Analysis
max time kernel: 127s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2024, 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: LittleAlterBoy5_5.4.1.17134_64.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: LittleAlterBoy5_5.4.1.17134_64.exe
  Resource: win10v2004-20240226-en
General
Target: LittleAlterBoy5_5.4.1.17134_64.exe
Size: 217.0MB
MD5: a62c37dc3c08181bad7e1616ec0d919f
SHA1: 8a2e83146e4b10eb2c0ed8963c643f058877004d
SHA256: b65612ace7fc0ae0b5a795abde581c3451388159f63364f4c48f4a2b86234c59
SHA512: a8fb973ce513e19261e87848fa942043e9e8a0a009e37e781301918c62273255f7f5fa00ae5879d6c7e30dec5761b7565d331a0b02b5e64ded2a753170844009
SSDEEP: 6291456:A+EQz6xNZdyDarLdwoixcNiUtSUzNOr2NxeS7c+Vl+uz:A+EFxcDaVLi4jSUzUeT733+y
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | mDNSResponder.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | License Support Win64.exe
Executes dropped EXE (64 IoCs)
pid Process 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 4732 _setup64.tmp 4212 License Support Win64.exe 3292 VC_redist.x86.exe 3776 VC_redist.x86.exe 3376 VC_redist.x64.exe 2172 VC_redist.x64.exe 2120 mDNSResponder.exe 2632 Process not Found 856 ISBEW64.exe 2660 ISBEW64.exe 2376 ISBEW64.exe 2292 ISBEW64.exe 3784 ISBEW64.exe 2896 ISBEW64.exe 4784 ISBEW64.exe 2204 ISBEW64.exe 1212 ISBEW64.exe 3628 ISBEW64.exe 4068 ISBEW64.exe 3476 ISBEW64.exe 2868 ISBEW64.exe 872 ISBEW64.exe 4216 ISBEW64.exe 864 ISBEW64.exe 2500 ISBEW64.exe 4492 ISBEW64.exe 1812 ISBEW64.exe 1364 ISBEW64.exe 1176 ISBEW64.exe 2864 ISBEW64.exe 376 Process not Found 5468 ISBEW64.exe 5508 ISBEW64.exe 5540 ISBEW64.exe 5532 ISBEW64.exe 5620 ISBEW64.exe 5664 ISBEW64.exe 5700 ISBEW64.exe 5732 ISBEW64.exe 5760 ISBEW64.exe 5796 ISBEW64.exe 5828 ISBEW64.exe 9464 ISBEW64.exe 5900 ISBEW64.exe 5924 ISBEW64.exe 5956 ISBEW64.exe 5992 ISBEW64.exe 6040 ISBEW64.exe 6072 ISBEW64.exe 6100 ISBEW64.exe 6140 ISBEW64.exe 6176 ISBEW64.exe 6212 ISBEW64.exe 7276 LDSvc.exe 7520 ISBEW64.exe 9708 ISBEW64.exe 7592 ISBEW64.exe 7620 ISBEW64.exe 7656 ISBEW64.exe 7700 ISBEW64.exe 7740 ISBEW64.exe 7768 ISBEW64.exe 7800 ISBEW64.exe -
Loads dropped DLL (49 IoCs)
pid Process 3776 VC_redist.x86.exe 2172 VC_redist.x64.exe 4140 MsiExec.exe 4140 MsiExec.exe 4140 MsiExec.exe 2712 MsiExec.exe 2712 MsiExec.exe 2800 MsiExec.exe 2088 MsiExec.exe 3360 MsiExec.exe 4212 License Support Win64.exe 2808 MsiExec.exe 2808 MsiExec.exe 2808 MsiExec.exe 2552 Process not Found 2808 MsiExec.exe 2808 MsiExec.exe 2808 MsiExec.exe 2808 MsiExec.exe 2808 MsiExec.exe 4212 License Support Win64.exe 4212 License Support Win64.exe 4212 License Support Win64.exe 4212 License Support Win64.exe 5288 MsiExec.exe 5288 MsiExec.exe 1516 Process not Found 5288 MsiExec.exe 5288 MsiExec.exe 5288 MsiExec.exe 5288 MsiExec.exe 5288 MsiExec.exe 5288 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 7276 LDSvc.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe 9388 MsiExec.exe -
Registers COM server for autorun (1 TTPs, 16 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32 | msiexec.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Program Files\\Soundtoys\\Utilities\\License Support Win64.exe\"" | License Support Win64.exe
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
54 | 3656 | msiexec.exe
56 | 3656 | msiexec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: License Support Win64.exe File opened (read-only) \??\S: License Support Win64.exe File opened (read-only) \??\W: License Support Win64.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: License Support Win64.exe File opened (read-only) \??\H: License Support Win64.exe File opened (read-only) \??\M: License Support Win64.exe File opened (read-only) \??\O: License Support Win64.exe File opened (read-only) \??\U: License Support Win64.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: License Support Win64.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: License Support Win64.exe File opened (read-only) \??\N: License Support Win64.exe File opened (read-only) \??\Q: License Support Win64.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: License Support Win64.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: License Support Win64.exe File opened (read-only) \??\L: License Support Win64.exe File opened (read-only) \??\R: License Support Win64.exe File opened (read-only) \??\T: License Support Win64.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: License Support Win64.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe 
File opened (read-only) \??\J: License Support Win64.exe File opened (read-only) \??\K: License Support Win64.exe File opened (read-only) \??\V: License Support Win64.exe File opened (read-only) \??\X: License Support Win64.exe File opened (read-only) \??\Y: License Support Win64.exe File opened (read-only) \??\G: msiexec.exe -
Drops file in System32 directory (27 IoCs)
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETBA07.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\iLokDrvr.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\iLokDrvr64.inf DrvInst.exe File created C:\Windows\SysWOW64\dnssd.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F5.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F5.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\iLokDrvr64.inf DrvInst.exe File created C:\Windows\system32\dns-sd.exe msiexec.exe File created C:\Windows\system32\jdns_sd.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\WdfCoInstaller01007.dll DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\SysWOW64\jdns_sd.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F6.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\iLokDrvr.sys DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETBA07.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\WdfCoInstaller01007.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722} DrvInst.exe File created 
C:\Windows\SysWOW64\dns-sd.exe msiexec.exe File created C:\Windows\SysWOW64\dnssdX.dll msiexec.exe File created C:\Windows\system32\dnssd.dll msiexec.exe File created C:\Windows\system32\dnssdX.dll msiexec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\ilok-x64.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\ilok-x64.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F6.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F4.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F4.tmp DrvInst.exe -
Drops file in Program Files directory (64 IoCs)
description ioc Process File created C:\Program Files (x86)\Common Files\PACE\Proxy\libpaceedenexperience.dll msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\WrapPersist.dll msiexec.exe File created C:\Program Files (x86)\iLok License Manager\ssleay32.dll msiexec.exe File opened for modification C:\Program Files\Soundtoys\uninst\unins000.dat LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\Platforms\qwindows.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\iLokDrvr.sys msiexec.exe File opened for modification C:\Program Files\Soundtoys\Utilities\License Support Win64.exe LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files\Soundtoys\Manuals\is-AF14U.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files\Bonjour\About Bonjour.lnk msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\iLokDrvr64.inf msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\SHA1\iLokDrvr64.inf msiexec.exe File created C:\Program Files (x86)\iLok License Manager\iloktool.exe msiexec.exe File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\Contents\x64\is-IRVLL.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qsvg.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\SHA1\iLokDrvr.sys msiexec.exe File created 
C:\Program Files\Bonjour\dns_sd.jar msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Qt5Widgets.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe msiexec.exe File created C:\Program Files (x86)\iLok License Manager\LicenseSupportDiagnostic.exe msiexec.exe File created C:\Program Files (x86)\iLok License Manager\Qt5Gui.dll msiexec.exe File created C:\Program Files (x86)\iLok License Manager\WinSparkle.dll msiexec.exe File created C:\Program Files\Soundtoys\is-HU92Q.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files\Soundtoys\is-09A9F.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files\Soundtoys\Utilities\is-SIRCR.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files\Soundtoys\uninst\unins000.dat LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-NACDI.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Bonjour\mDNSResponder.exe msiexec.exe File created C:\Program Files (x86)\iLok License Manager\Plugins\ImageFormats\qsvg.dll msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf msiexec.exe 
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Qt5Network.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\WdfCoInstaller01007.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\ilok-x64.cat msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr.sys msiexec.exe File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-0EA21.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files\Soundtoys\uninst\is-G6B6B.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\iLok License Manager\libeay32MD.dll msiexec.exe File created C:\Program Files (x86)\Bonjour\dns_sd.jar msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qico.dll msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf msiexec.exe File created C:\Program Files\Bonjour\mDNSResponder.exe msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Qt5Gui.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qjpeg.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qtiff.dll msiexec.exe File created C:\Program Files (x86)\iLok License Manager\qt.conf msiexec.exe File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-CHQ9J.tmp LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Bonjour\mdnsNSP.dll msiexec.exe File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr64.inf msiexec.exe File created C:\Program Files (x86)\iLok 
License Manager\Plugins\ImageFormats\qgif.dll msiexec.exe File opened for modification C:\Program Files\Vstplugins\Soundtoys\LittleAlterBoy.dll LittleAlterBoy5_5.4.1.17134_64.tmp File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\WdfCoInstaller01007.dll msiexec.exe File created C:\Program Files\Soundtoys\Utilities\is-JJO13.tmp LittleAlterBoy5_5.4.1.17134_64.tmp -
Drops file in Windows directory (64 IoCs)
description ioc Process File created C:\Windows\WinSxS\InstallTemp\20240304141305503.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305642.0\mfcm80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305564.0\8.0.50727.762.cat msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140fra.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File created C:\Windows\Installer\e580a8f.msi msiexec.exe File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305705.0\8.0.50727.762.cat msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240304141305642.0 msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File created C:\Windows\Installer\SourceHash{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D} msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305580.0\mfc80u.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfcm100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140jpn.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140rus.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfcm140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File opened for modification C:\Windows\Installer\MSIB4D1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA494.tmp msiexec.exe File opened for modification 
C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68 msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100esn_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcruntime140.dll.363ED482_721F_3A34_85B3_A96CD936D64F msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140deu.dll.363ED482_721F_3A34_85B3_A96CD936D64F msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vccorlib140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305439.1\8.0.50727.762.policy msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100ita_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140cht.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140ita.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240304141305877.0 msiexec.exe File opened for modification C:\Windows\Installer\MSI9997.tmp msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305580.0\mfc80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305720.1\mfc80JPN.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcruntime140.dll.363ED482_721F_3A34_85B3_A96CD936D64F msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305799.0\mfc80CHT.dll msiexec.exe File created 
C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100chs_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100esn_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfcm100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log wusa.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305424.0\ATL80.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100esn_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305720.1\mfc80KOR.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305877.0\8.0.50727.762.cat msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100enu_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcomp140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File created 
C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140rus.dll.363ED482_721F_3A34_85B3_A96CD936D64F msiexec.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSID79.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF04.tmp msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140fra.dll.363ED482_721F_3A34_85B3_A96CD936D64F msiexec.exe File opened for modification C:\Windows\WinSxS\InstallTemp\20240304141305720.0 msiexec.exe File opened for modification C:\Windows\Installer\MSIDF7.tmp msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305877.0\8.0.50727.762.policy msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100deu_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_vcomp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305503.0\msvcm80.dll msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305720.0\8.0.50727.762.policy msiexec.exe File created C:\Windows\WinSxS\InstallTemp\20240304141305720.1\mfc80ITA.dll msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\msvcp140.dll.363ED482_721F_3A34_85B3_A96CD936D64F msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcruntime140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File opened for modification 
C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\concrt140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140cht.dll.363ED482_721F_3A34_85B3_A96CD936D64F msiexec.exe -
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 47 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 pnputil.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID pnputil.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom pnputil.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs pnputil.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID pnputil.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 pnputil.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom pnputil.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DrvInst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID pnputil.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom pnputil.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs pnputil.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs pnputil.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 pnputil.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom pnputil.exe
-
Modifies data under HKEY_USERS 62 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" DrvInst.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MsiExec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MsiExec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E msiexec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe
Key created \REGISTR
Y\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 msiexec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MsiExec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MsiExec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
-
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID\ = "Bonjour.DNSSDRecord" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F} msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\CLSID\ = "{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ = "DNSSDRecord Class" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D6E0FC12667136f48A3356A4B112AB68\iLokLicenseManagerShortcut msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID\ = "Bonjour.DNSSDRecord.1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods\ = "14" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList\Media\DiskPrompt = "[1]" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID\ = "Bonjour.DNSSDService.1" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager.1 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,type="win32",version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e0032005f0072002700710025004a006a004a0034007600780044002800660049004c0067005a00780000000000 msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList\Net msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList\Media msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\PackageName = "Bonjour64.msi" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods\ = "7" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ = "IDNSSDService" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\Version = "1.0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D6E0FC12667136f48A3356A4B112AB68 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID\ = "Bonjour.DNSSDService" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,type="win32-policy",version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e005e002a00320070005a00740060003f0050003500620061005700370038003400280076006c006b0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord.1 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS\ = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\AdvertiseFlags = "388" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734} msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221} msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ = "DNSSDService Class" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A} msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE} msiexec.exe
-
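The entries in this section worth a second look are the InprocServer32 values: they are the DLL paths COM will load whenever the Bonjour CLSIDs are instantiated, and a CLSID whose server path points into a user-writable directory is how COM hijacking and COM-based persistence show up in registry telemetry. Here both servers resolve to dnssdX.dll under the Windows system directories and were written by msiexec.exe during the Bonjour64.msi install. The Python below is an added example written for this report, not tria.ge or Bonjour code. It parses IoC lines in the report's own "description ioc Process" shape, normalises the escaped DLL path, joins ProgIDs to CLSIDs and classes each server by where its binary lives. The SAMPLE lines are copied from the entries above, except the last one, which is a constructed line with a made-up CLSID, DLL and process, included only so the check has something to flag; the directory classes are this example's own assumption.

```python
"""Extract COM server registrations from sandbox registry IoC lines.

Added example for this report (not tria.ge or Bonjour code). It parses lines
in the report's own 'description ioc Process' shape, joins ProgIDs to CLSIDs
and classes each server DLL/EXE by the directory it lives in.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. Lines 1-4 are entries from this report's
# 'Modifies registry class' section; line 5 is NOT from the report
# (hypothetical CLSID, DLL and process) and exists only to trip the check.
SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID\ = "Bonjour.DNSSDRecord.1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221} msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000BEEF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hypothetical.dll" hypothetical.exe
"""

GUID = r"\{[0-9A-F-]{36}\}"

# Default value of CLSID\{...}\InprocServer32 (DLL) or LocalServer32 (EXE):
# the path COM loads when the class is instantiated.
SERVER_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
    r'(?P<wow>WOW6432Node\\)?CLSID\\(?P<clsid>' + GUID + r')\\'
    r'(?P<kind>InprocServer32|LocalServer32)\\(?P<name>\S*) = "(?P<path>[^"]*)" (?P<proc>\S+)$',
    re.IGNORECASE | re.MULTILINE,
)
PROGID_RE = re.compile(r'CLSID\\(?P<clsid>' + GUID + r')\\ProgID\\ = "(?P<progid>[^"]+)"', re.IGNORECASE)

# Directory classes (this example's assumption): only the Windows system
# directories count as 'system'; anything a standard user can write to is
# where COM hijacks and COM-based persistence usually point.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ComServer:
    clsid: str
    kind: str            # InprocServer32 or LocalServer32
    path: str            # normalised server path
    wow64: bool          # registered under WOW6432Node (32-bit view)
    process: str         # process that wrote the value
    progid: Optional[str]
    location: str        # system / user-writable / other


def classify_path(path: str) -> str:
    p = path.lower()
    if p.startswith(SYSTEM_DIRS):
        return "system"
    if p.startswith(USER_WRITABLE):
        return "user-writable"
    return "other"


def extract_com_servers(text: str) -> List[ComServer]:
    progids = {m["clsid"].upper(): m["progid"] for m in PROGID_RE.finditer(text)}
    servers = []
    for m in SERVER_RE.finditer(text):
        if m["name"]:                                # e.g. ThreadingModel, not the server path
            continue
        path = m["path"].replace("\\\\", "\\")       # the report escapes backslashes
        clsid = m["clsid"].upper()
        servers.append(ComServer(
            clsid=clsid, kind=m["kind"], path=path, wow64=bool(m["wow"]),
            process=m["proc"], progid=progids.get(clsid), location=classify_path(path),
        ))
    return servers


def flagged(servers: List[ComServer]) -> List[ComServer]:
    """Servers whose binary lives somewhere a standard user can replace it."""
    return [s for s in servers if s.location == "user-writable"]


if __name__ == "__main__":
    found = extract_com_servers(SAMPLE)
    for s in found:
        print(f"{s.clsid} {s.progid or '-'} {s.kind} {'wow64 ' if s.wow64 else ''}{s.path} [{s.location}] by {s.process}")
    print("flagged:", [s.clsid for s in flagged(found)])
```

Run against the full section the two real registrations come out as "system" and only the constructed line is flagged. Program Files paths land in "other" on purpose: they are admin-writable only, so for an installer they are expected, but they still deserve a look when the writing process is not an installer.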
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
2336 LittleAlterBoy5_5.4.1.17134_64.tmp
2336 LittleAlterBoy5_5.4.1.17134_64.tmp
3656 msiexec.exe
3656 msiexec.exe
7276 LDSvc.exe
7276 LDSvc.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 2372 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2372 msiexec.exe
Token: SeSecurityPrivilege 3656 msiexec.exe
Token: SeCreateTokenPrivilege 2372 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2372 msiexec.exe
Token: SeLockMemoryPrivilege 2372 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2372 msiexec.exe
Token: SeMachineAccountPrivilege 2372 msiexec.exe
Token: SeTcbPrivilege 2372 msiexec.exe
Token: SeSecurityPrivilege 2372 msiexec.exe
Token: SeTakeOwnershipPrivilege 2372 msiexec.exe
Token: SeLoadDriverPrivilege 2372 msiexec.exe
Token: SeSystemProfilePrivilege 2372 msiexec.exe
Token: SeSystemtimePrivilege 2372 msiexec.exe
Token: SeProfSingleProcessPrivilege 2372 msiexec.exe
Token: SeIncBasePriorityPrivilege 2372 msiexec.exe
Token: SeCreatePagefilePrivilege 2372 msiexec.exe
Token: SeCreatePermanentPrivilege 2372 msiexec.exe
Token: SeBackupPrivilege 2372 msiexec.exe
Token: SeRestorePrivilege 2372 msiexec.exe
Token: SeShutdownPrivilege 2372 msiexec.exe
Token: SeDebugPrivilege 2372 msiexec.exe
Token: SeAuditPrivilege 2372 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2372 msiexec.exe
Token: SeChangeNotifyPrivilege 2372 msiexec.exe
Token: SeRemoteShutdownPrivilege 2372 msiexec.exe
Token: SeUndockPrivilege 2372 msiexec.exe
Token: SeSyncAgentPrivilege 2372 msiexec.exe
Token: SeEnableDelegationPrivilege 2372 msiexec.exe
Token: SeManageVolumePrivilege 2372 msiexec.exe
Token: SeImpersonatePrivilege 2372 msiexec.exe
Token: SeCreateGlobalPrivilege 2372 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
Token: SeRestorePrivilege 3656 msiexec.exe
Token: SeTakeOwnershipPrivilege 3656 msiexec.exe
-
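Reading a list like this: each entry is one AdjustTokenPrivileges attempt by that PID. It does not say whether the privilege was actually held (the call can only enable privileges already present in the token), and repeated entries are repeated calls, not extra grants. The 2372 entries span nearly the whole privilege list; the 3656 entries are SeRestorePrivilege and SeTakeOwnershipPrivilege over and over, which is what a process writing files and keys regardless of their ACLs looks like. Whether that is acceptable depends on who the process is: 3656 is the msiexec.exe /V service instance in the process tree further down, and 2372 is the /i client that License Support Win64.exe launched. The Python below is an added example written for this report, not tria.ge code. It collapses the entries per PID, separates the handful of privileges that matter for escalation and tampering from the rest, and flags the "enable everything" pattern. SAMPLE is the 2372 entries and a few of the 3656 entries above in the page's flattened form; the HIGH_VALUE set and ENABLE_ALL_THRESHOLD are this example's own choices.

```python
"""Per-process triage of 'Suspicious use of AdjustPrivilegeToken' entries.

Added example for this report, not tria.ge code. An entry records one
AdjustTokenPrivileges attempt; it does not show whether the token held the
privilege, and repeated entries are repeated calls, not extra grants.
"""
import re

# Constructed sample: this report's entries for PID 2372 plus a few for
# PID 3656, in the flattened form the page uses.
SAMPLE = (
    "Token: SeShutdownPrivilege 2372 msiexec.exe Token: SeIncreaseQuotaPrivilege 2372 msiexec.exe "
    "Token: SeSecurityPrivilege 3656 msiexec.exe Token: SeCreateTokenPrivilege 2372 msiexec.exe "
    "Token: SeAssignPrimaryTokenPrivilege 2372 msiexec.exe Token: SeLockMemoryPrivilege 2372 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 2372 msiexec.exe Token: SeMachineAccountPrivilege 2372 msiexec.exe "
    "Token: SeTcbPrivilege 2372 msiexec.exe Token: SeSecurityPrivilege 2372 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeLoadDriverPrivilege 2372 msiexec.exe "
    "Token: SeSystemProfilePrivilege 2372 msiexec.exe Token: SeSystemtimePrivilege 2372 msiexec.exe "
    "Token: SeProfSingleProcessPrivilege 2372 msiexec.exe Token: SeIncBasePriorityPrivilege 2372 msiexec.exe "
    "Token: SeCreatePagefilePrivilege 2372 msiexec.exe Token: SeCreatePermanentPrivilege 2372 msiexec.exe "
    "Token: SeBackupPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe "
    "Token: SeShutdownPrivilege 2372 msiexec.exe Token: SeDebugPrivilege 2372 msiexec.exe "
    "Token: SeAuditPrivilege 2372 msiexec.exe Token: SeSystemEnvironmentPrivilege 2372 msiexec.exe "
    "Token: SeChangeNotifyPrivilege 2372 msiexec.exe Token: SeRemoteShutdownPrivilege 2372 msiexec.exe "
    "Token: SeUndockPrivilege 2372 msiexec.exe Token: SeSyncAgentPrivilege 2372 msiexec.exe "
    "Token: SeEnableDelegationPrivilege 2372 msiexec.exe Token: SeManageVolumePrivilege 2372 msiexec.exe "
    "Token: SeImpersonatePrivilege 2372 msiexec.exe Token: SeCreateGlobalPrivilege 2372 msiexec.exe "
    "Token: SeRestorePrivilege 3656 msiexec.exe Token: SeTakeOwnershipPrivilege 3656 msiexec.exe "
    "Token: SeRestorePrivilege 3656 msiexec.exe Token: SeTakeOwnershipPrivilege 3656 msiexec.exe"
)

TOKEN_RE = re.compile(r"Token: (?P<priv>Se\w+?Privilege) (?P<pid>\d+) (?P<proc>\S+)")

# Privileges worth a second look (this example's selection): each lets a
# process cross a boundary that ACLs or process isolation would otherwise enforce.
HIGH_VALUE = {
    "SeDebugPrivilege": "open and write any process",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeAssignPrimaryTokenPrivilege": "start processes under another token",
    "SeImpersonatePrivilege": "impersonate clients",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
}

# A process enabling this many distinct privileges is walking the whole list
# rather than asking for what one operation needs (threshold is ours).
ENABLE_ALL_THRESHOLD = 20


def parse_tokens(text):
    """pid -> {'process', 'privileges' (distinct, first-seen order), 'calls'}."""
    per_pid = {}
    for m in TOKEN_RE.finditer(text):
        pid = int(m["pid"])
        entry = per_pid.setdefault(pid, {"process": m["proc"], "privileges": [], "calls": 0})
        entry["calls"] += 1
        if m["priv"] not in entry["privileges"]:
            entry["privileges"].append(m["priv"])
    return per_pid


def triage(text):
    """One row per PID with the numbers an analyst wants to see first."""
    rows = []
    for pid, e in parse_tokens(text).items():
        rows.append({
            "pid": pid,
            "process": e["process"],
            "calls": e["calls"],
            "distinct": len(e["privileges"]),
            "high_value": [p for p in e["privileges"] if p in HIGH_VALUE],
            "enables_everything": len(e["privileges"]) >= ENABLE_ALL_THRESHOLD,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['pid']} {row['process']}: {row['calls']} calls, {row['distinct']} distinct"
              f"{' (enables everything)' if row['enables_everything'] else ''}")
        for priv in row["high_value"]:
            print(f"    {priv}: {HIGH_VALUE[priv]}")
```

The summary puts 2372 at 31 calls over 29 distinct privileges, nine of them high value, and 3656 at a handful of calls cycling through SeRestorePrivilege and SeTakeOwnershipPrivilege. Neither number is a verdict on its own; they tell you which process to check against its parent and command line in the tree below.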
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2336 LittleAlterBoy5_5.4.1.17134_64.tmp
4212 License Support Win64.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 828 wrote to memory of 2336 828 LittleAlterBoy5_5.4.1.17134_64.exe 90
PID 828 wrote to memory of 2336 828 LittleAlterBoy5_5.4.1.17134_64.exe 90
PID 828 wrote to memory of 2336 828 LittleAlterBoy5_5.4.1.17134_64.exe 90
PID 2336 wrote to memory of 4732 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 97
PID 2336 wrote to memory of 4732 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 97
PID 2336 wrote to memory of 4212 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 99
PID 2336 wrote to memory of 4212 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 99
PID 2336 wrote to memory of 4212 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 99
PID 4212 wrote to memory of 3292 4212 License Support Win64.exe 100
PID 4212 wrote to memory of 3292 4212 License Support Win64.exe 100
PID 4212 wrote to memory of 3292 4212 License Support Win64.exe 100
PID 3292 wrote to memory of 3776 3292 VC_redist.x86.exe 101
PID 3292 wrote to memory of 3776 3292 VC_redist.x86.exe 101
PID 3292 wrote to memory of 3776 3292 VC_redist.x86.exe 101
PID 4212 wrote to memory of 3376 4212 License Support Win64.exe 102
PID 4212 wrote to memory of 3376 4212 License Support Win64.exe 102
PID 4212 wrote to memory of 3376 4212 License Support Win64.exe 102
PID 3376 wrote to memory of 2172 3376 VC_redist.x64.exe 103
PID 3376 wrote to memory of 2172 3376 VC_redist.x64.exe 103
PID 3376 wrote to memory of 2172 3376 VC_redist.x64.exe 103
PID 4212 wrote to memory of 2372 4212 License Support Win64.exe 104
PID 4212 wrote to memory of 2372 4212 License Support Win64.exe 104
PID 4212 wrote to memory of 2372 4212 License Support Win64.exe 104
PID 3656 wrote to memory of 4140 3656 msiexec.exe 107
PID 3656 wrote to memory of 4140 3656 msiexec.exe 107
PID 3656 wrote to memory of 2712 3656 msiexec.exe 108
PID 3656 wrote to memory of 2712 3656 msiexec.exe 108
PID 3656 wrote to memory of 2712 3656 msiexec.exe 108
PID 3656 wrote to memory of 2800 3656 msiexec.exe 109
PID 3656 wrote to memory of 2800 3656 msiexec.exe 109
PID 3656 wrote to memory of 2800 3656 msiexec.exe 109
PID 3656 wrote to memory of 2088 3656 msiexec.exe 110
PID 3656 wrote to memory of 2088 3656 msiexec.exe 110
PID 3656 wrote to memory of 3360 3656 msiexec.exe 111
PID 3656 wrote to memory of 3360 3656 msiexec.exe 111
PID 3656 wrote to memory of 3360 3656 msiexec.exe 111
PID 4212 wrote to memory of 3744 4212 License Support Win64.exe 114
PID 4212 wrote to memory of 3744 4212 License Support Win64.exe 114
PID 4212 wrote to memory of 3744 4212 License Support Win64.exe 114
PID 3656 wrote to memory of 2808 3656 msiexec.exe 115
PID 3656 wrote to memory of 2808 3656 msiexec.exe 115
PID 3656 wrote to memory of 2808 3656 msiexec.exe 115
PID 2808 wrote to memory of 856 2808 MsiExec.exe 116
PID 2808 wrote to memory of 856 2808 MsiExec.exe 116
PID 2808 wrote to memory of 2660 2808 MsiExec.exe 117
PID 2808 wrote to memory of 2660 2808 MsiExec.exe 117
PID 2808 wrote to memory of 2376 2808 MsiExec.exe 118
PID 2808 wrote to memory of 2376 2808 MsiExec.exe 118
PID 2808 wrote to memory of 2292 2808 MsiExec.exe 119
PID 2808 wrote to memory of 2292 2808 MsiExec.exe 119
PID 2808 wrote to memory of 3784 2808 MsiExec.exe 120
PID 2808 wrote to memory of 3784 2808 MsiExec.exe 120
PID 2808 wrote to memory of 2896 2808 MsiExec.exe 121
PID 2808 wrote to memory of 2896 2808 MsiExec.exe 121
PID 2808 wrote to memory of 4784 2808 MsiExec.exe 122
PID 2808 wrote to memory of 4784 2808 MsiExec.exe 122
PID 2808 wrote to memory of 2204 2808 MsiExec.exe 123
PID 2808 wrote to memory of 2204 2808 MsiExec.exe 123
PID 2808 wrote to memory of 1212 2808 MsiExec.exe 124
PID 2808 wrote to memory of 1212 2808 MsiExec.exe 124
PID 2808 wrote to memory of 3628 2808 MsiExec.exe 125
PID 2808 wrote to memory of 3628 2808 MsiExec.exe 125
PID 2808 wrote to memory of 4068 2808 MsiExec.exe 126
PID 2808 wrote to memory of 4068 2808 MsiExec.exe 126
-
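These entries are the sandbox's record of process creation as much as of injection: the parent is seen writing into each child it starts, and two or three writes per child are the normal pattern here. The parent-child pairs therefore reconstruct the launch chain on their own, independently of the "Processes" tree further down, and they show that the Windows Installer service instance (3656, msiexec.exe /V) is a separate root: the /i client 2372 reaches it over RPC rather than spawning it. The Python below is an added example written for this report, not tria.ge code. It parses the entries in the report's own shape, deduplicates the repeated writes while keeping the count, and renders the tree. Child image names are not in these lines, so PID_IMAGES is filled in by hand from the Processes section; SAMPLE is a subset of the entries above.

```python
"""Rebuild the launch chain from 'Suspicious use of WriteProcessMemory' entries.

Added example for this report, not tria.ge code. Each entry is one write by
a parent into a child; repeated entries for the same pair are collapsed
into one edge with a call count.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries in this report, one per line,
# including the repeated writes the sandbox logs for a single child.
SAMPLE = """
PID 828 wrote to memory of 2336 828 LittleAlterBoy5_5.4.1.17134_64.exe 90
PID 828 wrote to memory of 2336 828 LittleAlterBoy5_5.4.1.17134_64.exe 90
PID 828 wrote to memory of 2336 828 LittleAlterBoy5_5.4.1.17134_64.exe 90
PID 2336 wrote to memory of 4732 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 97
PID 2336 wrote to memory of 4212 2336 LittleAlterBoy5_5.4.1.17134_64.tmp 99
PID 4212 wrote to memory of 3292 4212 License Support Win64.exe 100
PID 3292 wrote to memory of 3776 3292 VC_redist.x86.exe 101
PID 4212 wrote to memory of 3376 4212 License Support Win64.exe 102
PID 3376 wrote to memory of 2172 3376 VC_redist.x64.exe 103
PID 4212 wrote to memory of 2372 4212 License Support Win64.exe 104
PID 3656 wrote to memory of 4140 3656 msiexec.exe 107
PID 4212 wrote to memory of 3744 4212 License Support Win64.exe 114
PID 3656 wrote to memory of 2808 3656 msiexec.exe 115
PID 2808 wrote to memory of 856 2808 MsiExec.exe 116
"""

# Child image names, copied by hand from the report's 'Processes' section;
# the WriteProcessMemory lines only name the parent.
PID_IMAGES = {
    828: "LittleAlterBoy5_5.4.1.17134_64.exe",
    2336: "LittleAlterBoy5_5.4.1.17134_64.tmp",
    4732: "_setup64.tmp",
    4212: "License Support Win64.exe",
    3292: "VC_redist.x86.exe", 3776: "VC_redist.x86.exe",
    3376: "VC_redist.x64.exe", 2172: "VC_redist.x64.exe",
    2372: "msiexec.exe", 3744: "wusa.exe",
    3656: "msiexec.exe", 4140: "MsiExec.exe", 2808: "MsiExec.exe",
    856: "ISBEW64.exe",
}

# 'PID <parent> wrote to memory of <child> <parent> <image> <target index>'.
# The lookahead keeps image names with spaces intact and works on both the
# one-per-line and the flattened form of the entries.
EDGE_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>.+?) (?P<target>\d+)(?=\s+PID\s|\s*$)",
    re.MULTILINE,
)


def parse_edges(text):
    """Return (children, calls, images): parent -> ordered unique children,
    (parent, child) -> number of writes, pid -> image name for parents."""
    children, calls, images = {}, defaultdict(int), {}
    for m in EDGE_RE.finditer(text):
        parent, child = int(m["parent"]), int(m["child"])
        images[parent] = m["image"]
        calls[(parent, child)] += 1
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, dict(calls), images


def roots(children):
    """PIDs that wrote into others but were never written into: tree roots."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]


def render(children, images, pid, depth=0, out=None):
    """Indented 'pid image' lines for the subtree under pid."""
    out = [] if out is None else out
    out.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}")
    for kid in children.get(pid, []):
        render(children, images, kid, depth + 1, out)
    return out


def launch_chain(text, known_images=PID_IMAGES):
    """Rendered tree lines for every root, plus the per-edge write counts."""
    children, calls, images = parse_edges(text)
    names = {**known_images, **images}
    lines = []
    for root in roots(children):
        lines.extend(render(children, names, root))
    return lines, calls


if __name__ == "__main__":
    lines, calls = launch_chain(SAMPLE)
    print("\n".join(lines))
    for (parent, child), n in calls.items():
        print(f"{parent} -> {child}: {n} write(s)")
```

On the sample this yields two roots, 828 for the installer chain and 3656 for the installer service, with License Support Win64.exe (4212) as the node that fans out into the VC_redist bootstrappers, the msiexec /i client and wusa.exe. Edges whose child never appears in the Processes section (3360 in the full list above) are where to look first, since the tree only shows what the sandbox chose to render.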
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. The VSS activity recorded in this run is vssvc.exe creating the Device Parameters\Partmgr key and writing PartitionTableCache for the sandbox's SCSI disk (see the registry entries above); nothing listed shows shadow copies being enumerated or deleted, so this signature on its own is not evidence of backup tampering.
Processes
C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe
"C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe" (depth 1)
- Suspicious use of WriteProcessMemory
PID:828
C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp" /SL5="$4014C,226646490,848384,C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe" (depth 2)
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2336
C:\Users\Admin\AppData\Local\Temp\is-3Q8HI.tmp\_isetup\_setup64.tmp
helper 105 0x4A4 (depth 3)
- Executes dropped EXE
PID:4732
C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
"C:\Program Files\Soundtoys\Utilities\License Support Win64.exe" (depth 3)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4212
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
"C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" /quiet /norestart (depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292
C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe
"C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" -burn.filehandle.attached=656 -burn.filehandle.self=684 /quiet /norestart (depth 5)
- Executes dropped EXE
- Loads dropped DLL
PID:3776
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" /quiet /norestart (depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376
C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=516 /quiet /norestart (depth 5)
- Executes dropped EXE
- Loads dropped DLL
PID:2172
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi" /quiet /qn (depth 4)
- Suspicious use of AdjustPrivilegeToken
PID:2372
C:\Windows\SysWOW64\wusa.exe
"C:\Windows\system32\wusa.exe" "C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{4EF18522-4489-4423-9A67-6903B272672E}\Windows8.1-KB2999226-x64.msu" /quiet /norestart (depth 4)
- Drops file in Windows directory
PID:3744
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F5272278-59D6-4F34-AE36-6605BD6534A5} (depth 4)
- Executes dropped EXE
PID:3476
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51DB5997-FFEA-46B0-995E-8E5A55D3FBA6} (depth 4)
- Executes dropped EXE
PID:2868
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4D471D45-9CFF-4B6A-8C93-53ECEF0B0AB4} (depth 4)
- Executes dropped EXE
PID:872
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F244C47E-28AC-4878-8616-159B0066530B} (depth 4)
- Executes dropped EXE
PID:4216
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10647409-929D-4363-AAD7-B7142A061C19} (depth 4)
- Executes dropped EXE
PID:864
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DBB4AE5D-09C2-42C1-90E7-3B8ED3603413} (depth 4)
- Executes dropped EXE
PID:2500
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30FFE9B2-D36A-4781-9F52-DAEC4037587A} (depth 4)
- Executes dropped EXE
PID:4492
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B34182A-FE3E-41E7-873D-441CE5A53AB4} (depth 4)
- Executes dropped EXE
PID:1812
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10EEA2D3-0866-49EC-89D0-7E7EAA97C4C4}4⤵
- Executes dropped EXE
PID:1364
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7F259611-A1F7-42A9-9EBB-15BAFB4B0894}4⤵
- Executes dropped EXE
PID:1176
-
-
C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF244929-D762-45C6-AD2D-898ABC000751}4⤵
- Executes dropped EXE
PID:2864
-
-
-
-
C:\Windows\system32\msiexec.exe /V 1⤵
- Registers COM server for autorun
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\System32\MsiExec.exe -Embedding FE6DFDA8C9965D9C94A386B9FE4F25D6 2⤵
- Loads dropped DLL
PID:4140

C:\Windows\syswow64\MsiExec.exe -Embedding E94C03BAB03C172780FCC5DB496F525E 2⤵
- Loads dropped DLL
PID:2712

C:\Windows\syswow64\MsiExec.exe -Embedding 94D514893A827BD844D860106583078E E Global\MSI0000 2⤵
- Loads dropped DLL
PID:2800

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll" 2⤵
- Loads dropped DLL
PID:2088

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll" 2⤵
- Loads dropped DLL
PID:3360

C:\Windows\syswow64\MsiExec.exe -Embedding A6FD7FADAADF5C182796FAB979FABB91 C 2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67041ADA-05AC-4173-846A-639449C3442D} 3⤵
- Executes dropped EXE
PID:856

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13623D78-6BCB-4D5B-832F-B71AF69C32C8} 3⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7FD01E6-D7CB-491E-B5D5-8BF1802601E5} 3⤵
- Executes dropped EXE
PID:2376

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8DC4814D-3F9B-4C10-9444-4725C610BD3D} 3⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BE30E6E0-DE5C-495F-8F3C-9DDBF0821F15} 3⤵
- Executes dropped EXE
PID:3784

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B0CE265B-2A53-48C7-BD79-5E8C5A3CDD63} 3⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54A6F5E5-4905-47C3-A058-32328F089188} 3⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C5259E0-CCA1-4192-8D2A-A570D18D6EA8} 3⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AACB97CA-6B4A-45C4-89BB-3645CB1B580E} 3⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8904BC8-F5CA-4BE2-AF1F-31962160E663} 3⤵
- Executes dropped EXE
PID:3628

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0029FAB-180C-4167-AECC-2E12C8C10623} 3⤵
- Executes dropped EXE
PID:4068

C:\Windows\syswow64\MsiExec.exe -Embedding 428C36B5FED206A70A0F03312DEB27DD 2⤵
- Loads dropped DLL
PID:5288

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D2FDCB5-580E-4ABB-B122-0F4C29C129A8} 3⤵
- Executes dropped EXE
PID:5468

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C05ACBB-08CF-4485-913F-5AA536BB5773} 3⤵
- Executes dropped EXE
PID:5508

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A362E7F-D714-4399-82A8-92AED14A4E40} 3⤵
- Executes dropped EXE
PID:5540

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA0790A0-18A7-42C1-B98B-2756B0058284} 3⤵
- Executes dropped EXE
PID:5532

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{786D61D9-CBC5-404F-9535-3951E59E7E61} 3⤵
- Executes dropped EXE
PID:5620

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13777CB9-BF67-4083-9D83-29A0F7C01B3B} 3⤵
- Executes dropped EXE
PID:5664

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1CBD1DFA-66F6-49D4-AD03-48BD6C8127FE} 3⤵
- Executes dropped EXE
PID:5700

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CD3A2866-EF02-48EA-B90B-4E910096826B} 3⤵
- Executes dropped EXE
PID:5732

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{152C9D56-190B-4783-99AD-9E81FB46C1BB} 3⤵
- Executes dropped EXE
PID:5760

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{391E12A1-E140-46E5-9952-4A3FFC7CB173} 3⤵
- Executes dropped EXE
PID:5796

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60908E5E-7E0D-4CCF-9F07-076B54207C33} 3⤵
- Executes dropped EXE
PID:5828

C:\Windows\syswow64\MsiExec.exe -Embedding 11C342A4354C8D60036F5C0D44FBDD12 E Global\MSI0000 2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:9388

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F420C333-CAF9-4E93-AD34-6BCDAFF42696} 3⤵
- Executes dropped EXE
PID:9464

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5D72C2E7-CA97-4B0C-A80F-3A053591A92C} 3⤵
- Executes dropped EXE
PID:5900

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{259AB277-388E-4A09-9A25-DC5CADF8D498} 3⤵
- Executes dropped EXE
PID:5924

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE3B7F10-E41B-42E3-8579-DC12980E8008} 3⤵
- Executes dropped EXE
PID:5956

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DFC6A228-5A93-44A3-B80A-BAD0741E88C1} 3⤵
- Executes dropped EXE
PID:5992

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E61E9C7A-CBFB-44DB-873A-C0437ACB04BD} 3⤵
- Executes dropped EXE
PID:6040

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF4C7426-C96D-4FCF-9BAF-1A1F07B60307} 3⤵
- Executes dropped EXE
PID:6072

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B0698C78-2199-4F90-A133-DBA080E7930D} 3⤵
- Executes dropped EXE
PID:6100

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C992071-8DBF-4554-91DE-7475269FA490} 3⤵
- Executes dropped EXE
PID:6140

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2BFCC8D-A4FB-4463-8269-CC9013295258} 3⤵
- Executes dropped EXE
PID:6176

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F44C6C6D-2AF5-445F-B580-91624181E418} 3⤵
- Executes dropped EXE
PID:6212

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7BEDCAC-A3D0-4849-B923-8FC25BD126CE} 3⤵
- Executes dropped EXE
PID:7520

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85EBCE29-4CCA-420D-B41A-3400E519D5CD} 3⤵
- Executes dropped EXE
PID:9708

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B491657-EB64-47B8-8F54-0394136DAAF8} 3⤵
- Executes dropped EXE
PID:7592

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{25FCE35D-C56D-4606-8BEA-BCEA02B3845A} 3⤵
- Executes dropped EXE
PID:7620

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{978CA39C-B6BE-49FB-8328-FEA0358344FD} 3⤵
- Executes dropped EXE
PID:7656

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59F5D3EB-E423-49C0-A43F-D60EC50CB918} 3⤵
- Executes dropped EXE
PID:7700

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DB3AE918-7BB2-44B5-ACA6-8F003DBFABC0} 3⤵
- Executes dropped EXE
PID:7740

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{079E20E7-E25C-458A-9390-6AB230C3821A} 3⤵
- Executes dropped EXE
PID:7768

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FFF3B989-1925-4C59-9685-1F7D115EF21F} 3⤵
- Executes dropped EXE
PID:7800

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{40BCB509-6672-4AE9-920F-0394FE6B7DE1} 3⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F227066-2785-4E7F-A39D-D3BB86170B01} 3⤵
PID:7864

"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Scripts\iLokPnputil.bat" --install EV 3⤵
PID:7904

C:\Windows\system32\net.exe (command line: C:\Windows\system32\net session) 4⤵
PID:7956

C:\Windows\system32\net1.exe (command line: C:\Windows\system32\net1 session) 5⤵
PID:7976

C:\Windows\System32\pnputil.exe -i -a "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr64.inf" 4⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:7992

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA33C96B-821F-4036-99C9-9CAA9038D0F6} 3⤵
PID:8364

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77D78092-B61B-4F60-9DC3-2D7733AFE910} 3⤵
PID:8428

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{76848E45-5EB2-449F-A895-BA5E65E9D090} 3⤵
PID:8460

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A625AED-A9AE-4FD1-BA65-69167CC1740F} 3⤵
PID:8492

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B52D254-89CB-4FC3-BADD-2FB3D438B888} 3⤵
PID:8520

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83AC44DE-3309-4E37-AAFF-3DDFFBB14107} 3⤵
PID:8556

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E706F33-63C8-49A2-91A9-30582D48AA96} 3⤵
PID:8600

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DC54E6B-6395-47EE-BA61-A0F7263CBFEC} 3⤵
PID:8704

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E3D12385-C9DA-428A-963E-10827E3A2B5C} 3⤵
PID:8672

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A09DA4EB-37D1-436C-BBA2-E72CD8AD2791} 3⤵
PID:8632

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F72E38CB-CF4D-457E-A7D0-B6A57371D201} 3⤵
PID:8732

"C:\Program Files\Bonjour\mDNSResponder.exe" 1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:2120

C:\Windows\system32\vssvc.exe 1⤵
- Checks SCSI registry key(s)
PID:2888

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 1⤵
PID:968

"C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe" -u https://activation.paceap.com/InitiateActivation 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:7276

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall 1⤵
- Checks SCSI registry key(s)
PID:8064

C:\Windows\system32\DrvInst.exe (command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{95143881-6bb2-c344-81cc-14a6891a0920}\iLokDrvr64.inf" "9" "4e4857d87" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV") 2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:8104

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵
PID:4228
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Filesize 126KB
MD5 255e6ec8c0aaa1d9e82ca824b43a4cdd
SHA1 c7ce076208ccd3f843de338515592e6c1b528161
SHA256 063f2deb1b9621a5b9d117422bde2c0a79bebfa8a02b1453b1b1abd4bb750124
SHA512 5a8869428a89f9c442f0a4e449dea94f7850bc46057ab078c932c2db337278faf17cf8fc0263945f785a87c72ced06f8041abd52563859aabaa6b71384287095

Filesize 381KB
MD5 db5bea73edaf19ac68b2c0fad0f92b1a
SHA1 74bb0197763e386036751bf30c5bbf4c389fa24e
SHA256 10f21999ff6b1d410ebf280f7f27deaca5289739cf12f4293b614b8fc6c88dcc
SHA512 63b718288c266debf3f58ac1a62cdcca6f09350616d53a406271d8f4fe6144751eddf7b7ba2dbfe79cfda671ee5afbdbae5798204edaaf4f0391895b824ae7c5

Filesize 118KB
MD5 40947436a70e0034e41123df5a0a7702
SHA1 6c27e1dd1c1533feb6435190a5074300ac2a9822
SHA256 5d40fd92da5ca59c1badb58ad509db6a6d613f18660a9a270a53eca85d34c3a9
SHA512 ba5634cc82f306245f9f0350bfa0b91e2f5ffc6c355b1452a95483f47e6acdb42c4e063f6c15115faf0f0630005df4fe8ef0e01539c270031cbd07a34a929704

Filesize 451KB
MD5 ebbcd5dfbb1de70e8f4af8fa59e401fd
SHA1 5ca966b9a5ff4ecd0e139e21b3e30f3ea48e1a88
SHA256 17bffc5df609ce3b2f0cab4bd6c118608c66a3ad86116a47e90b2bb7d8954122
SHA512 2fbfcff6bc25461e7c98aabdae0efb33f2df64140aaf4b2b0c253e34294e1606077ae47b000ebababb3600bd4d9154a945036c58e4e930da445a0dda765ac8a4

Filesize 129KB
MD5 f9d908de6b166dac9b89bf62fa291ce8
SHA1 938b53238291fc41ae852fdde51eed7a2bff0604
SHA256 d0a918ad60221623bb0278ea94cd6938744617fdbb2054968afafc2940648f02
SHA512 6643a7066974abfd5904df73ed225fd5eed4a84341b12199b6eb9a8a2ad234dba865d50f8ccff8a88002ce4c6ae2131745cf43aac88a3a0a66b596fb0d93e56e

Filesize 16KB
MD5 ca086bb31b598febd7e8d44daf14714a
SHA1 4838808e80df811cfb2bf7faf361b3cbc16f9f81
SHA256 3818abdee5b1d3d77ae4a5ace25a638b2d7d624605f8e8ce14dd6d4c6639c00c
SHA512 54188bf433a0da1b6b8f6f881af6d681a6bb629693191c7ee46f852953529cb94dfa894aca574e1cd7355985ea8d6187e7694c8144ea1db880922676f0dfe0c5

Filesize 44.3MB
MD5 4a4b910f8dd56ca229aed91ea540e0b9
SHA1 9fdbb594aa7fcbdf77769b09af23a964d0725084
SHA256 aaf9072bf80c4ba03c9bc9db191e9927f9b9b47ce33c2d25fa9768ec2f70c4d5
SHA512 8972817f3399be3ff79c23b6d7f6406d4c2de61a3fe9665ee9dbc56d0fc2a474015b425f489d28890206ec5ba6241f30a1a1b3e5024498c0a0bcdbb071079bfc

Filesize 37.4MB
MD5 58e116772187550f7090e6753d1c1532
SHA1 c2c0f0258d54f03ce1d96e86cc6a745655a4da4a
SHA256 d053c115877caf04f6bd604e06d1a14f94323722e24abfe732f378399da26acc
SHA512 f24550e29b923093562c070b2ff4b14420c64e3f956fe7f1b089cd0893db8d22b83c63fe6d5233c3af38000481a8396bd98d4b8f7a2896a115cc06032c2a90fc

Filesize 57KB
MD5 c23d4d5a87e08f8a822ad5a8dbd69592
SHA1 317df555bc309dace46ae5c5589bec53ea8f137e
SHA256 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27
SHA512 fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Filesize 141KB
MD5 edb88affffd67bca3523b41d3e2e4810
SHA1 0055b93907665fed56d22a7614a581a87d060ead
SHA256 4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15
SHA512 2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

Filesize 6KB
MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Filesize 2.9MB
MD5 3d9fe4c7359d7bb512a86ecb17c42a37
SHA1 79fb651f042d5b2c882c405cde1dc8383b8add60
SHA256 069211bd28e0db91fdc24ba58008c5787b1a09d1cd6ebeaefbeb24ef4522c8fa
SHA512 9f6e26445cec5f6d6518bfdb0d1b6030d2a5f6317e8719716de8dfa8de5a2f63ce780bda1986ebb2ce4caf5ed418135ee2e0859b5fb11cc243113287b40f2682

Filesize 1.3MB
MD5 806a54f833166c929f30031317bbd22e
SHA1 8e03076b34117d63d4da2287cc287d08e213e1cf
SHA256 d3e5f517681335aca1507d398bd52608688a0968c19825a539cb4f6ea05b70f7
SHA512 d382dd47c199f56839286a4b8ceea00b8a70a63924ba113c0d95b2671890925905b6c31b036c91cd4be25193e9b792a2ff2275f886f7e50e1dc0a7a966a637a3

Filesize 148KB
MD5 962b85d5bc8945d80b4839e47efe8fdd
SHA1 3291792ee90594baa9083ef544779d6b550d3fec
SHA256 1b220c5a2f74162d7162ba241ad6c594aaf009cc1329429dcf2112e10477e2b5
SHA512 6a2c104a45cb9f11e9a6e2ba2674c03a8b1102ad2be25f1df3bde6af4933db475a6537b54a8d4086867a655f4067980b99dc4844230f7d2727af45dcf5a794ff

Filesize 128KB
MD5 22ecca7139fc78f7928e9540a45dd2c7
SHA1 aabfa0a1de048732597f3e69cebb694bee88a7d1
SHA256 b108f5bdc4ae76f326fd1c99022cedda62af11e2262809ad79b2c071e0615484
SHA512 258a3f62904f7022c4ad5d4bab1687f505b8cb282a2d995a4cea29210def83c5e9ec003e88e4659ff7f828182f812172280199c491fe610cc286cf9ddbce037b

Filesize 262KB
MD5 5ecda0a54c4d9babcdb177d54f2e733d
SHA1 e98aa5abf7cc44b50fe6ca7c6b110bb04541fe5b
SHA256 e0926d6cbb4b4bbe673eec59325646ae8f2702e87584bf31dee28c385f45a32c
SHA512 45cb28462f6114765fcf831e2ae4ffc5fee1f59746e9e749106b7cf00b7967a788e5591da2a4e0a6e3ae52d60395d1d66be6112026709c33261c4ca839211616

Filesize 385KB
MD5 2dd07d5455d3e762e6efb976d4898174
SHA1 2677189384275f0d95eee10d85f1fac78dc557fe
SHA256 7aefc03e9adf64345164971aad3dcd1264f389c3ade513ae420d64ef1f2c1087
SHA512 8d38171c01c919b072fc7bb7938747d4172825481eb715f576a7a8b7623d2df776d6d9307f496b3f17c244cfe5898ad7557ef432f74ef8682219170596efdda2

Filesize 239KB
MD5 d8146c43b587f98bf1ea586c2b7a71ba
SHA1 5fb052b1fff7762bcbe1a923ccf5520b6f268834
SHA256 c7d4daf78b820c2a31dff646d4f199c1a05faf149178b6cccc776609aa3f06da
SHA512 028c3d77ca56d40627b9cc900492a5ea2eee31a1f69c14349c6c5c7791f3aab45a27e12556c1486f0d1cd3f028d35f35e7e8886c7892efed7d4660d0814e998f

Filesize 23KB
MD5 be8e1e66c14d73fd42b004eaea7c2e5f
SHA1 3f5091e47282f0f8e80027c1b7bcb91f10bf28b2
SHA256 6afb00abaaa7be31895d47a59efaab360e592f08daf1d45919fe21e90aa6132a
SHA512 833f7a0ea9efbfe3d2e0ec7ee1ea13a29b32fbf096cfae57e59af4f7ee4ab3adde19c851a8413eb079e74d25dcf01390ed0dfebeb3f5ab7ac234aa9a46a29daf

Filesize 325KB
MD5 ee55ce6c2ab607c146095178d734ed0c
SHA1 e73050e3dd159df0db798136cb07137bc279642f
SHA256 b06f0e78467a28d89070ce33a0bd4d11ace79f50be570be76360be9281097fc9
SHA512 0c092ea74e9de918b00c6662dcd2a027d7e5359217feccc7fec9a50c590e92993bd5881f0c188f7be68df10a21bfddf12972aca7d9d03b31a034ec19973694e5

Filesize 163B
MD5 aef3ceefc59a0d9cda30d7b3ef70dea5
SHA1 833f090f77edbc4b409886316deb21f484b782ff
SHA256 1bf85a5fa78894d1210063759abd2cf8c390556ca7022a03f41020c16a8abac6
SHA512 f009112c2810e011abd412a8e95f5dc90e24b49185daed0da32ac2fb7551e2c9020cf59fdaf0152baf37d208ffb5237e944048ab6d045205ede5e99c1bc8ad2b

Filesize 546KB
MD5 ef9981e91f1e89f574c1fd5a9f33c104
SHA1 4a4d93250ea55f2fd8016019ffecbd346a9cf898
SHA256 baea8898b54c528eae355a970f9d78c95c26b3b2a8c500e3fb6766bc879037c3
SHA512 4c7a5e9a7082bcc893a6a3368be634c651a049448ac90884b710eb4fa1dc480d6c4e94db12fd9ada53e3a8cdefff0990d7dd0cab173009e45bba643f7d88fdd5

Filesize 170B
MD5 5fc8d60855a5cec64e1abbbcc133c23b
SHA1 ca723ea715fc0e217a9133611a56da5dca78b547
SHA256 b0e962259029cec81ec5f5783192f552699aac99a14ddea89f74330e50e9340e
SHA512 847f0397aff3b428c9fda79f82b83b0dbec1410d979c7f80b109f6088fb0d04d843e43b1cff5fb99df2cc5ade9da862aaf907c809dbe16910a46b7d8edc47562

Filesize 215B
MD5 c88556b5771542ba96767a5117ce6053
SHA1 160d86bfc85cb14e43fc40300a50fc0a06b87e71
SHA256 fd53cc5bcb77cebe93db2ce11e4c78ff2a3e1035818987a8ed0efd12168163d7
SHA512 de2991d6b1584b61c4f7e445224c4f8d888e129a5a226b92aec3cd99041c694f639b6ca93ef2d97f70d299817e3fecf4ffb40298478366cb58d6f2ef73917eed

Filesize 21KB
MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Filesize 923B
MD5 15555cbf31a9886efd19b25d03fd9999
SHA1 1747bdee10c7030015fde30dde8b2d0f1d44c1f0
SHA256 a088878368797f6e079a1d3f4fd07a8c41e8584f9e75caf293a175afd962bfb3
SHA512 c163322cadabd96b5a0be8ef55b1e9c20cb8b9b6b5a87efcdff9a1ef41c7ce01537fcacf91b1642886e46ea8453f6744800694374b9cfe4bee884eda4c77a00f

Filesize 1.8MB
MD5 41e098a7c75c0f2fcdcc4c1b605f8cf5
SHA1 b794e06eaba21f0c765841695424d88421f1255b
SHA256 8069bfd2667f5a62519ee604c1062574a0db69c4cfd1b55a0f3895ce7670ee9c
SHA512 777ed995ccc93d768955310841d98ccae155d0a5a2cfa314fb7cfed54c82f65e865ca697210c35d0824076ae9b2459ac85d8ba7dfcc4ae4e6d2af4feb1574c6a

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\PACE License Support Win64.msi
Filesize 48.3MB
MD5 c5cbd59e9901c3c1c6a112fa726cceb0
SHA1 5f7f18a1edd6221b890ee5b63147b74fc6c8d10e
SHA256 bf9e00b22e6eb0a9d598e25c28a74ac565b176a8a164607a0a94a5a230216038
SHA512 b5044f29636ad2d60efcc8344b26baa89b6ea9ee42a566ecff00972e29c2dfae15b9ba3f58bb9a5846d1596d7a420a8054982357d7f37558086c4b1bd60a7586

Filesize 1KB
MD5 0e10ca2d56f862cc2f4d618faba99aaf
SHA1 93706ff049c6ff76fa2537efd5f5ccbfc620c0c3
SHA256 e6ea2b931860b8362fb8f5830f3d05741de3a8b7f541af3b456629e3ab90349f
SHA512 3c650881db06b603637f848552c580f48eae93202526ed4b8c526e9f94f18410d197b72d591637f941c643ecdde3e8dd00b7fe7e7a0f52faec8f831446c302f5

Filesize 579B
MD5 c1ebbdb4fde707ae1a19c3f8a3c037d7
SHA1 5b89fedd99f21a1be0e71c344593ef7e8a02bf18
SHA256 886ae7127390cf701be20d762de8008908d29874b3db5f7bcdec3ab3ffceb0f2
SHA512 b1a505f0eee54f8f80c00e51fd03967ec080db6c9fce671db429d83a4d1003105b35c80aa1953d195304e594e89e09f2b93ba4cf0b698be6ee070b1969a77e85

Filesize 579B
MD5 3319f71dd8e53d12c70ae6019eb49b38
SHA1 1f2ce2ea4d8c9c4b0fb76a09e84dc55d44b8f1ae
SHA256 89cf87f10bd3386eca6b30c80610ef41791046f62d76a9a021318d5197914d75
SHA512 a80ecf432bc89954287860a686cc48f2d1b6d4123505556a5a1f9d6474319bbf4b88bb1886f83bbd62e699b3b1615882aa2fa97156ba5f8785840a8e4bea1f6c

Filesize 9KB
MD5 68b5cee7a2fb4c8e21f240737265e14a
SHA1 f23c438b4d011073279c9bc85865c874fbfcf0de
SHA256 e9dd221ed24d09d958b426e109668620a89796aac100b8ecf2678f980656227e
SHA512 aecbaac3962d1c7678bbba43f8c43451efb6b7859cbb88bc3cf2620d777025066fc028c2e16f6b84045b91a97d20c9530aa1d66406bbb92ccb07a9bf12258c87

Filesize 7KB
MD5 31bbe50b2d94ea9e914355956d7bea49
SHA1 df0e6b3aa9632aca544207ebe17bffc41f2b68a8
SHA256 5307dfcbdcf6d6cc119ef8557a8e06e13775f9c6faf7257f61a2abe862a4a4e5
SHA512 3fdc87a826fb7b808c96ab4e32bf32b9d902595cc1920a146cb1d9245f718e93a9bd1ff81558a0dacc0a15917f6ee6c83c03f1858736923bc08c235c9de97aae

Filesize 6KB
MD5 f87382fc7604a837bdb1be851000b15b
SHA1 cb1a0de7b734e1bd05faa32e9ee22c7111b4484e
SHA256 27d1d2688dd0fcc2feaf7e2dc40078f676f61cac09233ad18beeccfb646f1c7a
SHA512 449d2f1bb679e2b0ff84905fb506d4121ce1147bc58ca1e136be9f082b91b34a36b1d90cfdac19ac68bab7991274fb148216e2ff0a03d094348aea93e14d2bfb

Filesize 2KB
MD5 e0dac65635c79399e951589b98c3ec4d
SHA1 7322fa504dd65edfb17480213ce11a8c56b6e152
SHA256 572be4547e8ca666aed87e4f5c3c633abc7e09d28ee21f5af2ff28843b15b651
SHA512 2b26d6610e379dd50b493706e6b7ff1bcf6b447570d7ccd800b603b00e2b35103430721f89091f941db03e299d0663c241e1296b9e7213d416633d67bdf1dfc6

Filesize 46B
MD5 c10f0c1c213324eb2d479d8617a58197
SHA1 5d830ffc7950e47de2a7f9efafca8425c37a382c
SHA256 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be
SHA512 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702

Filesize 10KB
MD5 780ecbfe29b525adec69589bb0925cb1
SHA1 1954ee7e7ed03a9dc877d2c3b05e86459a6292b8
SHA256 a56b6431264c75fe9120b11476147aa215dd78ddd8e606023f16960891e69c2c
SHA512 2252a44d9da77391e3ff83c0007e4ec281fef79e2df20adadb584d6f377d023cf73bf9c76c0d0771a58b062024ec1118602fa77f9dcb56083cedec9e55c4759f

Filesize 54KB
MD5 a6403b5ee5f9f09eaf60a41b4705b0ec
SHA1 4ce6a4a0991cd52d37facb7494eeed398f7ddb38
SHA256 9dca1adf06c8247a11fc09517c4e8a0206075dd663f921d9945053994fdeffc7
SHA512 7a2c6c580811d498a627fcd4645238d3f5225b22da07f7fbefa87bf344497aa8469e74cb7d84349d701636d12e6a61f406eeea90f7e1fb18a3d05ae5aed01d6f

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi
Filesize 2.6MB
MD5 8dcf5c9eaacdaf4568220d103f393dea
SHA1 27f68596398b68ba048f95752b4eeb4aa013c23f
SHA256 53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93
SHA512 10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize 8.3MB
MD5 38319018aa84855b18cffd4e75153334
SHA1 a712c1bda8cdc965271c6bed5d0e91e5e101039d
SHA256 885160691f5b2fa0a744dfacfb73826ef17066e2b392c44735d40297e27a11d1
SHA512 c59cc82433cd41c2cda52940007383642e57fa0388ba1a4eb28dc4665a3fcb7d9e3e299a8ca5df0dad1ba54c293c453a91b3ae6466494b41193d17454a39e23e

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize 6.1MB
MD5 90beae9e0c97762b3c73171ca9c03405
SHA1 adb82f77c66073f8e9d70011599b01a527b0e589
SHA256 5751bd031a2b66594b479c52a09e002732446009249990bc6dc93a5d67e24016
SHA512 5deba79367884c1c4e95d420b5a5a14269107910db7a133cc90efa957d6cdbd932efca3a2b0ca9d7cf600a7132e89e6d00da60334f7ed9f8ef3c01298fdd42a1

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize 7.1MB
MD5 da2d4f901a4b553e427ce2a724de0988
SHA1 bd03a67bd84bc0f0527562f2cd8db4f6d27b8cf7
SHA256 48d7aae7c9976252d427a6a0e0b77a2e35737c9d07dc98ec02163e9500704c4f
SHA512 c7b69065bd25027f7fca0226cd5cdf070df60e82f960eb30235e7e5375a4152b36f9dfa0f7ec15a597720cfc7600a6609d6f764cd31431fad7a3007d30358e8b

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
Filesize 1.2MB
MD5 ce7de2ab528950957701c38dec29ff28
SHA1 360809e59e98a2065f5c338d3e1dcc7a11e70e26
SHA256 5a03723d5ada9f94fa67184364704fc3e8b85b9b35477276879b74828815d97b
SHA512 66ba6197099a3ea529916c688e364dfb147762058083a78ef8bb42177e12c586ab0c343a665277a0e933bda0b25318cdf5294bb4c5495d077f74de3294c21f5c
-
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
Filesize462KB
MD5e21c092c03d04b7af5771cc664b48007
SHA15a7f38c97b77fe906a7cf464b2bf4c1743b66b6d
SHA25671e03df965f45f2c594bd0b4754556924a813489f4201864bd1d4388353215fa
SHA5126552fb9cd109247cbf5866ce928c604dfb58b29fddbb00b0f7fc5325b9b65a19dd5f6371effd775eb7c5e7c0a98abe2aa1383ca8c8e05f9853dc833e87969273
-
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
Filesize656KB
MD5201329dbd79492234c05453cc06cd00a
SHA16037a2f859da61b9fea2c09d07276afaee3df19c
SHA256258e66655e58e103be1642c479e77b70feee7e739aa513bcd810242a2a7769ee
SHA512a0dfe5137a838cde23c30328a2c611b2fc2c8858482fa8ebf625ddbcee4904b09ce1ba2876d8d612f9b5c81778f6e4a270fede5e7f0bb062e54b055bb619ed40
-
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{4EF18522-4489-4423-9A67-6903B272672E}\Windows8.1-KB2999226-x64.msu
Filesize981KB
MD5d0728878f9c6799046b43aeece4f3aca
SHA13acbf3890fc9c8a6f3d2155ecf106028e5f55164
SHA2569f707096c7d279ed4bc2a40ba695efac69c20406e0ca97e2b3e08443c6381d15
SHA512e5cecaca86779a281bf5c396d7fa3a5f322bc6423e2250d617a6fab229e86d2c9d3b784c1fa3fa2be5513fcd3ba87695b3934d13802ee15cabae62f84c2c3668
-
Filesize
193B
MD5f85fb84dc27b75e5cebe32d89be93ea6
SHA13d7de6e572ce0eafdccef331e39e6f94b75b414b
SHA2566f6532353669cea1baffbb12e9d0304ff3a882f232cf5f25c030a04b16dd20c5
SHA5127f947f2d650813f9e212d149bdf6efff9685b406c12ddfe08bbf4879b081c72f27a41a41f66485e792a58d148db0ed0274f1fb7527e4b813cf37e7fe3488cb48
-
Filesize
5KB
MD56098f128cf6fe5ddbe128d5cb301c854
SHA1be8df9ee61475ff6d5913c368e65a1609134fe5a
SHA256a59e8507bc4beb36b347b43340def8614028f1cf246f7406b63bee70ecea3e03
SHA512ea0de1f365eae76db99798fe2a8a58614dc1cc35e1a96a4eed558adc011ff1ff8fab74713e687f54775770757b27049541597429b52780f3e5172510aea35430
-
Filesize
75KB
MD508c031fa82a09aae1079378669678fe6
SHA1b109251d2fef08bd446be0c92369e6f11eb67093
SHA2568764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a
SHA512d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c
-
Filesize
75KB
MD56f8e3e4f72620bddc633f0175f47161e
SHA153ed75a208cc84f1a065e9e4ece356371cac0341
SHA2562adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e
SHA51280187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869
-
Filesize
11KB
MD5af30155cd33639edfcd31eb9c80edd3d
SHA10d0dc51143fc1f9b0a41a1ac0554a3ddfcb9af65
SHA2563e42dc05577ec55ceb296de329178687a5c29e787855c58c40b758344a00a56e
SHA51221f2b2c48753698b09c3631b16a555cbd18638ecdac74117beed76f2690feab1781841b74cd59b88561912b341a78d45d4da2b0f64e325f19b1d7ecbe964e5a4
-
Filesize
1.4MB
MD5a9a5d554ee54caa78a9fbff76bc74d1b
SHA13534ebaeebd8861807e28f212dd4ef59ae2c4596
SHA256590288df2cf650c88b418c2446108036746dca30ec3c0ec819a8f06f06a705ed
SHA512e2f48cc4c926175c7913510c2c111ef06b69702c9801892f75a84ff04eae002dc8d28b0525a0f0d6ca67a2c538a84c0cf34b440e21fa964119a08e0acbcc6c89
-
Filesize
36KB
MD58d94d7271425756de312e2f1b894f78b
SHA14463ca042cfa66a776e01d3915543cbcdd21f34e
SHA256f39bb45a191a4e07c6ade3ff1fc19ee5b1e60a6d5c99a4e8ee66100c322d9823
SHA512231daeb977fb463b05e10ecad110ef80e6a550524f50d4cd5e43e4085f15dcaa8faeb60523dcd98cadfad324b5da46ab41bbcf842472904b65b0849970633d24
-
Filesize
3KB
MD57bd98a95ec9019010e8aaa9f7fe5bea4
SHA14b60bddc26a6c1e505fd8f4060260f4642765d5a
SHA256fff0ccbddab48c9467b384876d80d9af1d36a0dfd49ecac352d1fd03b698655c
SHA512e57a24a7da0044851154137b09e3ee59c25e88e141846d5a692d07cd32d0a12508e8a29144b3f016425260a58a616e390f3daa0892e615c9485c26cf57112fb7
-
Filesize
114KB
MD5c75656c2253f1058f83cd3c3c743eece
SHA16665da5a6c0c678afe19e87f0e1d8ef931e91052
SHA2565f5f89a2534771b70419bbe414e9d04409786f6f98dc9eda85e081adf995cd83
SHA512cb18b81c91ae1f3ba91c200d3ba95c9ec6cf2e731a87426392b9516883b90e4e2ead26526fba09944a7a75f11a196671d1dadafcc255bab7d9ddd9dbd17aaf42
-
Filesize
632KB
MD594970fc3a8ed7b9de44f4117419ce829
SHA1aa1292f049c4173e2ab60b59b62f267fd884d21a
SHA256de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e
SHA512b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
632KB
MD5c9d95472a5627c6c455e74c8b8fef5be
SHA134cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82
SHA2564b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b
SHA512989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31
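The dropped-file listing above is what an analyst actually works from when deciding whether an installer's payloads are the expected vendor redistributables, so here is an added Python example (written for this page, not tria.ge's own code or tooling) that turns the raw listing into records and applies the checks a practitioner runs first: every digest has the right length and alphabet for its algorithm, any path that the sandbox recorded more than once with different content is flagged (the listing shows three distinct files at the same VC_redist.x86.exe path and three at the same VC_redist.x64.exe path, which reads as a bootstrapper staging several payloads through one temp path, though the report itself does not say so), and a local file can be compared against an entry's digests. The sample text embedded in the block is a constructed excerpt copied from the entries above with SHA1/SHA512 left out for brevity; the parser accepts both the fused "MD5<hex>" form and the split "Filesize" / "7KB" form that the page mixes. No names in it come from the report beyond the paths and digests.

```python
"""Added example (not part of the tria.ge report): parse the dropped-file
listing, sanity-check each digest, flag paths written more than once with
different content, and compare local bytes against an entry."""
import hashlib
import re
from collections import defaultdict

# Expected hex length of each digest the report lists.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A label may be fused to its value ("MD5<hex>", "Filesize2.6MB") or stand
# alone with the value on the next line ("Filesize" / "7KB").
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA256|SHA512|SHA1)\s*(.*)$")

# Constructed sample: five entries copied from the listing on this page
# (SHA1/SHA512 omitted for brevity; the parser accepts any subset of labels).
SAMPLE = r"""
-
Filesize
7KB
MD531bbe50b2d94ea9e914355956d7bea49
SHA2565307dfcbdcf6d6cc119ef8557a8e06e13775f9c6faf7257f61a2abe862a4a4e5
-
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi
Filesize2.6MB
MD58dcf5c9eaacdaf4568220d103f393dea
SHA25653be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93
-
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize8.3MB
MD538319018aa84855b18cffd4e75153334
SHA256885160691f5b2fa0a744dfacfb73826ef17066e2b392c44735d40297e27a11d1
-
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize6.1MB
MD590beae9e0c97762b3c73171ca9c03405
SHA2565751bd031a2b66594b479c52a09e002732446009249990bc6dc93a5d67e24016
-
C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
Filesize7.1MB
MD5da2d4f901a4b553e427ce2a724de0988
SHA25648d7aae7c9976252d427a6a0e0b77a2e35737c9d07dc98ec02163e9500704c4f
"""


def parse_listing(text):
    """Return one dict per entry: 'path' (or None) plus whatever labels it lists."""
    entries, cur, pending = [], None, None

    def flush():
        if cur is not None and len(cur) > 1:      # drop empty separators
            entries.append(cur)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                             # entry separator
            flush()
            cur, pending = {"path": None}, None
            continue
        if cur is None:
            cur = {"path": None}
        if pending is not None:                     # value half of a split label
            cur[pending], pending = line, None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.groups()
            if value:
                cur[label] = value
            else:
                pending = label
        elif cur["path"] is None and len(cur) == 1:
            cur["path"] = line                      # the only unlabeled line is the path
    flush()
    return entries


def digest_problems(entry):
    """Labels whose value is not lowercase hex of the right length for its algorithm."""
    return [label for label, n in HEX_LEN.items()
            if label in entry and not re.fullmatch(rf"[0-9a-f]{{{n}}}", entry[label])]


def rewritten_paths(entries, key="SHA256"):
    """Paths recorded more than once with different content: {path: [digest, ...]}."""
    seen = defaultdict(list)
    for e in entries:
        if e["path"] and e.get(key):
            seen[e["path"]].append(e[key])
    return {p: hs for p, hs in seen.items() if len(set(hs)) > 1}


def digests(data):
    """All four digests of a byte string, keyed the way the report labels them."""
    return {label: hashlib.new(label.lower(), data).hexdigest() for label in HEX_LEN}


def matches_entry(data, entry):
    """True when every digest the entry lists agrees with the given bytes."""
    d = digests(data)
    listed = [label for label in HEX_LEN if label in entry]
    return bool(listed) and all(d[label] == entry[label] for label in listed)


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for e in entries:
        bad = digest_problems(e)
        print(e.get("Filesize"), e.get("SHA256"), e["path"] or "<no path recorded>",
              "BAD DIGEST: %s" % bad if bad else "")
    for path, hashes in rewritten_paths(entries).items():
        print("written %d times with different content: %s" % (len(hashes), path))
```

To check a file pulled from the sandbox, read it as bytes and call matches_entry(data, entry) against the record for its path; a mismatch on any listed digest is a mismatch, since the report lists all four for each file. The rewritten-path check keys on SHA256 by default because MD5 and SHA1 collisions are cheap to manufacture; pass key="SHA512" if the listing only carries that one.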