Analysis
max time kernel: 89s
max time network: 106s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:32

Static task: static1
Behavioral task: behavioral1
  Sample: VOCALOID6_Editor_6.3.0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: VOCALOID6_Editor_6.3.0.exe
  Resource: win10v2004-20241007-en
Errors
General
Target: VOCALOID6_Editor_6.3.0.exe
Size: 656.0MB
MD5: 8566aa91af78b2cbe90972b1e2fd1701
SHA1: c71bda0fd7403fb9efc07cfd5f33beb5ede82e7a
SHA256: cb54085178b9605c8135604001e19adeae487d6a1a837dc71c39239ed012613f
SHA512: 46de2116a5702f86d5269ba3eb6b903821e16c6b14cdc4a0c80e936d5d1d93e3322c099a99d0abbb23f3c135d381fd5fee1bd4060c590b9d4c0f44992f6a3a41
SSDEEP: 12582912:MuYh59VFizqPYC921Q2TB+UubKneKK4hirXbwmYUdaAIiqsYFWpjKjOvBzN1:zYh59VSqPkG2N+Uo46MdF4jk81
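Before relying on this report for a file you hold locally, confirm it is the same sample. The following is an added example, not code from the sandbox or from the report; it streams the file once and computes all four listed digests in that single pass (the sample is 656 MB, so one pass rather than four is the point). SSDEEP is not in the Python standard library and is deliberately not computed here.

```python
"""Check a local copy of the sample against the digests in the report.

Added example, not part of the sandbox report or of any vendor code.
All four digests are computed in a single streaming pass. SSDEEP is not
in the standard library and is not computed here.
"""
import hashlib
from typing import Dict, Iterable

# Digest values copied from the report's General section.
REPORTED: Dict[str, str] = {
    "md5": "8566aa91af78b2cbe90972b1e2fd1701",
    "sha1": "c71bda0fd7403fb9efc07cfd5f33beb5ede82e7a",
    "sha256": "cb54085178b9605c8135604001e19adeae487d6a1a837dc71c39239ed012613f",
    "sha512": "46de2116a5702f86d5269ba3eb6b903821e16c6b14cdc4a0c80e936d5d1d93e3"
              "322c099a99d0abbb23f3c135d381fd5fee1bd4060c590b9d4c0f44992f6a3a41",
}


def digest_chunks(chunks: Iterable[bytes], names=tuple(REPORTED)) -> Dict[str, str]:
    """Feed every chunk to every hasher once; return lowercase hex digests."""
    hashers = {name: hashlib.new(name) for name in names}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file of any size with a bounded memory footprint (1 MiB chunks)."""
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""))


def compare_digests(actual: Dict[str, str],
                    expected: Dict[str, str] = REPORTED) -> Dict[str, bool]:
    """Per-algorithm match result; a missing digest counts as a mismatch."""
    return {name: actual.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


def is_reported_sample(path: str) -> bool:
    """True only if every digest listed in the report matches the file at `path`."""
    return all(compare_digests(digest_file(path)).values())


if __name__ == "__main__":
    import sys
    print(compare_digests(digest_file(sys.argv[1])))
```

Usage: `python verify.py VOCALOID6_Editor_6.3.0.exe` prints a per-algorithm match map; a file that matches on MD5 but not on SHA-256 is a different file, whatever its name.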
Malware Config
Signatures
-
Executes dropped EXE 8 IoCs
pid   Process
3048  VOCALOID6_Editor_6.3.0.exe
1032  VOCALOID6_Editor_6.3.0.exe
2676  windowsdesktop-runtime-6.0.12-win-x64.exe
2828  windowsdesktop-runtime-6.0.12-win-x64.exe
2732  windowsdesktop-runtime-6.0.12-win-x64.exe
2164  VC_redist.x64.exe
600   VC_redist.x64.exe
2972  VC_redist.x64.exe
Loads dropped DLL 19 IoCs
pid   Process
1608  VOCALOID6_Editor_6.3.0.exe
2236  MsiExec.exe
2236  MsiExec.exe
1596  VOCALOID6_Editor_6.3.0.exe
1032  VOCALOID6_Editor_6.3.0.exe
2676  windowsdesktop-runtime-6.0.12-win-x64.exe
2828  windowsdesktop-runtime-6.0.12-win-x64.exe
2828  windowsdesktop-runtime-6.0.12-win-x64.exe
2664  MsiExec.exe
1564  MsiExec.exe
1060  msiexec.exe
1060  msiexec.exe
2384  MsiExec.exe
1776  MsiExec.exe
1032  VOCALOID6_Editor_6.3.0.exe
2164  VC_redist.x64.exe
600   VC_redist.x64.exe
600   VC_redist.x64.exe
2628  VC_redist.x64.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{24b99d74-a81e-4765-aefe-be853ac47482} = "\"C:\\ProgramData\\Package Cache\\{24b99d74-a81e-4765-aefe-be853ac47482}\\windowsdesktop-runtime-6.0.12-win-x64.exe\" /burn.runonce" | windowsdesktop-runtime-6.0.12-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VOCALOID6_Editor_6.3.0.exe\"" | VOCALOID6_Editor_6.3.0.exe
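The three RunOnce values above are the part of this report an analyst has to adjudicate: RunOnce is a legitimate persistence location, but both HKLM entries point into C:\ProgramData\Package Cache\ with the /burn.runonce switch (the WiX Burn bootstrapper's resume-after-reboot mechanism), and the HKU entry, named ISSetupPrerequisistes, re-launches the original setup from %TEMP% (InstallShield's prerequisite-reboot resume). The following is an added example, not sandbox or report code: it parses the report's own three rows plus one constructed negative case and applies those two rules. The rule names and the assumption that these two patterns are benign installer behaviour are the author's, not the sandbox's.

```python
"""Triage RunOnce entries from a sandbox "Adds Run key" signature.

Added example; not code from the report or from the sandbox. The first
three sample rows are the report's own IoC rows; the fourth is constructed.
The two "benign installer resume" rules (WiX Burn's /burn.runonce run from
the Package Cache, and InstallShield's ISSetupPrerequisistes value that
re-launches the setup itself) are the author's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{24b99d74-a81e-4765-aefe-be853ac47482} = "\"C:\\ProgramData\\Package Cache\\{24b99d74-a81e-4765-aefe-be853ac47482}\\windowsdesktop-runtime-6.0.12-win-x64.exe\" /burn.runonce" windowsdesktop-runtime-6.0.12-win-x64.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" VC_redist.x64.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VOCALOID6_Editor_6.3.0.exe\"" VOCALOID6_Editor_6.3.0.exe',
    # Constructed negative case, not from the report: a script launched from a roaming profile.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater = "wscript.exe C:\\Users\\Admin\\AppData\\Roaming\\u.vbs" dropper.exe',
]

# Row layout in the report: description, key = "value", writing process.
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<value>.*)" (?P<process>\S+)$')
# Only Run/RunOnce under CurrentVersion are auto-start locations; the report
# may put a space before the value name (see the ISSetupPrerequisistes row).
AUTORUN_RE = re.compile(r'\\CurrentVersion\\(?P<kind>RunOnce|Run)\\ ?(?P<name>[^\\]*)$')


@dataclass
class AutorunHit:
    hive: str      # "HKLM" or "HKU"
    kind: str      # "Run" or "RunOnce"
    name: str      # value name
    exe: str       # program the entry launches
    args: str      # its arguments
    writer: str    # process that set the value
    verdict: str   # "burn-bootstrapper-resume", "installshield-prereq-resume" or "review"


def _unescape(s: str) -> str:
    # The report escapes backslashes and quotes inside values (\\ and \").
    return re.sub(r'\\(.)', r'\1', s)


def _split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ''
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(' ')
    return exe, args.strip()


def classify_autorun(row: str) -> Optional[AutorunHit]:
    m = ROW_RE.match(row)
    if not m:
        return None
    am = AUTORUN_RE.search(m['key'])
    if not am:
        return None
    hive = 'HKLM' if m['key'].startswith('\\REGISTRY\\MACHINE') else 'HKU'
    exe, args = _split_command(_unescape(m['value']))
    writer = m['process']
    if exe.lower().startswith('c:\\programdata\\package cache\\') and args.lower() == '/burn.runonce':
        verdict = 'burn-bootstrapper-resume'    # Burn bundle resuming after a reboot
    elif am['name'] == 'ISSetupPrerequisistes' and exe.lower().endswith('\\' + writer.lower()):
        verdict = 'installshield-prereq-resume'  # setup re-launching itself after a prerequisite
    else:
        verdict = 'review'                       # anything else needs an analyst's eyes
    return AutorunHit(hive, am['kind'], am['name'], exe, args, writer, verdict)


def classify_rows(rows: List[str]) -> List[AutorunHit]:
    return [hit for hit in map(classify_autorun, rows) if hit is not None]


if __name__ == '__main__':
    for hit in classify_rows(SAMPLE_IOCS):
        print(f"{hit.verdict:28} {hit.hive}\\...\\{hit.kind}\\{hit.name} -> {hit.exe} {hit.args}")
```

The two allow-rules are deliberately narrow: the Burn rule requires both the Package Cache path and the exact /burn.runonce switch, and the InstallShield rule requires the value to point back at the very process that wrote it. A RunOnce entry that launches anything else (the constructed wscript.exe row) lands in "review" rather than being explained away.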
Blocklisted process makes network request 4 IoCs
flow  pid   Process
3     2420  MSIEXEC.EXE
5     2420  MSIEXEC.EXE
7     2420  MSIEXEC.EXE
9     2420  MSIEXEC.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: through \??\Z: except C:, D: and F: (23 letters: A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) | MSIEXEC.EXE (23 entries)
File opened (read-only) | the same 23 drive letters | msiexec.exe (23 entries)
Drops file in System32 directory 50 IoCs
description | ioc | Process
All 50 entries are by msiexec.exe. Each of the following 25 DLLs under C:\Windows\system32\ appears once as "File created" and once as "File opened for modification":
concrt140.dll, mfc140.dll, mfc140chs.dll, mfc140cht.dll, mfc140deu.dll, mfc140enu.dll, mfc140esn.dll, mfc140fra.dll, mfc140ita.dll, mfc140jpn.dll, mfc140kor.dll, mfc140rus.dll, mfc140u.dll, mfcm140.dll, mfcm140u.dll, msvcp140.dll, msvcp140_1.dll, msvcp140_2.dll, msvcp140_atomic_wait.dll, msvcp140_codecvt_ids.dll, vcamp140.dll, vccorlib140.dll, vcomp140.dll, vcruntime140.dll, vcruntime140_1.dll
Drops file in Program Files directory 64 IoCs
description | ioc | Process
All 64 entries are "File created" by msiexec.exe under C:\Program Files\dotnet\:
shared\Microsoft.NETCore.App\6.0.12\ (26 files): System.Net.NameResolution.dll, api-ms-win-core-processthreads-l1-1-0.dll, System.IO.FileSystem.Watcher.dll, System.Text.RegularExpressions.dll, System.Security.SecureString.dll, System.Security.Principal.dll, Microsoft.NETCore.App.runtimeconfig.json, System.Threading.dll, System.Private.Xml.dll, System.Diagnostics.Tracing.dll, .version, System.Data.Common.dll, System.Formats.Asn1.dll, System.Xml.Serialization.dll, System.Xml.XDocument.dll, System.Reflection.Extensions.dll, System.Collections.Immutable.dll, System.Web.HttpUtility.dll, System.Net.Mail.dll, Microsoft.VisualBasic.Core.dll, System.IO.Compression.FileSystem.dll, System.Globalization.Calendars.dll, System.Runtime.Serialization.Xml.dll, System.IO.Compression.Brotli.dll, System.IO.Pipes.AccessControl.dll, api-ms-win-crt-stdio-l1-1-0.dll
shared\Microsoft.WindowsDesktop.App\6.0.12\ (7 files): PresentationFramework-SystemCore.dll, UIAutomationClientSideProviders.dll, PresentationFramework.AeroLite.dll, System.Diagnostics.EventLog.dll, Microsoft.WindowsDesktop.App.runtimeconfig.json, vcruntime140_cor3.dll, System.Security.Cryptography.Xml.dll
shared\Microsoft.WindowsDesktop.App\6.0.12\<culture>\ (29 satellite resource assemblies): pl\System.Xaml.resources.dll, ja\System.Windows.Input.Manipulations.resources.dll, pt-BR\PresentationCore.resources.dll, es\UIAutomationTypes.resources.dll, zh-Hant\System.Windows.Controls.Ribbon.resources.dll, es\System.Windows.Controls.Ribbon.resources.dll, cs\WindowsBase.resources.dll, it\System.Xaml.resources.dll, zh-Hans\System.Windows.Input.Manipulations.resources.dll, de\System.Windows.Forms.Design.resources.dll, ru\System.Windows.Input.Manipulations.resources.dll, tr\PresentationFramework.resources.dll, ja\System.Xaml.resources.dll, ja\UIAutomationClient.resources.dll, ru\UIAutomationTypes.resources.dll, it\WindowsFormsIntegration.resources.dll, fr\System.Windows.Forms.resources.dll, zh-Hant\System.Windows.Input.Manipulations.resources.dll, ja\Microsoft.VisualBasic.Forms.resources.dll, zh-Hans\System.Windows.Forms.Primitives.resources.dll, fr\UIAutomationTypes.resources.dll, it\ReachFramework.resources.dll, es\ReachFramework.resources.dll, ru\System.Xaml.resources.dll, pl\System.Windows.Forms.resources.dll, ja\UIAutomationProvider.resources.dll, cs\PresentationFramework.resources.dll, ko\System.Xaml.resources.dll, ja\UIAutomationClientSideProviders.resources.dll
dotnet root (2 files): LICENSE.txt, ThirdPartyNotices.txt
Drops file in Windows directory 49 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\f77430b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5128.tmp | msiexec.exe
File opened for modification | C:\Windows\WindowsUpdate.log | VC_redist.x64.exe
File created | C:\Windows\Installer\f774314.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9939.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4C40.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f774308.ipi | msiexec.exe
File created | C:\Windows\Installer\f77433b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI447F.tmp | msiexec.exe
File created | C:\Windows\Installer\f774308.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5975.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI93F6.tmp | msiexec.exe
File created | C:\Windows\Installer\f7742f9.msi | msiexec.exe
File created | C:\Windows\Installer\f7742ff.msi | msiexec.exe
File created | C:\Windows\Installer\f77430e.ipi | msiexec.exe
File created | C:\Windows\Installer\f774311.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f774311.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f774314.ipi | msiexec.exe
File created | C:\Windows\Installer\f774328.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7742f9.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4CEF.tmp | msiexec.exe
File created | C:\Windows\Installer\f77430b.msi | msiexec.exe
File created | C:\Windows\Installer\f774310.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\f774328.ipi | msiexec.exe
File opened for modification | C:\Windows\WindowsUpdate.log | windowsdesktop-runtime-6.0.12-win-x64.exe
File created | C:\Windows\Installer\f7742fc.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7742fc.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f77430e.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f774325.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI48A7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f774305.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4EF6.tmp | msiexec.exe
File created | C:\Windows\Installer\f77430a.msi | msiexec.exe
File created | C:\Windows\Installer\f774325.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9A63.tmp | msiexec.exe
File opened for modification | C:\Windows\WindowsUpdate.log | VC_redist.x64.exe
File created | C:\Windows\Installer\f7742fe.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7742ff.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f774302.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4E57.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI95FB.tmp | msiexec.exe
File created | C:\Windows\Installer\f774324.msi | msiexec.exe
File created | C:\Windows\Installer\f774302.ipi | msiexec.exe
File created | C:\Windows\Installer\f774304.msi | msiexec.exe
File created | C:\Windows\Installer\f774305.msi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe (6 entries), MsiExec.exe (5), VOCALOID6_Editor_6.3.0.exe (4), windowsdesktop-runtime-6.0.12-win-x64.exe (3)
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\33 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31\52C64B7E | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\33 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32 | msiexec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
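The one binary value in the section above, LanguageList, is shown by the sandbox as raw hex. It is a REG_MULTI_SZ (UTF-16LE strings, each NUL-terminated, list ended by a second NUL), and decoding it is what turns the row into a fact worth recording alongside the "System Language Discovery" signature. The decoder below is an added example, not code from the report or the sandbox; the sample row is the report's own LanguageList row and the REG_MULTI_SZ layout is the only assumption.

```python
"""Decode a REG_MULTI_SZ payload reported as hex under "Set value (data)".

Added example, not part of the report. The sample row is the LanguageList
entry from the "Modifies data under HKEY_USERS" section; the UTF-16LE,
NUL-separated, double-NUL-terminated layout is the standard REG_MULTI_SZ
encoding and the only assumption made here.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_ROW = (r'Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings'
              r'\MuiCache\31\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe')

# Row layout in the report: description, key = <hex bytes>, writing process.
DATA_ROW_RE = re.compile(r'^Set value \(data\) (?P<key>.+?) = (?P<hex>[0-9A-Fa-f]+) (?P<process>\S+)$')


def decode_multi_sz(blob: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob into its strings; trailing NULs end the list."""
    if len(blob) % 2:
        raise ValueError("REG_MULTI_SZ data is UTF-16LE and must have an even length")
    text = blob.decode('utf-16-le').rstrip('\x00')
    return text.split('\x00') if text else []


def decode_data_row(row: str) -> Optional[Tuple[str, List[str], str]]:
    """Return (value name, decoded strings, writing process) for one report row."""
    m = DATA_ROW_RE.match(row)
    if not m:
        return None
    name = m['key'].rsplit('\\', 1)[-1]
    return name, decode_multi_sz(bytes.fromhex(m['hex'])), m['process']


if __name__ == '__main__':
    print(decode_data_row(SAMPLE_ROW))
```

For this report the payload decodes to ["en-US", "en"], which is consistent with the locale:en-us tag of the analysis image: the value records the sandbox's own UI language, not something the sample chose.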
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.51.51943_x64\ = "{0712F23C-FBAC-436C-9DDB-125F32D15033}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\57551FB77DE5D216E4457A8034D0EF38\C32F2170CABFC634D9BD21F5231D0533 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.51.52100_x64\Version = "48.51.52100" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\ProductName = "Microsoft .NET Host - 6.0.12 (x64)" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\Assignment = "1" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{0025DD72-A959-45B5-A0A3-7EFEB15A8050}" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3A
E7EF1BA50805 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.51.51943_x64 | windowsdesktop-runtime-6.0.12-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959\E9AA512E2FD5CB44D9F61E1A0B3C84BF | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\PackageCode = "901C43977048E1D48B1CB3E9E488E16D" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24b99d74-a81e-4765-aefe-be853ac47482}\Dependents | windowsdesktop-runtime-6.0.12-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\PackageCode = "4636416B02CCB1B408C62C5F856366FD" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Provider | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24b99d74-a81e-4765-aefe-be853ac47482}\Dependents\{24b99d74-a81e-4765-aefe-be853ac47482} | windowsdesktop-runtime-6.0.12-win-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\ = "{8bdfe669-9705-4184-9368-db9ce581e0e7}" | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\SourceList\Net | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\676627E34F5BAD849B9F871AB5F7A807\Provider | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents | windowsdesktop-runtime-6.0.12-win-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\676627E34F5BAD849B9F871AB5F7A807 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Version = "14.36.32532.0" | VC_redist.x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24b99d74-a81e-4765-aefe-be853ac47482}\Version = "6.0.12.31928" | windowsdesktop-runtime-6.0.12-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{3E726676-B5F4-48DA-B9F9-78A15B7F8A70}v48.51.52100\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2A1D5C7710A520B4CF71F18CEA425338\1CD76FB15BB85FA4EB02B3359D35D210 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Servicing_Key | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Net | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Version = "237272852" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\SourceList\Net\1 = "C:\\ProgramData\\Package
Cache\\{E215AA9E-5DF2-44BC-9D6F-E1A1B0C348FB}v48.51.51943\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.51.52100_x64 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\ProductName = "Microsoft Windows Desktop Runtime - 6.0.12 (x64)" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EA0C5AE0E23539C708618982000C701F msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\PackageName = "vc_runtimeAdditional_x64.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.51.52100_x64\ = "{3E726676-B5F4-48DA-B9F9-78A15B7F8A70}" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.51.51943_x64\DisplayName = "Microsoft .NET Host FX Resolver - 6.0.12 (x64)" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\InstanceType = "0" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process: 2420 MSIEXEC.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608 -
[depth 2] C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
Command line: C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}" /IS_temp
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
[depth 3] C:\Windows\system32\MSIEXEC.EXE
Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6 Editor.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="VOCALOID6_Editor_6.3.0.exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{4FE1C2E5-333E-4ADF-8ABE-CCC837BE1F7F}"
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420
[depth 1] C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060 -
[depth 2] C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5CD0C98CE174D700B624813403FCB686 C
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
[depth 3] C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /embed"{AC2262B2-A183-4D3A-9348-FBCB66D8277B}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST\""
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596 -
[depth 4] C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
Command line: C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}" /embed"{AC2262B2-A183-4D3A-9348-FBCB66D8277B}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST\"" /eprq /IS_temp
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032 -
[depth 5] C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe" /install /quiet /norestart
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
[depth 6] C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
Command line: "C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
[depth 7] C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
Command line: "C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe" -q -burn.elevated BurnPipe.{9DE61085-9164-4089-ADA7-2BD9032F2970} {AA920AA7-FBA4-451D-B3DF-4184AC7527BC} 2828
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2732
[depth 5] C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" /q /norestart
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2164 -
[depth 6] C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe
Command line: "C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /q /norestart
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:600 -
[depth 7] C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe
Command line: "C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{BBC55D80-AA8A-4E96-A956-470955167216} {6197D4DD-D3B3-4315-8255-3A5B32E04AA7} 600
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2972 -
[depth 8] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=500 -burn.embedded BurnPipe.{89B46264-6278-429C-8709-987856F05E48} {85D40D3D-EC48-4152-A2E3-EF16B9F4B4D3} 2972
- System Location Discovery: System Language Discovery
PID:616 -
[depth 9] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=500 -burn.embedded BurnPipe.{89B46264-6278-429C-8709-987856F05E48} {85D40D3D-EC48-4152-A2E3-EF16B9F4B4D3} 2972
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2628 -
[depth 10] C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{86ED072D-D3A0-4C34-8430-ECB9921F2440} {358C7505-7957-4784-8734-A0F635FFB668} 2628
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1012
[depth 2] C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F85600F44627DB0E3133CFBB87880117
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2664
[depth 2] C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1DDD5DCBAA4A03803F5D46F46939FA7
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1564
[depth 2] C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C15E0F71540CFB2458D0C1DE20FC15DC
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2384
[depth 2] C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1C710EC45715C5285F974A13A7AB81B2
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1776
[depth 1] C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID:1584
[depth 1] C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004BC" "00000000000005E0"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2744
[depth 1] C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x0
PID:1908
[depth 1] C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x1
PID:1944
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_000_dotnet_runtime_6.0.12_win_x64.msi.log
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_001_dotnet_hostfxr_6.0.12_win_x64.msi.log
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_002_dotnet_host_6.0.12_win_x64.msi.log
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.12_(x64)_20241109213527_003_windowsdesktop_runtime_6.0.12_win_x64.msi.log
-
Filesize
188KB
MD5a4075b745d8e506c48581c4a99ec78aa
SHA1389e8b1dbeebdff749834b63ae06644c30feac84
SHA256ee130110a29393dcbc7be1f26106d68b629afd2544b91e6caf3a50069a979b93
SHA5120b980f397972bfc55e30c06e6e98e07b474e963832b76cdb48717e6772d0348f99c79d91ea0b4944fe0181ad5d6701d9527e2ee62c14123f1f232c1da977cada
-
Filesize
16KB
MD5f0013f01ea6f7a727597a6e3895ff371
SHA18db01687cddfd01b25c9fd4c200b8d0dca7413c8
SHA2563e6ad41f21175c11c9375ec3d9a79a12a9eed043673b28aea43cfe41e493db6f
SHA5129b6acc6c4e5c679b4ae1ac070f42587f778e5b57f5e70d1020a5effa949a8d88e3ab728bbbf2da0b4ea38380c65ab62148df6641d94e73f10a1cbda5a62356c6
-
Filesize
133KB
MD53aff413d3c0a1615d2c1badb538544f9
SHA1504e19e5e2b6a2d7e8e62b7eb5cd65551c2eb071
SHA2562d38778abe2ada4ff1acc0cc4a93261fd059888b19c49afa53be6a0a2fff2b24
SHA5126567aaa771d322dfba29bb8e472872c0eec210faf846f988003775045b47461222e10401babb0027758ae1ea5459963b7e089196d9781732dac38379936eb953
-
\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
Filesize24.2MB
MD5077f0abdc2a3881d5c6c774af821f787
SHA1c483f66c48ba83e99c764d957729789317b09c6b
SHA256917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
SHA51270a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939
-
Filesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
Filesize
197KB
MD54356ee50f0b1a878e270614780ddf095
SHA1b5c0915f023b2e4ed3e122322abc40c4437909af
SHA25641a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
610KB
MD529fbc5cabda5a2afdc4ca20e78e7f61a
SHA1535dba4d2ebb82f0dd217f4876d25e6430146645
SHA256aff17ea5884da8f7e7d10f9fd6a6e4e8d43b9e34d28df55f08328e0d84a7ecf7
SHA5124ddb847a9747f857ad37216e42224320003e99f73929c617c6946d2352e6fe8528faf225d1be3bd650f7ac533246a8303a48628a0de689f3b273955cf9fcbab2
-
Filesize
635KB
MD535e545dac78234e4040a99cbb53000ac
SHA1ae674cc167601bd94e12d7ae190156e2c8913dc5
SHA2569a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
SHA512bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3
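The dropped-file listing above is only useful if it can be turned into something a triage workflow can match against. The following is an added example, not part of the sandbox report or of any tooling the page describes: a small parser for this label-per-line layout (tolerating the fused "Filesize24.2MB" / "MD5..." lines that extraction sometimes produces), plus a matcher that hashes a candidate file with all four digests and reports not just hits but disagreements between digests, which is how a mistranscribed hash in an IOC list shows up. The function and class names (`parse_listing`, `match_file`, `DroppedFile`) are the example's own; `SAMPLE_LISTING` is constructed from two entries copied from this page.

```python
"""Parse a flattened sandbox dropped-file hash listing and match files against it.

Added example, not part of the sandbox report. Entry layout, as on the page:
an optional path line, then "Filesize"/value and "MD5"/"SHA1"/"SHA256"/"SHA512"
label-value pairs, either on separate lines or fused ("MD5abcd..."), with a
lone "-" line between entries.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DIGESTS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")

# Constructed sample: two entries copied from the page, the second kept in the
# fused form exactly as the extraction produced it.
SAMPLE_LISTING = r"""
-
Filesize
133KB
MD5
3aff413d3c0a1615d2c1badb538544f9
SHA1
504e19e5e2b6a2d7e8e62b7eb5cd65551c2eb071
SHA256
2d38778abe2ada4ff1acc0cc4a93261fd059888b19c49afa53be6a0a2fff2b24
SHA512
6567aaa771d322dfba29bb8e472872c0eec210faf846f988003775045b47461222e10401babb0027758ae1ea5459963b7e089196d9781732dac38379936eb953
-
\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
Filesize24.2MB
MD5077f0abdc2a3881d5c6c774af821f787
SHA1c483f66c48ba83e99c764d957729789317b09c6b
SHA256917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
SHA51270a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939
"""


@dataclass
class DroppedFile:
    path: Optional[str]          # None when the report gave no path for the entry
    size: str                    # as printed by the report, e.g. "24.2MB"
    hashes: Dict[str, str] = field(default_factory=dict)   # label -> lowercase hex


def parse_listing(text: str) -> List[DroppedFile]:
    """Split on '-' separator lines and read label/value pairs into records.

    Hex values are length- and charset-checked so a truncated or garbled
    hash is rejected at parse time instead of silently never matching."""
    records: List[DroppedFile] = []
    for chunk in re.split(r"(?m)^-\s*$", text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        path: Optional[str] = None
        size: Optional[str] = None
        hashes: Dict[str, str] = {}
        i = 0
        # A leading non-label line containing a path separator is the file path.
        if not LABEL_RE.match(lines[0]) and ("\\" in lines[0] or "/" in lines[0]):
            path, i = lines[0], 1
        while i < len(lines):
            m = LABEL_RE.match(lines[i])
            if not m:
                raise ValueError(f"unexpected line in listing: {lines[i]!r}")
            label, value = m.group(1), m.group(2).strip()
            i += 1
            if not value:                      # label and value on separate lines
                if i >= len(lines):
                    raise ValueError(f"missing value for {label}")
                value, i = lines[i], i + 1
            if label == "Filesize":
                size = value
            else:
                value = value.lower()
                if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[label], value):
                    raise ValueError(f"{label} value malformed: {value!r}")
                hashes[label] = value
        if size is None or not hashes:
            raise ValueError("entry without size or hashes")
        records.append(DroppedFile(path, size, hashes))
    return records


def digests_of(data: bytes) -> Dict[str, str]:
    """All four digests the report lists, so every listed value can be checked."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_file(data: bytes, records: List[DroppedFile]
               ) -> Optional[Tuple[DroppedFile, List[str], List[str]]]:
    """Return (record, agreeing digests, disagreeing digests) for the record that
    shares the most digests with `data`, or None if nothing agrees at all.

    A non-empty disagreement list means the listing and the file cannot both be
    right for that digest: a transcription error in the IOC list, or (for MD5 or
    SHA1 alone) a collision. Treat such a hit as suspicious, not as confirmed."""
    actual = digests_of(data)
    best = None
    for rec in records:
        agree = [d for d in DIGESTS if d in rec.hashes and rec.hashes[d] == actual[d]]
        disagree = [d for d in DIGESTS if d in rec.hashes and rec.hashes[d] != actual[d]]
        if agree and (best is None or len(agree) > len(best[1])):
            best = (rec, agree, disagree)
    return best


if __name__ == "__main__":
    import sys
    recs = parse_listing(SAMPLE_LISTING)
    for p in sys.argv[1:]:
        with open(p, "rb") as f:
            hit = match_file(f.read(), recs)
        if hit is None:
            print(p, "no match")
        else:
            print(p, "matches", hit[0].path or hit[0].size, "on", hit[1], "disagree:", hit[2])
```

Run it with one or more file paths as arguments to check them against the embedded sample entries; to use the full listing from the page, paste it into `SAMPLE_LISTING` or read it from a file. The design choice worth noting is that a hit is reported only with the digests that disagreed alongside it: a listing that matches a file on MD5 and SHA1 but not on SHA256 is a data-quality problem in the IOC source, and silently accepting the first matching digest would hide it.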