f5a62519ee604c1062574a0db69c4cfd1b55a0f3895ce7670ee9c
SHA512 777ed995ccc93d768955310841d98ccae155d0a5a2cfa314fb7cfed54c82f65e865ca697210c35d0824076ae9b2459ac85d8ba7dfcc4ae4e6d2af4feb1574c6a
-
Filesize 175KB
MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize 2.9MB
MD5 3d9fe4c7359d7bb512a86ecb17c42a37
SHA1 79fb651f042d5b2c882c405cde1dc8383b8add60
SHA256 069211bd28e0db91fdc24ba58008c5787b1a09d1cd6ebeaefbeb24ef4522c8fa
SHA512 9f6e26445cec5f6d6518bfdb0d1b6030d2a5f6317e8719716de8dfa8de5a2f63ce780bda1986ebb2ce4caf5ed418135ee2e0859b5fb11cc243113287b40f2682
-
Filesize 1.5MB
MD5 eaad805f02c09854ca58096c8e40e28b
SHA1 26d25c3c4baa25daaa2bea4b1dcb69294633cd37
SHA256 bbf8e45b5f154232a6df53355896731acadddd1bdba0a6e54350bd19296bfee8
SHA512 f202ccd17895c06b18ba5f411ff6686d6d84f80734333e407d0d175e5b8e816910956a117210c8287179215efd2b2b5440290719a851982f4e863f8a32ebbead
-
Filesize 1.3MB
MD5 806a54f833166c929f30031317bbd22e
SHA1 8e03076b34117d63d4da2287cc287d08e213e1cf
SHA256 d3e5f517681335aca1507d398bd52608688a0968c19825a539cb4f6ea05b70f7
SHA512 d382dd47c199f56839286a4b8ceea00b8a70a63924ba113c0d95b2671890925905b6c31b036c91cd4be25193e9b792a2ff2275f886f7e50e1dc0a7a966a637a3
-
Filesize 148KB
MD5 962b85d5bc8945d80b4839e47efe8fdd
SHA1 3291792ee90594baa9083ef544779d6b550d3fec
SHA256 1b220c5a2f74162d7162ba241ad6c594aaf009cc1329429dcf2112e10477e2b5
SHA512 6a2c104a45cb9f11e9a6e2ba2674c03a8b1102ad2be25f1df3bde6af4933db475a6537b54a8d4086867a655f4067980b99dc4844230f7d2727af45dcf5a794ff
-
Filesize 262KB
MD5 5ecda0a54c4d9babcdb177d54f2e733d
SHA1 e98aa5abf7cc44b50fe6ca7c6b110bb04541fe5b
SHA256 e0926d6cbb4b4bbe673eec59325646ae8f2702e87584bf31dee28c385f45a32c
SHA512 45cb28462f6114765fcf831e2ae4ffc5fee1f59746e9e749106b7cf00b7967a788e5591da2a4e0a6e3ae52d60395d1d66be6112026709c33261c4ca839211616
-
Filesize 385KB
MD5 2dd07d5455d3e762e6efb976d4898174
SHA1 2677189384275f0d95eee10d85f1fac78dc557fe
SHA256 7aefc03e9adf64345164971aad3dcd1264f389c3ade513ae420d64ef1f2c1087
SHA512 8d38171c01c919b072fc7bb7938747d4172825481eb715f576a7a8b7623d2df776d6d9307f496b3f17c244cfe5898ad7557ef432f74ef8682219170596efdda2
-
Filesize 239KB
MD5 d8146c43b587f98bf1ea586c2b7a71ba
SHA1 5fb052b1fff7762bcbe1a923ccf5520b6f268834
SHA256 c7d4daf78b820c2a31dff646d4f199c1a05faf149178b6cccc776609aa3f06da
SHA512 028c3d77ca56d40627b9cc900492a5ea2eee31a1f69c14349c6c5c7791f3aab45a27e12556c1486f0d1cd3f028d35f35e7e8886c7892efed7d4660d0814e998f
-
Filesize 23KB
MD5 be8e1e66c14d73fd42b004eaea7c2e5f
SHA1 3f5091e47282f0f8e80027c1b7bcb91f10bf28b2
SHA256 6afb00abaaa7be31895d47a59efaab360e592f08daf1d45919fe21e90aa6132a
SHA512 833f7a0ea9efbfe3d2e0ec7ee1ea13a29b32fbf096cfae57e59af4f7ee4ab3adde19c851a8413eb079e74d25dcf01390ed0dfebeb3f5ab7ac234aa9a46a29daf
-
Filesize 21KB
MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff
-
C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\PACE License Support Win64.msi
Filesize 30.0MB
MD5 5b80b53045af4498c992e2ee97f3ebf5
SHA1 bd315c40939f506c268933235b732c1f6eeab150
SHA256 0b0d4c5cb5335a57c2129f65c3302cea48d8122ad1eaf7d2607cda55321ae2f9
SHA512 c61a78c90d3574956a5350fa6ca15a848f459472cb65c77cb783de1a8dbbac1b63a55795b4cbd5703a21a40a2454b31e312dd10f65a5d7f17096928f38e2d6a9
-
Filesize 9KB
MD5 3fd12382488e4c7b2a9adb557941ed10
SHA1 266f3e5710565a2768958fe8070af5d0f9ba016c
SHA256 91c610ed4d3116410f91a8f32cfe83a452b0fc80d074e57d9970aa88d45772ba
