Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-rgrlksdb73
Target LittleAlterBoy5_5.4.1.17134_64.exe
SHA256 b65612ace7fc0ae0b5a795abde581c3451388159f63364f4c48f4a2b86234c59
Tags discovery, evasion, persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

b65612ace7fc0ae0b5a795abde581c3451388159f63364f4c48f4a2b86234c59

Threat Level: Known bad

The file LittleAlterBoy5_5.4.1.17134_64.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence

Modifies firewall policy service

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Checks installed software on the system

Blocklisted process makes network request

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Runs net.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 14:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 14:10

Reported

2024-03-04 14:14

Platform

win7-20240221-en

Max time kernel

145s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Program Files\Bonjour\mDNSResponder.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-G0PP4.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Program Files\Bonjour\mDNSResponder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32 C:\Windows\system32\msiexec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Program Files\\Soundtoys\\Utilities\\License Support Win64.exe\"" C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\G: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\I: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\T: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\L: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\X: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\V: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\M: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\N: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\P: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\R: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\W: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\J: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\S: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\dns-sd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\dnssd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\dnssd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\dnssdX.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\dnssdX.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\jdns_sd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\jdns_sd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\dns-sd.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\mdnsNSP.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Bonjour\mdnsNSP.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Vstplugins\Soundtoys\LittleAlterBoy.dll C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-CFDI8.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\is-FFG70.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\mDNSResponder.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Bonjour\mDNSResponder.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Soundtoys\uninst\is-9N5IQ.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Common Files\VST3\Soundtoys\is-793MS.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Soundtoys\uninst\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-RFG28.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\Contents\x64\is-UARAT.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\dns_sd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Bonjour\dns_sd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Bonjour\About Bonjour.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-2MF3C.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\is-AJ6GG.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\Utilities\is-2PVU7.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\About Bonjour.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Soundtoys\uninst\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\dns_sd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vstplugins\Soundtoys\is-VGVGE.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\Manuals\is-MN6MV.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\uninst\is-R7OPV.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\Utilities\is-N6TP1.tmp C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\dns_sd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Soundtoys\uninst\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f77893f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SysWOW64\wusa.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\wusa.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\SysWOW64\wusa.exe N/A
File created C:\Windows\Installer\f77893c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77893c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f778942.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77893f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI929B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI93B7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\RichText.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9029.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI92EA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI952F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}\Bonjour.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\wusa.exe N/A
File opened for modification C:\Windows\Installer\MSI90D6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI931A.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID\ = "Bonjour.TXTRecord" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord.1\ = "TXTRecord Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\Programmable C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{56608F9C-223B-4CB6-813D-85EDCCADFB4B} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID\ = "Bonjour.DNSSDService" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods\ = "7" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\\{15D7BF62-B111-49C3-9E82-1E5859612E57}\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS\ = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService\CurVer C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord\CLSID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\Bonjour.DLL C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\Net\2 = "C:\\ProgramData\\Apple\\Installer Cache\\Bonjour 3.0.0.10\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager.1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID\ = "Bonjour.DNSSDRecord.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1523EA646D34FC14C8FD9E203C58611D\2B0163E6D0340BE4183EB2758E9BEDD8 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord\CurVer C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\ = "DNSSDRecord Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Bonjour.DLL\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "PSFactoryBuffer" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord\ = "TXTRecord Class" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 2100 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 2100 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 2100 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 2100 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 2100 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 2100 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 1196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Users\Admin\AppData\Local\Temp\is-G0PP4.tmp\_isetup\_setup64.tmp
PID 1196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Users\Admin\AppData\Local\Temp\is-G0PP4.tmp\_isetup\_setup64.tmp
PID 1196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Users\Admin\AppData\Local\Temp\is-G0PP4.tmp\_isetup\_setup64.tmp
PID 1196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Users\Admin\AppData\Local\Temp\is-G0PP4.tmp\_isetup\_setup64.tmp
PID 1196 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 1196 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 1196 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 1196 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 1196 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 1196 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 1196 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 1872 wrote to memory of 1472 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 1872 wrote to memory of 1472 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 1872 wrote to memory of 1472 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 1872 wrote to memory of 1472 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 1872 wrote to memory of 1472 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 1872 wrote to memory of 1472 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 1872 wrote to memory of 1472 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 1472 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
PID 1472 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
PID 1472 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
PID 1472 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
PID 1472 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
PID 1472 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
PID 1472 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe
PID 1872 wrote to memory of 1512 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 1872 wrote to memory of 1512 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 1872 wrote to memory of 1512 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 1872 wrote to memory of 1512 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 1872 wrote to memory of 1512 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 1872 wrote to memory of 1512 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 1872 wrote to memory of 1512 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 1512 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe
PID 1512 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe
PID 1512 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe
PID 1512 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe
PID 1512 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe
PID 1512 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe
PID 1512 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe
PID 1872 wrote to memory of 2516 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 1872 wrote to memory of 2516 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 1872 wrote to memory of 2516 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 1872 wrote to memory of 2516 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 1872 wrote to memory of 2516 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 1872 wrote to memory of 2516 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 1872 wrote to memory of 2516 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 1848 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1848 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1848 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1848 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1848 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1848 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1848 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe

"C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"

C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp" /SL5="$400DE,226646490,848384,C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"

C:\Users\Admin\AppData\Local\Temp\is-G0PP4.tmp\_isetup\_setup64.tmp

helper 105 0x214

C:\Program Files\Soundtoys\Utilities\License Support Win64.exe

"C:\Program Files\Soundtoys\Utilities\License Support Win64.exe"

C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" /quiet /norestart

C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe

"C:\Windows\Temp\{EECB4C6C-3D30-437F-B630-1032FBE11822}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" /quiet /norestart

C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{810176E9-D886-415E-86AD-249D9B1D07AB}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /quiet /norestart

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi" /quiet /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding DC81A4CF2071FCCC85C9B732B6157D2E

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5724F460C174DE81188CA8AEE9AA2759

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A31C298993A4DFA7D9A7865C27757112 M Global\MSI0000

C:\Windows\system32\MsiExec.exe

"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"

C:\Program Files\Bonjour\mDNSResponder.exe

"C:\Program Files\Bonjour\mDNSResponder.exe"

C:\Windows\SysWOW64\wusa.exe

"C:\Windows\system32\wusa.exe" "C:\Users\Admin\AppData\Local\Temp\{9EEDE7D3-4702-47AC-B04F-2E551F73B462}\{4EF18522-4489-4423-9A67-6903B272672E}\Windows6.1-KB2999226-x64.msu" /quiet /norestart

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3147D07623420983D9A5C05EC72405C1 C

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EEBF533C-AF88-4BBD-9D12-320EF29C6283}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{43E494BE-D192-4C07-9EE4-048D46E499E9}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{710BACAA-770F-4048-90DB-862DE5AD03BD}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{076E9B3D-CEC3-4D2F-9CE7-943A41AFB824}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A7768E13-11AC-4A6F-801A-6553F40173F8}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{002DE544-40FF-4692-99B4-E84E8E4856A1}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F6DBDC2-9ACA-4BAA-84A3-2251E61D14CA}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0A7CA19-AFCD-491D-A5DD-6A1E741DF1A1}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49CE36B1-786B-45FC-8BDD-B7705B32E9E0}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7677CA9-F8A3-4FF6-B3B7-AD884FE2B5DF}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{822CD264-EF4C-4612-A0B0-94F0507FDEA5}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C8C01AD-2090-4B00-B9FC-81C13E3C5AA7}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19D24993-91C1-4E4C-B23E-72F80FB0C16A}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C19DE14-DFB9-4DB4-94F8-5364A855AE51}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F284DCC0-7874-4A76-9AF2-2A97A9D51FFF}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D973834F-9BA6-4E9E-8306-2C6E313595B8}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{500095E1-C33D-4C33-8160-66F11744B9F0}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B281E85-2779-42D3-A4AE-18648AD69C21}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BB5F932A-DA22-4B5F-9A47-992C1140AF79}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0FF5F9D6-46F2-486D-942F-5A9309A85BEA}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{982909BE-84BC-4554-81CB-EE8AF0B46690}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4B70712-353A-4BB3-8DFC-3540175AE384}

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 csc3-2010-crl.verisign.com udp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
N/A 224.0.0.251:5353 udp

Files

memory/2100-0-0x0000000000400000-0x00000000004DC000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp

MD5 57a24b37c5950ef633969bc470fb77c7
SHA1 8ceccc0de092110908a867e3ab2b274ca4e5ad64
SHA256 0c89dc35e7a63f1cf21ad1e7653225496d15d38b8a3de800b37369aea40a198d
SHA512 6144bbfab053cbea7e35f8d0ea9b5e22addd59bb113a68709c5b6b78c83de82fba0bc231f31c59a1bd9b1ea1ae933718e6f73355c7feee448597ab604e113c37

C:\Users\Admin\AppData\Local\Temp\is-D76DN.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp

MD5 eaad805f02c09854ca58096c8e40e28b
SHA1 26d25c3c4baa25daaa2bea4b1dcb69294633cd37
SHA256 bbf8e45b5f154232a6df53355896731acadddd1bdba0a6e54350bd19296bfee8
SHA512 f202ccd17895c06b18ba5f411ff6686d6d84f80734333e407d0d175e5b8e816910956a117210c8287179215efd2b2b5440290719a851982f4e863f8a32ebbead


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 14:10

Reported

2024-03-04 14:14

Platform

win10v2004-20240226-en

Max time kernel

127s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Program Files\Bonjour\mDNSResponder.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3Q8HI.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Program Files\Bonjour\mDNSResponder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32 C:\Windows\system32\msiexec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Program Files\\Soundtoys\\Utilities\\License Support Win64.exe\"" C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\S: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\W: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\H: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\M: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\O: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\U: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\N: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\L: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\R: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\T: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\K: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\V: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\X: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETBA07.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\iLokDrvr.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\iLokDrvr64.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\dnssd.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F5.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F5.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\iLokDrvr64.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\dns-sd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\jdns_sd.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\WdfCoInstaller01007.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\jdns_sd.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\iLokDrvr.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETBA07.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\WdfCoInstaller01007.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\dns-sd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\dnssdX.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\dnssd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\dnssdX.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\ilok-x64.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\ilok-x64.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F4.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{d58b3b8f-ef30-024d-9877-bb5877496722}\SETB9F4.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\PACE\Proxy\libpaceedenexperience.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\WrapPersist.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\ssleay32.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Soundtoys\uninst\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\Platforms\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\iLokDrvr.sys C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\Manuals\is-AF14U.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Bonjour\About Bonjour.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\iLokDrvr64.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\SHA1\iLokDrvr64.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\iloktool.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\Contents\x64\is-IRVLL.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qsvg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\SHA1\iLokDrvr.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Bonjour\dns_sd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Qt5Widgets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\LicenseSupportDiagnostic.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\Qt5Gui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\WinSparkle.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Soundtoys\is-HU92Q.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Soundtoys\is-09A9F.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\Utilities\is-SIRCR.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Soundtoys\uninst\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-NACDI.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\mDNSResponder.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\Plugins\ImageFormats\qsvg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Qt5Network.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\WdfCoInstaller01007.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Authenticode\ilok-x64.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-0EA21.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files\Soundtoys\uninst\is-G6B6B.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\iLok License Manager\libeay32MD.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\dns_sd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qico.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Bonjour\mDNSResponder.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Qt5Gui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qjpeg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\Proxy\Plugins\ImageFormats\qtiff.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\qt.conf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Soundtoys\LittleAlterBoy.aaxplugin\is-CHQ9J.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Bonjour\mdnsNSP.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr64.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\iLok License Manager\Plugins\ImageFormats\qgif.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Vstplugins\Soundtoys\LittleAlterBoy.dll C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\WdfCoInstaller01007.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Soundtoys\Utilities\is-JJO13.tmp C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\InstallTemp\20240304141305503.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305642.0\mfcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305564.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140fra.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e580a8f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SysWOW64\wusa.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305705.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240304141305642.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305580.0\mfc80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfcm100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140jpn.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140rus.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfcm140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB4D1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA494.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100esn_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcruntime140.dll.363ED482_721F_3A34_85B3_A96CD936D64F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140deu.dll.363ED482_721F_3A34_85B3_A96CD936D64F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vccorlib140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305439.1\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100ita_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140cht.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140ita.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240304141305877.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9997.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305580.0\mfc80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305720.1\mfc80JPN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcruntime140.dll.363ED482_721F_3A34_85B3_A96CD936D64F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305799.0\mfc80CHT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100chs_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100esn_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfcm100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\wusa.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305424.0\ATL80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100esn_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305720.1\mfc80KOR.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305877.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100enu_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcomp140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140rus.dll.363ED482_721F_3A34_85B3_A96CD936D64F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSID79.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF04.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140fra.dll.363ED482_721F_3A34_85B3_A96CD936D64F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240304141305720.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDF7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305877.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_mfc100deu_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\F_CENTRAL_vcomp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305503.0\msvcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305720.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240304141305720.1\mfc80ITA.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\pnputil.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\msvcp140.dll.363ED482_721F_3A34_85B3_A96CD936D64F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\vcruntime140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\concrt140.dll.EC55875F_6DF4_3DBD_A117_4A27D8F55B9B C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\D6E0FC12667136f48A3356A4B112AB68\5.7.1\mfc140cht.dll.363ED482_721F_3A34_85B3_A96CD936D64F C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\pnputil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\pnputil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\System32\pnputil.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\pnputil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\pnputil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\System32\pnputil.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\pnputil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\System32\pnputil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\System32\pnputil.exe N/A
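
The file-drop tables and the SCSI registry table are long enough that reading them row by row hides the one question that matters for triage: which rows were performed by the sample's own processes (the Inno Setup staging executable under is-PL0PH.tmp, License Support Win64.exe) and which by Windows components acting on its behalf (msiexec.exe, DrvInst.exe, pnputil.exe, vssvc.exe, svchost.exe). The script below is an added example and not part of the original report or of any sandbox vendor's tooling. It parses rows in the report's own "Description Indicator Process Target" layout, groups them by acting process, and flags the rows a reviewer reads first: kernel drivers (.sys), binaries landing in System32/SysWOW64, writes from an Inno Setup staging directory, and SCSI enumeration keys. The flag names and the rules behind them are this example's own choices; the ten sample rows are a constructed subset copied verbatim from this report's tables.

```python
"""Triage helper for sandbox file/registry event rows (added example).

Parses rows laid out as  <description> <indicator> <process> <target>,
groups them by the acting process and flags the ones worth reading first.
Flag names and rules are assumptions made for this example, not a vendor's.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Row descriptions seen in the report. Longer alternatives come first so that
# "File opened for modification" is not cut short at "File opened".
DESCRIPTION_RE = re.compile(
    r"^(File opened for modification|File opened \(read-only\)|File created"
    r"|Key value queried|Key created|Key opened|Key deleted|Key queried"
    r"|Set value \((?:str|int|data)\)) (.*)$"
)
# A space followed by a drive-letter path marks where a path column begins.
PROCESS_BOUNDARY_RE = re.compile(r" (?=[A-Za-z]:\\)")
# Inno Setup unpacks its installer stub into %TEMP%\is-XXXXX.tmp\.
INNO_STAGE_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    description: str
    indicator: str  # file path or registry key
    value: str      # data written by "Set value" rows (quotes kept), else ""
    process: str
    target: str


def parse_event(line: str) -> Event:
    """Split one table row into columns.

    Both the indicator and the process path may contain spaces ("Program
    Files (x86)", "License Support Win64.exe"), so the row is cut at the
    LAST " X:\\" boundary instead of on whitespace.
    """
    m = DESCRIPTION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    description, rest = m.group(1), m.group(2)
    rest, _, target = rest.rpartition(" ")          # trailing Target column
    boundaries = list(PROCESS_BOUNDARY_RE.finditer(rest))
    if not boundaries:
        raise ValueError(f"no process path in row: {line!r}")
    cut = boundaries[-1].start()
    indicator, process = rest[:cut], rest[cut + 1:]
    value = ""
    if description.startswith("Set value"):
        indicator, _, value = indicator.partition(" = ")
    return Event(description, indicator, value.strip(), process, target)


def classify(ev: Event) -> List[str]:
    """Review flags for one event; an empty list means 'routine'."""
    flags = []
    ind = ev.indicator.lower()
    if ev.description.startswith("File") and ind.endswith(".sys"):
        flags.append("kernel-driver")
    if (ind.startswith(SYSTEM_DIRS) and ind.endswith((".exe", ".dll"))
            and "\\driverstore\\" not in ind):
        flags.append("system-dir-binary")
    if INNO_STAGE_RE.search(ev.process):
        flags.append("inno-setup-stage")
    if "\\enum\\scsi\\" in ind:
        flags.append("scsi-write" if ev.description.startswith("Set value") else "scsi-enum")
    return flags


def triage(rows: List[str]) -> Dict[str, object]:
    """Per-process row counts plus every flagged indicator, keyed by flag."""
    events = [parse_event(r) for r in rows if r.strip()]
    # Basename, lower-cased, so system32\msiexec.exe and syswow64\MsiExec.exe merge.
    by_process = Counter(ev.process.rsplit("\\", 1)[-1].lower() for ev in events)
    flagged: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for flag in classify(ev):
            flagged[flag].append(ev.indicator)
    return {"events": len(events), "by_process": dict(by_process),
            "flagged": {k: sorted(v) for k, v in flagged.items()}}


# Constructed sample: ten rows copied verbatim from this report's tables.
SAMPLE_ROWS = r"""
File created C:\Windows\SysWOW64\dnssd.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ilokdrvr64.inf_amd64_4127472559851c12\iLokDrvr.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\dns-sd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
File created C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr.sys C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\pnputil.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
"""

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS.strip().splitlines())
    print(f"{result['events']} events")
    for proc, n in sorted(result["by_process"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:3d}  {proc}")
    for flag, paths in sorted(result["flagged"].items()):
        print(f"[{flag}]")
        for p in paths:
            print(f"  {p}")
```

Run against the full tables, the per-process grouping shows that every row of the SCSI table is attributed to DrvInst.exe, pnputil.exe, svchost.exe or vssvc.exe rather than to the sample's own executables, and the kernel-driver flag isolates the iLokDrvr.sys copies (staged under Common Files\PACE by msiexec, then into DriverStore by DrvInst) from the several hundred routine installer writes. The SnapshotDataCache value written by vssvc.exe decodes to the ASCII magic SNAPPART in its first eight bytes, which the test below checks.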

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID\ = "Bonjour.DNSSDRecord" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F} C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\CLSID\ = "{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B0163E6D0340BE4183EB2758E9BEDD8 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ = "DNSSDRecord Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D6E0FC12667136f48A3356A4B112AB68\iLokLicenseManagerShortcut C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID\ = "Bonjour.DNSSDRecord.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID\ = "Bonjour.DNSSDService.1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager.1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC90.OpenMP,type="win32",version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e0032005f0072002700710025004a006a004a0034007600780044002800660049004c0067005a00780000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\SourceList\PackageName = "Bonjour64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods\ = "7" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ = "IDNSSDService" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D6E0FC12667136f48A3356A4B112AB68 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID\ = "Bonjour.DNSSDService" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D6E0FC12667136f48A3356A4B112AB68\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ = "TXTRecord Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.MFC,type="win32-policy",version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e005e002a00320070005a00740060003f0050003500620061005700370038003400280076006c006b0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord.1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS\ = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B0163E6D0340BE4183EB2758E9BEDD8\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ = "DNSSDService Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f0060005d0072002d00580035006a00530041005f006e00490076003f00500055005a004100530052006500640069007300740072006900620075007400610062006c00650073003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE} C:\Windows\system32\msiexec.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp N/A
N/A N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 828 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 828 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 828 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp
PID 2336 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Users\Admin\AppData\Local\Temp\is-3Q8HI.tmp\_isetup\_setup64.tmp
PID 2336 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Users\Admin\AppData\Local\Temp\is-3Q8HI.tmp\_isetup\_setup64.tmp
PID 2336 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 2336 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 2336 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp C:\Program Files\Soundtoys\Utilities\License Support Win64.exe
PID 4212 wrote to memory of 3292 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 4212 wrote to memory of 3292 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 4212 wrote to memory of 3292 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe
PID 3292 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe
PID 3292 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe
PID 3292 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe
PID 4212 wrote to memory of 3376 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 4212 wrote to memory of 3376 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 4212 wrote to memory of 3376 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe
PID 3376 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe
PID 3376 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe
PID 3376 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe
PID 4212 wrote to memory of 2372 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 4212 wrote to memory of 2372 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 4212 wrote to memory of 2372 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\msiexec.exe
PID 3656 wrote to memory of 4140 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3656 wrote to memory of 4140 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3656 wrote to memory of 2712 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2712 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2712 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2088 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3656 wrote to memory of 2088 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3656 wrote to memory of 3360 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 3360 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 3360 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4212 wrote to memory of 3744 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\wusa.exe
PID 4212 wrote to memory of 3744 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\wusa.exe
PID 4212 wrote to memory of 3744 N/A C:\Program Files\Soundtoys\Utilities\License Support Win64.exe C:\Windows\SysWOW64\wusa.exe
PID 3656 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3656 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2808 wrote to memory of 856 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 856 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2660 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2660 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2376 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2376 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2292 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2292 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 3784 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 3784 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2896 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2896 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 4784 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 4784 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2204 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 2204 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 1212 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 1212 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 3628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 3628 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 4068 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe
PID 2808 wrote to memory of 4068 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe

"C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"

C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp" /SL5="$4014C,226646490,848384,C:\Users\Admin\AppData\Local\Temp\LittleAlterBoy5_5.4.1.17134_64.exe"

C:\Users\Admin\AppData\Local\Temp\is-3Q8HI.tmp\_isetup\_setup64.tmp

helper 105 0x4A4

C:\Program Files\Soundtoys\Utilities\License Support Win64.exe

"C:\Program Files\Soundtoys\Utilities\License Support Win64.exe"

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" /quiet /norestart

C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe

"C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe" -burn.filehandle.attached=656 -burn.filehandle.self=684 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" /quiet /norestart

C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=516 /quiet /norestart

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi" /quiet /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding FE6DFDA8C9965D9C94A386B9FE4F25D6

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E94C03BAB03C172780FCC5DB496F525E

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 94D514893A827BD844D860106583078E E Global\MSI0000

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"

C:\Program Files\Bonjour\mDNSResponder.exe

"C:\Program Files\Bonjour\mDNSResponder.exe"

C:\Windows\SysWOW64\wusa.exe

"C:\Windows\system32\wusa.exe" "C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{4EF18522-4489-4423-9A67-6903B272672E}\Windows8.1-KB2999226-x64.msu" /quiet /norestart

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A6FD7FADAADF5C182796FAB979FABB91 C

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67041ADA-05AC-4173-846A-639449C3442D}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13623D78-6BCB-4D5B-832F-B71AF69C32C8}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7FD01E6-D7CB-491E-B5D5-8BF1802601E5}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8DC4814D-3F9B-4C10-9444-4725C610BD3D}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BE30E6E0-DE5C-495F-8F3C-9DDBF0821F15}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B0CE265B-2A53-48C7-BD79-5E8C5A3CDD63}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54A6F5E5-4905-47C3-A058-32328F089188}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C5259E0-CCA1-4192-8D2A-A570D18D6EA8}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AACB97CA-6B4A-45C4-89BB-3645CB1B580E}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8904BC8-F5CA-4BE2-AF1F-31962160E663}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0029FAB-180C-4167-AECC-2E12C8C10623}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F5272278-59D6-4F34-AE36-6605BD6534A5}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51DB5997-FFEA-46B0-995E-8E5A55D3FBA6}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4D471D45-9CFF-4B6A-8C93-53ECEF0B0AB4}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F244C47E-28AC-4878-8616-159B0066530B}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10647409-929D-4363-AAD7-B7142A061C19}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DBB4AE5D-09C2-42C1-90E7-3B8ED3603413}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30FFE9B2-D36A-4781-9F52-DAEC4037587A}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B34182A-FE3E-41E7-873D-441CE5A53AB4}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10EEA2D3-0866-49EC-89D0-7E7EAA97C4C4}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7F259611-A1F7-42A9-9EBB-15BAFB4B0894}

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF244929-D762-45C6-AD2D-898ABC000751}

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 428C36B5FED206A70A0F03312DEB27DD

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D2FDCB5-580E-4ABB-B122-0F4C29C129A8}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C05ACBB-08CF-4485-913F-5AA536BB5773}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A362E7F-D714-4399-82A8-92AED14A4E40}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA0790A0-18A7-42C1-B98B-2756B0058284}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{786D61D9-CBC5-404F-9535-3951E59E7E61}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13777CB9-BF67-4083-9D83-29A0F7C01B3B}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1CBD1DFA-66F6-49D4-AD03-48BD6C8127FE}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CD3A2866-EF02-48EA-B90B-4E910096826B}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{152C9D56-190B-4783-99AD-9E81FB46C1BB}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{391E12A1-E140-46E5-9952-4A3FFC7CB173}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60908E5E-7E0D-4CCF-9F07-076B54207C33}

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 11C342A4354C8D60036F5C0D44FBDD12 E Global\MSI0000

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F420C333-CAF9-4E93-AD34-6BCDAFF42696}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5D72C2E7-CA97-4B0C-A80F-3A053591A92C}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{259AB277-388E-4A09-9A25-DC5CADF8D498}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE3B7F10-E41B-42E3-8579-DC12980E8008}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DFC6A228-5A93-44A3-B80A-BAD0741E88C1}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E61E9C7A-CBFB-44DB-873A-C0437ACB04BD}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF4C7426-C96D-4FCF-9BAF-1A1F07B60307}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B0698C78-2199-4F90-A133-DBA080E7930D}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C992071-8DBF-4554-91DE-7475269FA490}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2BFCC8D-A4FB-4463-8269-CC9013295258}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F44C6C6D-2AF5-445F-B580-91624181E418}

C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe

"C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe" -u https://activation.paceap.com/InitiateActivation

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7BEDCAC-A3D0-4849-B923-8FC25BD126CE}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85EBCE29-4CCA-420D-B41A-3400E519D5CD}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B491657-EB64-47B8-8F54-0394136DAAF8}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{25FCE35D-C56D-4606-8BEA-BCEA02B3845A}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{978CA39C-B6BE-49FB-8328-FEA0358344FD}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59F5D3EB-E423-49C0-A43F-D60EC50CB918}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DB3AE918-7BB2-44B5-ACA6-8F003DBFABC0}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{079E20E7-E25C-458A-9390-6AB230C3821A}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FFF3B989-1925-4C59-9685-1F7D115EF21F}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{40BCB509-6672-4AE9-920F-0394FE6B7DE1}

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{EAAD2DA1-5098-4EA2-8927-FE18BCB7C3EA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F227066-2785-4E7F-A39D-D3BB86170B01}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Scripts\iLokPnputil.bat" --install EV

C:\Windows\system32\net.exe

C:\Windows\system32\net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\pnputil.exe

C:\Windows\System32\pnputil.exe -i -a "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr64.inf"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{95143881-6bb2-c344-81cc-14a6891a0920}\iLokDrvr64.inf" "9" "4e4857d87" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV"

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA33C96B-821F-4036-99C9-9CAA9038D0F6}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77D78092-B61B-4F60-9DC3-2D7733AFE910}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{76848E45-5EB2-449F-A895-BA5E65E9D090}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A625AED-A9AE-4FD1-BA65-69167CC1740F}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B52D254-89CB-4FC3-BADD-2FB3D438B888}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83AC44DE-3309-4E37-AAFF-3DDFFBB14107}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E706F33-63C8-49A2-91A9-30582D48AA96}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DC54E6B-6395-47EE-BA61-A0F7263CBFEC}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E3D12385-C9DA-428A-963E-10827E3A2B5C}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A09DA4EB-37D1-436C-BBA2-E72CD8AD2791}

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F72E38CB-CF4D-457E-A7D0-B6A57371D201}

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
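
The process list above is raw sandbox output, and most of it is InstallShield's ISBEW64.exe custom-action host being launched dozens of times (it is also the target of the MsiExec.exe PID 2808 WriteProcessMemory entries above). The script below is an added example, not sandbox output and not the vendor's code: it runs a handful of command-line rules over a subset of those lines, copied as printed, to pull out the actions an analyst should verify by hand. The rules cover the `net session` call that batch files commonly use as an "am I elevated?" test before pnputil, the PnPUtil staging of iLokDrvr64.inf, the MsiExec `/Y` self-registration of Bonjour's mdnsNSP.dll (a Winsock namespace provider), the srtasks.exe restore-point creation that is a benign reason for vssvc.exe to start and for a VSS COM API signature to fire (no shadow-copy deletion appears in the list), the rundll32-hosted COM local server, the WiX Burn clean-room relaunch of VC_redist, and the activation URL handed to LDSvc.exe. The rule names, `triage()`, `summarize()` and `callout_urls()` are this example's own.

```python
"""Run a few command-line rules over a sandbox process list.

Added example for this report, not sandbox output. RULES, triage(),
summarize() and callout_urls() are this example's own; SAMPLE_CMDLINES
is a constructed subset of the command lines printed above, copied as-is."""
import re

# (label, pattern, what the analyst should check when it fires)
RULES = [
    ("admin-check", re.compile(r'\bnet1?(\.exe)?\s+session\b', re.I),
     "'net session' fails when not elevated; batch files use it as an 'am I admin?' test"),
    ("driver-install", re.compile(r'pnputil(\.exe)?\s+.*(-i\s+-a|/add-driver)', re.I),
     "kernel driver package staged through PnPUtil; inspect the .inf and the .sys signer"),
    ("dll-selfreg", re.compile(r'msiexec(\.exe)?"?\s+/y\s+', re.I),
     "MsiExec /Y calls DllRegisterServer; a Winsock NSP registered this way loads into every socket-using process"),
    ("silent-msi", re.compile(r'msiexec(\.exe)?"?\s+/i\s+.*(/quiet|/qn)', re.I),
     "silent MSI install; record the package path and hash"),
    ("com-localserver", re.compile(r'rundll32(\.exe)?\s+.*SHCreateLocalServerRunDll', re.I),
     "COM local server hosted by rundll32; resolve the CLSID under HKCR\\CLSID"),
    ("restore-point", re.compile(r'srtasks(\.exe)?\s+ExecuteScopeRestorePoint', re.I),
     "System Restore point creation; a benign reason for vssvc.exe and VSS COM use"),
    ("msu-install", re.compile(r'wusa(\.exe)?"?\s+.*\.msu\b', re.I),
     "Windows update package installed with wusa"),
    ("burn-cleanroom", re.compile(r'-burn\.clean\.room=', re.I),
     "WiX Burn bundle re-launching itself from a clean-room copy under C:\\Windows\\Temp"),
    ("license-callout", re.compile(r'LDSvc(\.exe)?"?\s+-u\s+(https?://\S+)', re.I),
     "licensing service given an activation URL; expect outbound HTTPS to that host"),
    ("installshield-helper", re.compile(r'ISBEW64\.exe\s+\{[0-9A-F-]{36}\}:\{[0-9A-F-]{36}\}', re.I),
     "InstallShield 64-bit custom-action host; the target of the MsiExec WriteProcessMemory entries"),
]

URL_RX = re.compile(r'https?://\S+')

# Constructed sample: command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\Scripts\iLokPnputil.bat" --install EV',
    r'C:\Windows\system32\net session',
    r'C:\Windows\system32\net1 session',
    r'C:\Windows\System32\pnputil.exe -i -a "C:\Program Files (x86)\Common Files\PACE\iLokDriverPackages\EV\iLokDrvr64.inf"',
    r'"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"',
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{15D7BF62-B111-49C3-9E82-1E5859612E57}\Bonjour64.msi" /quiet /qn',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
    r'C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2',
    r'"C:\Windows\system32\wusa.exe" "C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{4EF18522-4489-4423-9A67-6903B272672E}\Windows8.1-KB2999226-x64.msu" /quiet /norestart',
    r'"C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=516 /quiet /norestart',
    r'"C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe" -u https://activation.paceap.com/InitiateActivation',
    r'C:\Users\Admin\AppData\Local\Temp\{8CEF2083-C378-4667-A1DA-5113FD486453}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67041ADA-05AC-4173-846A-639449C3442D}',
    r'C:\Users\Admin\AppData\Local\Temp\{CF3B1BB9-B215-43C4-8BCC-29069F9D607F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D2FDCB5-580E-4ABB-B122-0F4C29C129A8}',
]


def triage(cmdlines):
    """Return [(label, note, cmdline)] for every rule that fires on every line."""
    hits = []
    for line in cmdlines:
        for label, rx, note in RULES:
            if rx.search(line):
                hits.append((label, note, line))
    return hits


def summarize(cmdlines):
    """Hit count per label, so dozens of ISBEW64 launches do not bury one pnputil call."""
    counts = {}
    for label, _, _ in triage(cmdlines):
        counts[label] = counts.get(label, 0) + 1
    return counts


def callout_urls(cmdlines):
    """Every URL passed on a command line; these are network indicators independent of DNS."""
    return sorted({m.group(0) for line in cmdlines for m in URL_RX.finditer(line)})


if __name__ == "__main__":
    for label, note, line in triage(SAMPLE_CMDLINES):
        print(f"[{label}] {line}\n    {note}")
    print(summarize(SAMPLE_CMDLINES))
    print(callout_urls(SAMPLE_CMDLINES))
```

Run against the full process list, the per-label counts are what matter: one driver install and one NSP registration are worth a manual look; fifty ISBEW64 launches are a property of InstallShield, not of this sample.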

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 csc3-2010-crl.verisign.com udp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
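
The table above mixes three different kinds of row: reverse (PTR) lookups of addresses the VM spoke to, forward name lookups, and the two actual TCP connections. The script below is an added example, not sandbox output: it embeds the table as printed, rewrites each in-addr.arpa name back to the address it asks about (200.197.79.204.in-addr.arpa is 204.79.197.200, the g.bing.com endpoint a few rows earlier), and leaves the rows that describe real traffic: the port 80 fetch from csc3-2010-crl.verisign.com, consistent with a CRL download during Authenticode verification of the signed installers, and the multicast 224.0.0.251:5353 (mDNS) packets expected once mDNSResponder.exe is running. `parse_rows()`, `ptr_to_ip()`, `classify()`, `ptr_targets()` and `contacted_hosts()` are this example's own helpers.

```python
"""Separate a sandbox Network table into reverse-DNS noise, forward
lookups, multicast and real connections.

Added example for this report, not sandbox output. The helpers are this
example's own; SAMPLE_TABLE is the table printed above, embedded so the
script runs offline."""
import ipaddress
import re

SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 csc3-2010-crl.verisign.com udp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
"""

PTR_RX = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def ptr_to_ip(name):
    """'79.121.231.20.in-addr.arpa' -> '20.231.121.79'; PTR names carry the octets reversed."""
    m = PTR_RX.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def parse_rows(text):
    """One dict per data row. The multicast row has no Domain column, so
    rows are split on whitespace and handled by field count."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(rows):
    """Buckets: 'ptr' reverse lookups, 'dns' forward lookups, 'multicast'
    (mDNS and friends), 'connection' for everything that is not DNS."""
    buckets = {"ptr": [], "dns": [], "multicast": [], "connection": []}
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_multicast:
            buckets["multicast"].append(r)
        elif r["port"] == 53 and r["proto"] == "udp":
            if r["domain"] and ptr_to_ip(r["domain"]):
                buckets["ptr"].append(r)
            else:
                buckets["dns"].append(r)
        else:
            buckets["connection"].append(r)
    return buckets


def ptr_targets(rows):
    """Addresses whose reverse names were looked up; cross-check against the connections."""
    return sorted({ptr_to_ip(r["domain"]) for r in classify(rows)["ptr"]})


def contacted_hosts(rows):
    """(domain, ip, port, proto) for real connections, i.e. what to block or hunt for."""
    return [(r["domain"], r["ip"], r["port"], r["proto"]) for r in classify(rows)["connection"]]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    for name, bucket in classify(rows).items():
        print(f"{name}: {len(bucket)} rows")
    print("reverse-looked-up addresses:", ptr_targets(rows))
    print("connections:", contacted_hosts(rows))
```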

Files

memory/828-0-0x0000000000400000-0x00000000004DC000-memory.dmp

memory/828-2-0x0000000000400000-0x00000000004DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PL0PH.tmp\LittleAlterBoy5_5.4.1.17134_64.tmp

MD5 3d9fe4c7359d7bb512a86ecb17c42a37
SHA1 79fb651f042d5b2c882c405cde1dc8383b8add60
SHA256 069211bd28e0db91fdc24ba58008c5787b1a09d1cd6ebeaefbeb24ef4522c8fa
SHA512 9f6e26445cec5f6d6518bfdb0d1b6030d2a5f6317e8719716de8dfa8de5a2f63ce780bda1986ebb2ce4caf5ed418135ee2e0859b5fb11cc243113287b40f2682

memory/2336-6-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/828-8-0x0000000000400000-0x00000000004DC000-memory.dmp

memory/2336-9-0x0000000000400000-0x00000000006FF000-memory.dmp

memory/2336-11-0x0000000000400000-0x00000000006FF000-memory.dmp

memory/2336-12-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/2336-14-0x0000000000400000-0x00000000006FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3Q8HI.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

memory/2336-71-0x0000000000400000-0x00000000006FF000-memory.dmp

C:\Program Files\Soundtoys\Utilities\License Support Win64.exe

MD5 58e116772187550f7090e6753d1c1532
SHA1 c2c0f0258d54f03ce1d96e86cc6a745655a4da4a
SHA256 d053c115877caf04f6bd604e06d1a14f94323722e24abfe732f378399da26acc
SHA512 f24550e29b923093562c070b2ff4b14420c64e3f956fe7f1b089cd0893db8d22b83c63fe6d5233c3af38000481a8396bd98d4b8f7a2896a115cc06032c2a90fc

C:\Program Files\Soundtoys\Utilities\License Support Win64.exe

MD5 4a4b910f8dd56ca229aed91ea540e0b9
SHA1 9fdbb594aa7fcbdf77769b09af23a964d0725084
SHA256 aaf9072bf80c4ba03c9bc9db191e9927f9b9b47ce33c2d25fa9768ec2f70c4d5
SHA512 8972817f3399be3ff79c23b6d7f6406d4c2de61a3fe9665ee9dbc56d0fc2a474015b425f489d28890206ec5ba6241f30a1a1b3e5024498c0a0bcdbb071079bfc

C:\Users\Admin\AppData\Local\Temp\~F973.tmp

MD5 6098f128cf6fe5ddbe128d5cb301c854
SHA1 be8df9ee61475ff6d5913c368e65a1609134fe5a
SHA256 a59e8507bc4beb36b347b43340def8614028f1cf246f7406b63bee70ecea3e03
SHA512 ea0de1f365eae76db99798fe2a8a58614dc1cc35e1a96a4eed558adc011ff1ff8fab74713e687f54775770757b27049541597429b52780f3e5172510aea35430

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\0x0409.ini

MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe

MD5 38319018aa84855b18cffd4e75153334
SHA1 a712c1bda8cdc965271c6bed5d0e91e5e101039d
SHA256 885160691f5b2fa0a744dfacfb73826ef17066e2b392c44735d40297e27a11d1
SHA512 c59cc82433cd41c2cda52940007383642e57fa0388ba1a4eb28dc4665a3fcb7d9e3e299a8ca5df0dad1ba54c293c453a91b3ae6466494b41193d17454a39e23e

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe

MD5 90beae9e0c97762b3c73171ca9c03405
SHA1 adb82f77c66073f8e9d70011599b01a527b0e589
SHA256 5751bd031a2b66594b479c52a09e002732446009249990bc6dc93a5d67e24016
SHA512 5deba79367884c1c4e95d420b5a5a14269107910db7a133cc90efa957d6cdbd932efca3a2b0ca9d7cf600a7132e89e6d00da60334f7ed9f8ef3c01298fdd42a1

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{2315E48F-4829-48AA-82FB-7AE4975F75C2}\VC_redist.x86.exe

MD5 da2d4f901a4b553e427ce2a724de0988
SHA1 bd03a67bd84bc0f0527562f2cd8db4f6d27b8cf7
SHA256 48d7aae7c9976252d427a6a0e0b77a2e35737c9d07dc98ec02163e9500704c4f
SHA512 c7b69065bd25027f7fca0226cd5cdf070df60e82f960eb30235e7e5375a4152b36f9dfa0f7ec15a597720cfc7600a6609d6f764cd31431fad7a3007d30358e8b

C:\Windows\Temp\{6D9F4CAE-CD8F-4B89-AD68-CAC6F670E647}\.cr\VC_redist.x86.exe

MD5 c9d95472a5627c6c455e74c8b8fef5be
SHA1 34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82
SHA256 4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b
SHA512 989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

C:\Windows\Temp\{6B65C794-5734-443D-A0C3-6AA0AA94CCA1}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{6B65C794-5734-443D-A0C3-6AA0AA94CCA1}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe

MD5 ce7de2ab528950957701c38dec29ff28
SHA1 360809e59e98a2065f5c338d3e1dcc7a11e70e26
SHA256 5a03723d5ada9f94fa67184364704fc3e8b85b9b35477276879b74828815d97b
SHA512 66ba6197099a3ea529916c688e364dfb147762058083a78ef8bb42177e12c586ab0c343a665277a0e933bda0b25318cdf5294bb4c5495d077f74de3294c21f5c

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe

MD5 e21c092c03d04b7af5771cc664b48007
SHA1 5a7f38c97b77fe906a7cf464b2bf4c1743b66b6d
SHA256 71e03df965f45f2c594bd0b4754556924a813489f4201864bd1d4388353215fa
SHA512 6552fb9cd109247cbf5866ce928c604dfb58b29fddbb00b0f7fc5325b9b65a19dd5f6371effd775eb7c5e7c0a98abe2aa1383ca8c8e05f9853dc833e87969273

C:\Users\Admin\AppData\Local\Temp\{EFCE9029-378B-4593-8360-1C17DABCC2AB}\{49781A96-DB12-46B4-86C7-F1682BAD6C12}\VC_redist.x64.exe

MD5 201329dbd79492234c05453cc06cd00a
SHA1 6037a2f859da61b9fea2c09d07276afaee3df19c
SHA256 258e66655e58e103be1642c479e77b70feee7e739aa513bcd810242a2a7769ee
SHA512 a0dfe5137a838cde23c30328a2c611b2fc2c8858482fa8ebf625ddbcee4904b09ce1ba2876d8d612f9b5c81778f6e4a270fede5e7f0bb062e54b055bb619ed40

C:\Windows\Temp\{0B6FE875-46BB-478C-B771-F004B007A3FD}\.cr\VC_redist.x64.exe

MD5 c75656c2253f1058f83cd3c3c743eece
SHA1 6665da5a6c0c678afe19e87f0e1d8ef931e91052