Analysis

  • max time kernel
    89s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 21:32

Errors

Reason
Machine shutdown

General

  • Target

    VOCALOID6_Editor_6.3.0.exe

  • Size

    656.0MB

  • MD5

    8566aa91af78b2cbe90972b1e2fd1701

  • SHA1

    c71bda0fd7403fb9efc07cfd5f33beb5ede82e7a

  • SHA256

    cb54085178b9605c8135604001e19adeae487d6a1a837dc71c39239ed012613f

  • SHA512

    46de2116a5702f86d5269ba3eb6b903821e16c6b14cdc4a0c80e936d5d1d93e3322c099a99d0abbb23f3c135d381fd5fee1bd4060c590b9d4c0f44992f6a3a41

  • SSDEEP

    12582912:MuYh59VFizqPYC921Q2TB+UubKneKK4hirXbwmYUdaAIiqsYFWpjKjOvBzN1:zYh59VSqPkG2N+Uo46MdF4jk81

Malware Config

Signatures

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 19 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 50 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 49 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
      C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}" /IS_temp
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\system32\MSIEXEC.EXE
        "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6 Editor.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="VOCALOID6_Editor_6.3.0.exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{4FE1C2E5-333E-4ADF-8ABE-CCC837BE1F7F}"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2420
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5CD0C98CE174D700B624813403FCB686 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
        "C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /embed"{AC2262B2-A183-4D3A-9348-FBCB66D8277B}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST\""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
          C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}" /embed"{AC2262B2-A183-4D3A-9348-FBCB66D8277B}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST\"" /eprq /IS_temp
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
            "C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe" /install /quiet /norestart
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
              "C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
                "C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe" -q -burn.elevated BurnPipe.{9DE61085-9164-4089-ADA7-2BD9032F2970} {AA920AA7-FBA4-451D-B3DF-4184AC7527BC} 2828
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:2732
          • C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
            "C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" /q /norestart
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2164
            • C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe
              "C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /q /norestart
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:600
              • C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe
                "C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{BBC55D80-AA8A-4E96-A956-470955167216} {6197D4DD-D3B3-4315-8255-3A5B32E04AA7} 600
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:2972
                • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                  "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=500 -burn.embedded BurnPipe.{89B46264-6278-429C-8709-987856F05E48} {85D40D3D-EC48-4152-A2E3-EF16B9F4B4D3} 2972
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:616
                  • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                    "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=500 -burn.embedded BurnPipe.{89B46264-6278-429C-8709-987856F05E48} {85D40D3D-EC48-4152-A2E3-EF16B9F4B4D3} 2972
                    9⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2628
                    • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                      "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{86ED072D-D3A0-4C34-8430-ECB9921F2440} {358C7505-7957-4784-8734-A0F635FFB668} 2628
                      10⤵
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:1012
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F85600F44627DB0E3133CFBB87880117
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1DDD5DCBAA4A03803F5D46F46939FA7
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1564
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C15E0F71540CFB2458D0C1DE20FC15DC
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2384
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1C710EC45715C5285F974A13A7AB81B2
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1776
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1584
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004BC" "00000000000005E0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2744
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1908
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1944
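The tree above is the part of this report worth scripting against: the installer runs from the user's Temp directory, re-launches itself from a GUID-named Temp folder, hands off to msiexec with a transform (.mst) that also lives in Temp, and the bundled .NET and VC++ redistributable installers spawn elevated WiX Burn children (the `-burn.elevated` / `BurnPipe.{...}` arguments), which is where the "Adds Run key" and "Drops file in Windows directory" hits come from. The script below is example code added to this page, not the sandbox's own tooling: it parses the bullet / depth-marker / PID layout used above into records with parent links and runs three triage checks over them. SAMPLE is a constructed excerpt of the tree above cut down to five processes, and TEMP_DIRS is this example's assumption about which directories count as user-writable staging areas.

```python
"""Parse a sandbox process tree in the bullet / depth-marker / PID layout used
on this page and run a few triage checks over it.  Example code added to this
page, not the sandbox's own tooling; SAMPLE is a constructed excerpt of the
process tree above, cut down to five of its processes."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"
  1⤵
  • Loads dropped DLL
  PID:1608
  • C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
    C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}" /IS_temp
    2⤵
    • Executes dropped EXE
    PID:3048
    • C:\Windows\system32\MSIEXEC.EXE
      "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6 Editor.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="VOCALOID6_Editor_6.3.0.exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{4FE1C2E5-333E-4ADF-8ABE-CCC837BE1F7F}"
      3⤵
      • Blocklisted process makes network request
      PID:2420
• C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  1⤵
  • Drops file in System32 directory
  PID:1060
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 5CD0C98CE174D700B624813403FCB686 C
    2⤵
    • Loads dropped DLL
    PID:2236
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
# Assumption of this example: user-writable staging directories worth flagging.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int = 0
    parent: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """A record is '• <image>', '<command line>', '<depth>⤵', zero or more
    '• <signature>' lines, then 'PID:<n>'.  Parent = last PID seen at depth-1."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs, last_at_depth, cur = [], {}, None
    for i, ln in enumerate(lines):
        m = DEPTH_RE.match(ln)
        if m:
            depth = int(m.group(1))
            cur = Proc(image=lines[i - 2][2:], cmdline=lines[i - 1], depth=depth,
                       parent=last_at_depth.get(depth - 1))
            continue
        m = PID_RE.match(ln)
        if m and cur is not None:
            cur.pid = int(m.group(1))
            last_at_depth[cur.depth] = cur.pid
            for d in [d for d in last_at_depth if d > cur.depth]:  # forget the previous subtree
                del last_at_depth[d]
            procs.append(cur)
            cur = None
        elif cur is not None and ln.startswith("• "):
            cur.signatures.append(ln[2:])
    return procs


def launched_from_temp(procs: List[Proc]) -> List[int]:
    """PIDs whose image was executed from a staging directory."""
    return [p.pid for p in procs if any(t in p.image.lower() for t in TEMP_DIRS)]


def msiexec_with_temp_transforms(procs: List[Proc]) -> List[int]:
    """msiexec invocations applying a .mst transform staged in a temp directory."""
    hits = []
    for p in procs:
        m = re.search(r'transforms="([^"]+)"', p.cmdline, re.I)
        if p.image.lower().endswith("msiexec.exe") and m \
                and any(t in m.group(1).lower() for t in TEMP_DIRS):
            hits.append(p.pid)
    return hits


def ancestry(procs: List[Proc], pid: int) -> List[int]:
    """Root-to-leaf PID chain for one process."""
    by_pid, chain = {p.pid: p for p in procs}, []
    while pid is not None:
        chain.append(pid)
        pid = by_pid[pid].parent
    return chain[::-1]


def pids_with_signature(procs: List[Proc], name: str) -> List[int]:
    return [p.pid for p in procs if name in p.signatures]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for p in tree:
        print(" -> ".join(map(str, ancestry(tree, p.pid))), p.image)
```

Pointing `parse_tree` at the full tree above instead of SAMPLE works unchanged; the depth markers are what carry the parent/child structure, so sibling subtrees (the two top-level `msiexec.exe` roots, or the parallel .NET and VC++ chains under PID 1032) resolve correctly without relying on indentation.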

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Config.Msi\f7742fd.rbs

          Filesize

          55KB

          MD5

          a89c5b303d8c8b36945783f81f7cce7b

          SHA1

          4743ed35c4b53d8a43beef277e3ecf91ec46b88c

          SHA256

          16e9a94323e07c2fd7a706fa56e1ac5544cf9c1411edfb330806ab1558ae2bc7

          SHA512

          2cc73014d81430adfaa4056f16c2b6ffbc62b0b5823974760a5fc7d0de477a0cd96af3eabe6e6251a117c2621eeb70a82222d1d1c54019f233ad786f62888280

        • C:\Config.Msi\f774303.rbs

          Filesize

          8KB

          MD5

          5f520a5826b5bc4c08f057a0d2e199a9

          SHA1

          834cc6b8a7ceb33db82cbe1ea88c33214c69e90a

          SHA256

          7ed0d7d3b3bc87ecb5b37ce806d23ff52560d9f76d8d4628b4025969e3544d8a

          SHA512

          d875ea460d40545945b39ff6ef7540d69c3758e1f4adaeda3c3bcd961bbadbf9282367d921eb11ce22c84037a61e70e9b9823deb6f76c5b3cdf63668f765b914

        • C:\Config.Msi\f774309.rbs

          Filesize

          9KB

          MD5

          b8b16c93685d552facb8a33a7558df89

          SHA1

          61eb66a6eb06b5fcb67a545f8d6478fb4615debe

          SHA256

          bfea4cef045c2ab81a3cc0cd84cf4fbfc252c06b4fc19fb0d3e3117273687565

          SHA512

          a6b6dc8b4a05cefd909ba2eea2a7b439f90172703a6ba6c3197c02988e465927215934e0f806e4695751fb1333eb84eb3d72c2a3f5157f425d388b4afdab7e7e

        • C:\Config.Msi\f77430f.rbs

          Filesize

          86KB

          MD5

          65a86dd545146f6b1876efe29305ac00

          SHA1

          ed580dd1f5052db9675676afee092c02c820b560

          SHA256

          02347f6a8e381ae3e490802e6bc269b0ca5d2f4ba9762264f158cd14e5e2d6c8

          SHA512

          2cc873f6775bd800fe5e5be8a485456da831bca893d3b73c67f0c031095efd870ffbab383494bf2d507bb88125de2f563a20d41ad8abd3406ef35bdcae8f9ca9

        • C:\Config.Msi\f774317.rbs

          Filesize

          17KB

          MD5

          385cb0d0d1fc4319941353ec7b523384

          SHA1

          a7715ecdf49e162846f8929c745ac4b01f522c30

          SHA256

          6574403e598944e3f63de6be2a3c90ca6a0155b1edd34392514c77905c11f895

          SHA512

          cef0f7027a490736cc6667ea691fe29e19d23db988aff39b396fb4bb3e7c2aebe98b9e7f3aff049049bd5e41aec562705ba5139afde6d4155483ca389108a6b4

        • C:\Config.Msi\f774323.rbs

          Filesize

          16KB

          MD5

          3795117174739287be65293da4ae49ba

          SHA1

          1c4f572384ad4dcc8c84f697a0c809f232c69f4a

          SHA256

          0d558c337b3878c72aa3202638da5b4dd19889ef659f02155bd185f93b88aa9d

          SHA512

          b952a477d5478c7e14b5413a53cc173910d106196fc447ec6a72c1d2a7ad611102871e4e977fc28e7f4b9b9268c84f44a3b69af1fd13eff0c5dda4c52c51aab2

        • C:\Config.Msi\f77432b.rbs

          Filesize

          18KB

          MD5

          d318a3b9d85b8c4d424edd653cf81b64

          SHA1

          234c9e7ba8f42dceb938eb0ad9e410d6fa571259

          SHA256

          bf933256697469d17d94e53a4191aff49b758bde7d2d43fcb83791574c7c9b98

          SHA512

          7269036d5206d61f79182b2e3a4843eca803e6ae138d855e5eb7a00f00ba74742fede76e9ab97e92832ab214e81f2e0ab94ce4063785c1a9305746f09c826838

        • C:\Config.Msi\f77433a.rbs

          Filesize

          17KB

          MD5

          ca56cf39d757fa79497b5ba7b09c0e8b

          SHA1

          da076ca16008725c2190bba984c2fe881f3fe227

          SHA256

          33b15c7be9f305c8c57495c8c9fb24537be70f4d0c073d57a548615fde5b771b

          SHA512

          50498d7fd7fae0b69a64e26eaa7ff2ad9db5fad806f182b6a9b99ac197a2f7541c198b61ba13a0cd761ee815f847797fc9cf96c9daae59eaf680133c434e1e81

        • C:\Program Files\dotnet\LICENSE.txt

          Filesize

          9KB

          MD5

          31c5a77b3c57c8c2e82b9541b00bcd5a

          SHA1

          153d4bc14e3a2c1485006f1752e797ca8684d06d

          SHA256

          7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d

          SHA512

          ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

        • C:\Program Files\dotnet\ThirdPartyNotices.txt

          Filesize

          78KB

          MD5

          f77a4aecfaf4640d801eb6dcdfddc478

          SHA1

          7424710f255f6205ef559e4d7e281a3b701183bb

          SHA256

          d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7

          SHA512

          1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

        • C:\ProgramData\Package Cache\{24b99d74-a81e-4765-aefe-be853ac47482}\state.rsm

          Filesize

          1KB

          MD5

          aa86a7f2d687a5cef2392e2a82d8ae37

          SHA1

          070ce2c91470a098cf1e9e6b4d3940df319cb06c

          SHA256

          18ee2952f9f737226315991724b7f3554dd1247794e12e33cef40b504af0c47d

          SHA512

          e27262bd50a13560a70834471bc7e8f14e07dbcb719ac8aafae1a08f3d8f8789f3fa6d3d6556f958929019d53cbd0b897ea3970af7dfe868e5c18fa71ec43e57

        • C:\Users\Admin\AppData\Local\Temp\CabFFE4.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\MSI188B.tmp

          Filesize

          284KB

          MD5

          b1143a2201943febfca2595b00a86407

          SHA1

          094149e6743583008524d7e0ec4ceb0fc7f0746e

          SHA256

          f67ca8337a1ebed31f5b8008e43997f99e2a434d661d91d997fd95f718a33dc9

          SHA512

          52b8230e2ee323673c37bec00ee2365c779e909bf7114d74c962c52775255e9ddbd8507980acd1c706c1ed302638d90ec12758961725d8463c92249ad99f48d2

        • C:\Users\Admin\AppData\Local\Temp\MSI28A.tmp

          Filesize

          169KB

          MD5

          a74e09608e2cff5885c99735ef8d7ddf

          SHA1

          77898bf942b9024727cc4da2e1148a809e967469

          SHA256

          17c6051e3a1a2000019ae0ef0b51d2896250f742eedfa45b98d570b9b42da6ae

          SHA512

          6fb770b579b8baba0a4685719ae384d3047ac796d7e03f11cfb77a607738be8fc0471809119b1c786d56a2eda8f47b25865e01dd8ae3235ff757248dbbbd32c5

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_000_dotnet_runtime_6.0.12_win_x64.msi.log

          Filesize

          3KB

          MD5

          35591d186a408c8af0dbe1a83130fc49

          SHA1

          0c8d657c3be2c6a77392ecc5e0e79c058bed9123

          SHA256

          0adfa59ab098a539364bde9eb1f5f37cf31f38217422301fd8098300f21470f0

          SHA512

          750d6af6f7b394f6426fcef9c72c9d27db0e10b6884622e098404a51a5b43182fd37a43d5e3a8a57a3fca874e25d7b29e0fc5598eda9fc6eb92675736238c641

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_001_dotnet_hostfxr_6.0.12_win_x64.msi.log

          Filesize

          2KB

          MD5

          ecf193ee840e6e3ea79ef1b23f8ce596

          SHA1

          61e9935dace4f7fbea72e7a3dd1f99967acc33ef

          SHA256

          630694782f49b8e15ee72e150e1d191a11fb059a62cb46bffcc7d6c9c7e05f34

          SHA512

          dd326c3583aa49ee29be6843e64ea57d0d24d5f965a3c1eb7434f56e800e2bbef4eb43ec26a1977074e29d2b9aea771e9dd3a31415c9b6be8eb6d14a11663324

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_002_dotnet_host_6.0.12_win_x64.msi.log

          Filesize

          2KB

          MD5

          c70d5f1b73699ff91c66ed182d8e15ee

          SHA1

          271f87d3858b9941b6b20e9ed869d2b24a19b7f6

          SHA256

          694ba7370d51014538840723dd76978707caf6ebd26f68adeb3ef84d357da919

          SHA512

          5e504e4a72d969e742feca5c3d7233fb9afebf4c6e9f251f89be8306b827403049239b8cedcfb91c9268491569914e7f92ff27689e778153bee33c3ec401e96e

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_003_windowsdesktop_runtime_6.0.12_win_x64.msi.log

          Filesize

          2KB

          MD5

          9cfe216fcf392bff223f6d044488f945

          SHA1

          2d3e6fb793383d32ceab9aa64af6b172fdab81c3

          SHA256

          b6df92ebb1de4724df38b0f28c1625a4a3de1e8aa9a925e6c1da4d2f50c568d9

          SHA512

          bd46f4f35a015cdf711a25469ee0efbde5f8c0e3b1d346ce9c1e5aeacae379bcabfafb8f3ce787458531f4a918c5d51571825fbba13c83abeffd15465e2b7567

        • C:\Users\Admin\AppData\Local\Temp\Tar16D.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20241109213544_000_vcRuntimeMinimum_x64.log

          Filesize

          2KB

          MD5

          5d4d1ef8b47229372eb87f1beb3ca47c

          SHA1

          8bf961a3db90d3e759bce2dc85d5f260bc3c2926

          SHA256

          ee7235f3da884a11729346f89b52892428ec1d28e969f1385e4747a6da97a2a9

          SHA512

          c047c0ad734b7a70c4d14284c11087a8bd7930ded6e7094b4c22c7c151e86e9f17a9b6bc695d5ffaec994445c0bf82a1d8bfc540db10ea7d210e038167b28c3b

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20241109213544_001_vcRuntimeAdditional_x64.log

          Filesize

          2KB

          MD5

          7005d3dcdb30ca3bf59b9c68dfbbb365

          SHA1

          c444e26b635626707a33c88efd4a0490ac65fac6

          SHA256

          73c3c6a4b835b2e905ef49b5c74557cafd61c3145702901f42ac06e22e18caf3

          SHA512

          1837fb262249ec9a7d4688bd0028697968b48ef964e42456bf4532a0b5f7788c57a77e6ad70f4b44260a20e729cdae53b3847c51143cd63dca5856cf127101d4

        • C:\Users\Admin\AppData\Local\Temp\issF115.tmp

          Filesize

          2.7MB

          MD5

          fdd10a5a9ac6360ee3caba1a704b2f59

          SHA1

          a8169bb8e4c6611eda2c59686a748d403f2104d5

          SHA256

          1fb7b2bb5a334e83437b60420db6e63970ba404aaea291a7af2dcb064061e262

          SHA512

          363b90205ae882845ff4a0d1253f3fcc8eb3bef5cd8151f943f243685c36d54f179fab4d587e3413688b4304b8270dd5fc04f01634fe34fd8a93f08a94e33ab3

        • C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\_ISMSIDEL.INI

          Filesize

          660B

          MD5

          e6e4a274381c3796b324e2a623e3c05e

          SHA1

          f4eae4ca1ff8f9fddfc38205911466c868ddc568

          SHA256

          8ef487cef512b05eddfab4ffd314e9392db24a853866b9ca213b9702b9e04ca5

          SHA512

          b745bbfa3b64fe8ab275adb80fda0ff1a4b3a8f408f4e668b8240fa56d5764de47f22efe7477a42392f5b10351a3eada8f7b7042578140deff8b920785133671

        • C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\0x0409.ini

          Filesize

          22KB

          MD5

          1196f20ca8bcaa637625e6a061d74c9e

          SHA1

          d0946b58676c9c6e57645dbcffc92c61eca3b274

          SHA256

          cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

          SHA512

          75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

        • C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST

          Filesize

          36KB

          MD5

          be309cfc568c998921ca5a29c8b1d913

          SHA1

          1a146dfeb395ef533e737b123a148d4b1518c2ce

          SHA256

          e9ff0bf5037af12db72a5c882927b60b99207551378987c4b9a7025867a120ee

          SHA512

          44036f0547b71e1ed62b8284f33a38d485188f0076fccff0d4c2a6e06446dacd03bfd8f319c0a2027aafe43b150e2d68c2c9a34c2f79385f69502dd3e805d007

        • C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\_ISMSIDEL.INI

          Filesize

          660B

          MD5

          aee84ed9c421e202c8f630c52aceec2f

          SHA1

          84e7c6e8d275f6571bd711fae21394322e34312d

          SHA256

          5cafa41ab2ae11dd150cc9d01e8b7170d3af1880653571c6859bd879fe82c373

          SHA512

          2a2c8c1f33fbd47ca381df357a65b85b71eeb896cb6117dd3950076989ca39fbaba17e891fcb25a79f8a3967f4de3c5e6d21b05b6f1107f4a213122684911501

        • C:\Users\Admin\AppData\Local\Temp\~D54B.tmp

          Filesize

          5KB

          MD5

          6d3271c739103d849fcceb07a86dbff8

          SHA1

          880e9f0b6373582ed50a0ec42ddfde85463832d2

          SHA256

          34b2395b16519a8ed5a2e782c5e9381b50abb7efcaa3eed874fc48a8ac1b2da9

          SHA512

          6e07eee1ed956e5c12c15df7c0c2913a4852aadce0490d6951a8db45a83061126b78fd69954d085f31c69b676fade58b1a7d49e1fba9bb8d4013e03ed3d24472

        • C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.ba\bg.png

          Filesize

          4KB

          MD5

          9eb0320dfbf2bd541e6a55c01ddc9f20

          SHA1

          eb282a66d29594346531b1ff886d455e1dcd6d99

          SHA256

          9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

          SHA512

          9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

        • C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\dotnet_host_6.0.12_win_x64.msi

          Filesize

          736KB

          MD5

          753735368ed5ab04df161907268651c5

          SHA1

          e68772a1f4f752a5d11340fb9724643f764ef06c

          SHA256

          26a5442a404027b6cacf87381d2f7219f9c8c05f8ea380000d27290bd79c2cfc

          SHA512

          3746c4801fb9e6b3fa2e0f3245756bdf7a725bb64c53539b25ab133b959a9318d92151157f2a09bf06b9618ebd66e1bf3b15e53173d9ce10b77c17ca3db012e9

        • C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\dotnet_hostfxr_6.0.12_win_x64.msi

          Filesize

          804KB

          MD5

          288f19e824eafccf3654eeebf69c03f1

          SHA1

          14d49baab39001a3459be19f9e760e467b39c90d

          SHA256

          264d63dcaa7052dcf9539fedc99f5a56da6234e3a69433a6cdeaa50cfc143e8f

          SHA512

          3ca3f18db329164f46aab9b8228dc5e79ded4fce571b848556fccc28970829ffb38070daf593c617ba2acdff859f48fc49ccaf77d052f76004cba200f5b2735c

        • C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\dotnet_runtime_6.0.12_win_x64.msi

          Filesize

          25.6MB

          MD5

          ed04f657c593c878184f2cacd259d89d

          SHA1

          b3b9ef6c6a7d7b26e1db8a25c9cfca801b4510e2

          SHA256

          c271c90769d282c35da7496b217d8c1b7e1f110f98c910263fd0a511f06b7b6c

          SHA512

          e5540046b4fad6b2848a8a5ec895e1482d1b185ff580e086f998217c4f1af8e101c66724c35f1149014e4bd3037814ebc0f9246f943f129df3f65bb401a9c5aa

        • C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\windowsdesktop_runtime_6.0.12_win_x64.msi

          Filesize

          28.6MB

          MD5

          224844b83b90ae86a10a48240d7b410a

          SHA1

          9c773d4a08542284ea3c1fa923ecb0509dd69279

          SHA256

          c610983fcb3e7d6ba33c5882da3e3b95d13a18c0a974421a67cdf54430c4546e

          SHA512

          ae7c109331b758b48df9b7b3958762da7a6412b6f1483fba18cc01832f053c1a39ccd91fdaa217f0b9e15716d1f2ec5798815ebfdfa00d8d3147a6827d8af603

        • C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.ba\logo.png

          Filesize

          1KB

          MD5

          d6bd210f227442b3362493d046cea233

          SHA1

          ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

          SHA256

          335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

          SHA512

          464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

        • C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

          Filesize

          5.4MB

          MD5

          46efc5476e6d948067b9ba2e822fd300

          SHA1

          d17c2bf232f308e53544b2a773e646d4b35e3171

          SHA256

          2de285c0fc328d30501cad8aa66a0ca9556ad5e30d03b198ebdbc422347db138

          SHA512

          58c9b43b0f93da00166f53fda324fcf78fb1696411e3c453b66e72143e774f68d377a0368b586fb3f3133db7775eb9ab7e109f89bb3c5e21ddd0b13eaa7bd64c

        • C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\cab5046A8AB272BF37297BB7928664C9503

          Filesize

          935KB

          MD5

          c2df6cb9082ac285f6acfe56e3a4430a

          SHA1

          591e03bf436d448296798a4d80f6a39a00502595

          SHA256

          b8b4732a600b741e824ab749321e029a07390aa730ec59401964b38105d5fa11

          SHA512

          9f21b621fc871dd72de0c518174d1cbe41c8c93527269c3765b65edee870a8945ecc2700d49f5da8f6fab0aa3e4c2db422b505ffcbcb2c5a1ddf4b9cec0e8e13

        • C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\vcRuntimeAdditional_x64

          Filesize

          188KB

          MD5

          dd070483eda0af71a2e52b65867d7f5d

          SHA1

          2b182fc81d19ae8808e5b37d8e19c4dafeec8106

          SHA256

          1c450cacdbf38527c27eb2107a674cd9da30aaf93a36be3c5729293f6f586e07

          SHA512

          69e16ee172d923173e874b12037629201017698997e8ae7a6696aab1ad3222ae2359f90dea73a7487ca9ff6b7c01dc6c4c98b0153b6f1ada8b59d2cec029ec1a

        • C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\vcRuntimeMinimum_x64

          Filesize

          188KB

          MD5

          a4075b745d8e506c48581c4a99ec78aa

          SHA1

          389e8b1dbeebdff749834b63ae06644c30feac84

          SHA256

          ee130110a29393dcbc7be1f26106d68b629afd2544b91e6caf3a50069a979b93

          SHA512

          0b980f397972bfc55e30c06e6e98e07b474e963832b76cdb48717e6772d0348f99c79d91ea0b4944fe0181ad5d6701d9527e2ee62c14123f1f232c1da977cada

        • C:\Windows\WindowsUpdate.log

          Filesize

          16KB

          MD5

          f0013f01ea6f7a727597a6e3895ff371

          SHA1

          8db01687cddfd01b25c9fd4c200b8d0dca7413c8

          SHA256

          3e6ad41f21175c11c9375ec3d9a79a12a9eed043673b28aea43cfe41e493db6f

          SHA512

          9b6acc6c4e5c679b4ae1ac070f42587f778e5b57f5e70d1020a5effa949a8d88e3ab728bbbf2da0b4ea38380c65ab62148df6641d94e73f10a1cbda5a62356c6

        • \Program Files\dotnet\dotnet.exe

          Filesize

          133KB

          MD5

          3aff413d3c0a1615d2c1badb538544f9

          SHA1

          504e19e5e2b6a2d7e8e62b7eb5cd65551c2eb071

          SHA256

          2d38778abe2ada4ff1acc0cc4a93261fd059888b19c49afa53be6a0a2fff2b24

          SHA512

          6567aaa771d322dfba29bb8e472872c0eec210faf846f988003775045b47461222e10401babb0027758ae1ea5459963b7e089196d9781732dac38379936eb953

        • \Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe

          Filesize

          24.2MB

          MD5

          077f0abdc2a3881d5c6c774af821f787

          SHA1

          c483f66c48ba83e99c764d957729789317b09c6b

          SHA256

          917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888

          SHA512

          70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

        • \Windows\Installer\MSI48A7.tmp

          Filesize

          225KB

          MD5

          d711da8a6487aea301e05003f327879f

          SHA1

          548d3779ed3ab7309328f174bfb18d7768d27747

          SHA256

          3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

          SHA512

          c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

        • \Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.ba\wixstdba.dll

          Filesize

          197KB

          MD5

          4356ee50f0b1a878e270614780ddf095

          SHA1

          b5c0915f023b2e4ed3e122322abc40c4437909af

          SHA256

          41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

          SHA512

          b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

        • \Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.ba\wixstdba.dll

          Filesize

          191KB

          MD5

          eab9caf4277829abdf6223ec1efa0edd

          SHA1

          74862ecf349a9bedd32699f2a7a4e00b4727543d

          SHA256

          a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

          SHA512

          45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

        • \Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe

          Filesize

          610KB

          MD5

          29fbc5cabda5a2afdc4ca20e78e7f61a

          SHA1

          535dba4d2ebb82f0dd217f4876d25e6430146645

          SHA256

          aff17ea5884da8f7e7d10f9fd6a6e4e8d43b9e34d28df55f08328e0d84a7ecf7

          SHA512

          4ddb847a9747f857ad37216e42224320003e99f73929c617c6946d2352e6fe8528faf225d1be3bd650f7ac533246a8303a48628a0de689f3b273955cf9fcbab2

        • \Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe

          Filesize

          635KB

          MD5

          35e545dac78234e4040a99cbb53000ac

          SHA1

          ae674cc167601bd94e12d7ae190156e2c8913dc5

          SHA256

          9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

          SHA512

          bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

        • memory/616-1234-0x0000000001220000-0x0000000001297000-memory.dmp

          Filesize

          476KB

        • memory/1012-1196-0x0000000001220000-0x0000000001297000-memory.dmp

          Filesize

          476KB

        • memory/2628-1233-0x0000000001220000-0x0000000001297000-memory.dmp

          Filesize

          476KB
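The dropped-file list above mixes payload binaries the installer extracted (the Burn bootstrapper stubs, the .NET and VC++ MSI packages, dotnet.exe, wixstdba.dll) with per-run byproducts: C:\Config.Msi\*.rbs rollback scripts, installer .log files, CabXXXX.tmp / MSIXXXX.tmp scratch files and Package Cache state.rsm. Only the former are worth carrying into a hash-based sweep; the latter are regenerated on every install and will never match on another host. The script below is example code added to this page, not part of the sandbox: it parses the entry layout used above into a hash table, length-checks each digest, filters out the transient artefacts and sweeps a directory tree for SHA-256 matches. SAMPLE is a constructed excerpt of three entries from the list above, and TRANSIENT_EXT is this example's own assumption about which extensions to discard.

```python
"""Build a hash IoC table from the dropped-file list above, drop per-run
installer byproducts, and sweep a directory tree for matches.  Example code
added to this page, not part of the sandbox; SAMPLE is a constructed excerpt
of the report's own entries and TRANSIENT_EXT is this example's assumption."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

SAMPLE = r"""
• C:\Config.Msi\f7742fd.rbs
  Filesize
  55KB
  MD5
  a89c5b303d8c8b36945783f81f7cce7b
  SHA1
  4743ed35c4b53d8a43beef277e3ecf91ec46b88c
  SHA256
  16e9a94323e07c2fd7a706fa56e1ac5544cf9c1411edfb330806ab1558ae2bc7
• \Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
  Filesize
  610KB
  MD5
  29fbc5cabda5a2afdc4ca20e78e7f61a
  SHA1
  535dba4d2ebb82f0dd217f4876d25e6430146645
  SHA256
  aff17ea5884da8f7e7d10f9fd6a6e4e8d43b9e34d28df55f08328e0d84a7ecf7
• memory/616-1234-0x0000000001220000-0x0000000001297000-memory.dmp
  Filesize
  476KB
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: MSI rollback scripts, installer logs, scratch files, INI and Burn
# state files are regenerated on every run, so their hashes never recur elsewhere.
TRANSIENT_EXT = {".rbs", ".log", ".tmp", ".rsm", ".ini"}


@dataclass(frozen=True)
class DroppedFile:
    path: str
    size: str
    digests: dict  # algorithm name -> lowercase hex


def parse_dropped(text):
    """Entries are '• <path>' followed by label/value line pairs.  Memory dumps
    carry no digest and are skipped; digests are length-checked so a truncated
    copy-paste does not silently become an IoC that can never match."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out, i = [], 0
    while i < len(lines):
        path, fields, j = lines[i][2:], {}, i + 1
        while j + 1 < len(lines) and not lines[j].startswith("• "):
            fields[lines[j]] = lines[j + 1]
            j += 2
        i = j
        digests = {}
        for name, n in DIGEST_LEN.items():
            if name in fields:
                d = fields[name].lower()
                if len(d) != n or not re.fullmatch(r"[0-9a-f]+", d):
                    raise ValueError(f"{path}: malformed {name} digest {d!r}")
                digests[name] = d
        if "SHA256" in digests:
            out.append(DroppedFile(path, fields.get("Filesize", "?"), digests))
    return out


def reusable_iocs(files):
    """Drop artefacts whose content is regenerated on every installation run."""
    ext = lambda p: os.path.splitext(p.replace("\\", "/").rsplit("/", 1)[-1])[1].lower()
    return [f for f in files if ext(f.path) not in TRANSIENT_EXT]


def sweep(root, iocs):
    """Hash every file under root in 1 MiB chunks; return (local path, reported path)."""
    by_sha = {f.digests["SHA256"]: f.path for f in iocs}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full, h = os.path.join(dirpath, name), hashlib.sha256()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(1 << 20), b""):
                    h.update(block)
            if h.hexdigest() in by_sha:
                hits.append((full, by_sha[h.hexdigest()]))
    return hits


def demo_sweep():
    """Constructed end-to-end check: plant a fake artefact, register its digest
    as an IoC, and confirm the sweep finds that file and nothing else."""
    payload = b"constructed sample payload, not a real dropped file\n"
    ioc = DroppedFile(r"C:\example\artefact.bin", "52B",
                      {"SHA256": hashlib.sha256(payload).hexdigest()})
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "sub", "artefact.bin"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"unrelated content\n")
        return [(os.path.basename(p), src) for p, src in sweep(tmp, [ioc])]
```

Before reusing any of the remaining hashes as detection content, note that the installer payloads here are vendor redistributables: a hit on the .NET runtime MSI or VC_redist.x64.exe on a host only tells you that this version of those components was installed, not that this particular installer put them there.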