SHA512 17e6e031b894b1f45c00c9169ce03c50e42e1ea1f1a31bbb2e7ca43a964ef50e1f312fc1f981e3aa50cd8bf24bb4168e954116e56df9026f951d476f3f33eca9
-
Filesize 10KB
MD5 e890f037d6aea155c7a4202c42867552
SHA1 4cb0bebac4d3c349d426b933f80f6cae120e4840
SHA256 a5116c09b3ce64eff1e5b382cd70417f9c3ef7dafa90c42145b26d964a1746d7
SHA512 24a6663dce3819c8a429748ac084b459aa23d9bf09bb96bc75541c46a2dd10e04196e075065f0e9322c06e543621586812998ad832214486380bf232a81ec055
-
C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi
Filesize 2.6MB
MD5 8dcf5c9eaacdaf4568220d103f393dea
SHA1 27f68596398b68ba048f95752b4eeb4aa013c23f
SHA256 53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93
SHA512 10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088
-
C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize 2.3MB
MD5 bf82864e681af4c99d5df59b5b338448
SHA1 6f5224671f9587509827ecc9581e963c39d9d159
SHA256 b109752bcaab38443c9fd74088f2a058a2f334156aaa72e668aa6b54274d810c
SHA512 d3ffaac7a82afa295adf066acf71e7d5434dbe0e57f42ac95e9bb684c560886248094474634a3b6c9e602710998a10434b5f0ba252b0c80d234b0e603c4e094f
-
C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize 1.7MB
MD5 92d8db8794b9880ca9309fe0b2315f9b
SHA1 7b1fea7e37bc8fe2e1ca052ae15f7e6245d9486b
SHA256 3d8dd82cbc50e6848b93804ec3ffc1c648f9875d6a57cdc68e20498c9d69eb82
SHA512 ba0b49bb0d6e2cfdeceb6f73a7608bc8d356cf9a1a7c3eb46109ffcc321049614ab587fb72408849730ff6b61755f0e7e59e2b0b8268019a8353ac8f8e3587d6
-
C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
Filesize 3.7MB
MD5 79560f30911d9355377bb76b2cfcad0c
SHA1 34ed0a158414d5bf993bdebdd695d9b5fef43680
SHA256 8324780c44582ac4e2f16282a9e5cc45c8bf99c4cf19c37ccd4cd0e5e4486131
SHA512 23de9d1db68ecefa05cc218a2958706e84e9bb77c419ad5dea13595e61b024a4231b8fb4114324e3ad1c3adec135114eca434c3029b4e35c276f61fe9707a92d
-
C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{4EF18522-4489-4423-9A67-6903B272672E}\Windows6.1-KB2999226-x64.msu
Filesize 1010KB
MD5 ad7f5c851f6387e424ab206effb21354
SHA1 54050a5f8ae7f0c56e553f0090146c17a1d2bf8d
SHA256 43234d2986ca9b0de75d5183977964d161a8395c3396279ddfc9b20698e5bc34
SHA512 3ab0a5eb48c7e5aec55640171acec4e3449dd5e5e90345a39c214be16858d5e66892b01fb4a792405c9fcef9a6286c85e5411c79d38d49930d9edfa40e535093
-
Filesize 170B
MD5 5fc8d60855a5cec64e1abbbcc133c23b
SHA1 ca723ea715fc0e217a9133611a56da5dca78b547
SHA256 b0e962259029cec81ec5f5783192f552699aac99a14ddea89f74330e50e9340e
SHA512 847f0397aff3b428c9fda79f82b83b0dbec1410d979c7f80b109f6088fb0d04d843e43b1cff5fb99df2cc5ade9da862aaf907c809dbe16910a46b7d8edc47562
-
Filesize 5KB
MD5 6098f128cf6fe5ddbe128d5cb301c854
SHA1 be8df9ee61475ff6d5913c368e65a1609134fe5a
SHA256 a59e8507bc4beb36b347b43340def8614028f1cf246f7406b63bee70ecea3e03
SHA512 ea0de1f365eae76db99798fe2a8a58614dc1cc35e1a96a4eed558adc011ff1ff8fab74713e687f54775770757b27049541597429b52780f3e5172510aea35430
-
Filesize 75KB
MD5 08c031fa82a09aae1079378669678fe6
SHA1 b109251d2fef08bd446be0c92369e6f11eb67093
SHA256 8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a
SHA512 d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c
-
Filesize 75KB
MD5 6f8e3e4f72620bddc633f0175f47161e
SHA1 53ed75a208cc84f1a065e9e4ece356371cac0341
SHA256 2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e
SHA512 80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869
-
Filesize 1KB
MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize 112KB
MD5 94a321bd8d595ce91a8026bd355c834b
SHA1 e1e7004065d5a04a75791e87115fb751b71074cf
SHA256 ced987548ae4c12aabe0ef841b13611d9c9c16263c70f4ba4e03e66798441cd4
SHA512 1b63471ef9a28aa634b5b12d6c62bc508f031ba37567c2c68ed6905c2e22f546b3ae73f0d2e0c6a897ccba15eade6601415a24dc32abcf7abf467c15d701b9a8
-
Filesize 632KB
MD5 c9d95472a5627c6c455e74c8b8fef5be
SHA1 34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82
SHA256 4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b
SHA512 989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31
-
Filesize 118KB
MD5 40947436a70e0034e41123df5a0a7702
SHA1 6c27e1dd1c1533feb6435190a5074300ac2a9822
SHA256 5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9
SHA512 ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704
-
Filesize 5.5MB
MD5 2f2cfc092856fefee21dda28976b9f5e
SHA1 0d2f294055f946a69387809700d294902b489e41
SHA256 748b1280df5be1e67a57660fa9d7ec7c1793da5d761eb4a254e7775d21fe7f4a
SHA512 a38c6bb714e6bc18fdda70739a45988d94829756fcf43ab48f906ea01b54310ddbabe42f424000fbbc6707dafc1ec99054a156b271d2d83c9a5104d218169767
-
Filesize 141KB
MD5 edb88affffd67bca3523b41d3e2e4810
SHA1 0055b93907665fed56d22a7614a581a87d060ead
SHA256 4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15
SHA512 2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf
-
Filesize 2.6MB
MD5 57a24b37c5950ef633969bc470fb77c7
SHA1 8ceccc0de092110908a867e3ab2b274ca4e5ad64
SHA256 0c89dc35e7a63f1cf21ad1e7653225496d15d38b8a3de800b37369aea40a198d
SHA512 6144bbfab053cbea7e35f8d0ea9b5e22addd59bb113a68709c5b6b78c83de82fba0bc231f31c59a1bd9b1ea1ae933718e6f73355c7feee448597ab604e113c37
-
Filesize 6KB
MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e
-
Filesize 1.2MB
MD5 d0eb7dd08782f010ac10e7e066dfc3df
SHA1 0d2fda64f090e55cf7db9679c512b4f0bb1c403f
SHA256 01aec1cfb8bb777414702427a4046971437d115663132bd0ae29eaefb5855137
SHA512 b1ce26b651ae939e19c28645bd7e064ac15854dac69a404574c512567f7d7a1f0e946879d1fc84a7efd34b4c928440444b110d943712f59c81aebcac384674ca
-
\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize 4.4MB
MD5 20ab3a4b7f27febe6ed047751092fcad
SHA1 bf20c8695f9751654782b56ddde42768aa2d458e
SHA256 96e49374dc6f98e90fc087bced4dfffaf1f73052e76e77b1ba839a58936401f2
SHA512 fdc7f0a56f73fc82dacd7db91a0697667288b438eb5e312f3dde77d318f5f0d9aedf23947d73395f06fa62a7e9776231a067c8dcf65892f3518e8c74a470829f
-
\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
Filesize 14.4MB
MD5 be433764fa9bbe0f2f9c654f6512c9e0
SHA1 b87c38d093872d7be7e191f01107b39c87888a5a
SHA256 40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed
SHA512 8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191
-
Filesize 191KB
MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize 632KB
MD5 94970fc3a8ed7b9de44f4117419ce829
SHA1 aa1292f049c4173e2ab60b59b62f267fd884d21a
SHA256 de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e
SHA512 b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f
-
Filesize 128KB
MD5 59cbe607e8e90ac76d88ace87d1f4239
SHA1 5a69e6deb0ebbdbddb6f3c8c9a7a8864ac2069bf
SHA256 0e0c7e323e962838e93860e00672f8770a009c30b0d0e51de90cb63208d1b59c
SHA512 3c79e38e86f4683e36e2cc685c9214248e76e2f07808448a062ecef44dc88538a843a174754b04d67581021d493c8a4ce20826a124fc5208ac8fed9a09890df1