Analysis
max time kernel: 113s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: VOCALOID6_Editor_6.3.0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: VOCALOID6_Editor_6.3.0.exe
  Resource: win10v2004-20241007-en
General
Target: VOCALOID6_Editor_6.3.0.exe
Size: 656.0MB
MD5: 8566aa91af78b2cbe90972b1e2fd1701
SHA1: c71bda0fd7403fb9efc07cfd5f33beb5ede82e7a
SHA256: cb54085178b9605c8135604001e19adeae487d6a1a837dc71c39239ed012613f
SHA512: 46de2116a5702f86d5269ba3eb6b903821e16c6b14cdc4a0c80e936d5d1d93e3322c099a99d0abbb23f3c135d381fd5fee1bd4060c590b9d4c0f44992f6a3a41
SSDEEP: 12582912:MuYh59VFizqPYC921Q2TB+UubKneKK4hirXbwmYUdaAIiqsYFWpjKjOvBzN1:zYh59VSqPkG2N+Uo46MdF4jk81
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | VOCALOID6_Editor_6.3.0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | VC_redist.x64.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (17 IoCs)
pid | Process
3124 | VOCALOID6_Editor_6.3.0.exe
4268 | VOCALOID6_Editor_6.3.0.exe
224 | VC_redist.x64.exe
3924 | VC_redist.x64.exe
3684 | VC_redist.x64.exe
2756 | wacE58A.tmp
3696 | wacE58A.tmp
1584 | _is4FDD.exe
4792 | _is4FDD.exe
720 | _is4FDD.exe
4912 | _is4FDD.exe
3940 | _is4FDD.exe
4368 | _is4FDD.exe
2984 | _is4FDD.exe
1908 | _is4FDD.exe
4532 | _is4FDD.exe
952 | _is4FDD.exe
Loads dropped DLL (12 IoCs)
pid | Process
4264 | MsiExec.exe
4264 | MsiExec.exe
3924 | VC_redist.x64.exe
2744 | MsiExec.exe
5100 | MsiExec.exe
5100 | MsiExec.exe
3696 | wacE58A.tmp
2744 | MsiExec.exe
2744 | MsiExec.exe
2744 | MsiExec.exe
2744 | MsiExec.exe
2744 | MsiExec.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ISSetupPrerequisistes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VOCALOID6_Editor_6.3.0.exe\"" | VOCALOID6_Editor_6.3.0.exe
Blocklisted process makes network request (4 IoCs)
flow | pid | Process
19 | 4108 | MSIEXEC.EXE
21 | 4108 | MSIEXEC.EXE
23 | 4108 | MSIEXEC.EXE
57 | 2744 | MsiExec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (21 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\e58c532.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{77F28B29-873E-4CCF-8D6E-0ABD971EC467} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE4ED.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\ARPPRODUCTICON.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\_93931A50_8680_48E0_883A_3562CB1329BE | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5C73.tmp | msiexec.exe
File created | C:\Windows\Installer\e58c52f.msi | msiexec.exe
File created | C:\Windows\Installer\e58c530.mst | msiexec.exe
File opened for modification | C:\Windows\Installer\e58c530.mst | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI48E9.tmp | msiexec.exe
File created | C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\ARPPRODUCTICON.exe | msiexec.exe
File created | C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\_93931A50_8680_48E0_883A_3562CB1329BE | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI21B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4E97.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e58c52f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE01A.tmp | msiexec.exe
File created | C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\1033.MST | msiexec.exe
File opened for modification | C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\1033.MST | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VOCALOID6_Editor_6.3.0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VOCALOID6_Editor_6.3.0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VOCALOID6_Editor_6.3.0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VOCALOID6_Editor_6.3.0.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class (49 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr\VOCALOID6.vpr\ShellNew | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController\ = "Yamaha.VOCALOID.VST.VSTPluginController" | wacE58A.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController\CLSID\ = "{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}" | wacE58A.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3333F4827406A2540A767577CF322B53 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3333F4827406A2540A767577CF322B53\92B82F77E378FCC4D8E6A0DB79E14C76 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open\command\ = "\"C:\\Program Files\\VOCALOID6\\Editor\\VOCALOID6.exe\" \"%1\"" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Media\1 = "DISK1;1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\ProgID\ = "Yamaha.VOCALOID.VST.VSTPluginController" | wacE58A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Version = "100859904" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController\CLSID | wacE58A.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\92B82F77E378FCC4D8E6A0DB79E14C76 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\92B82F77E378FCC4D8E6A0DB79E14C76\Editor | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open\command | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\DefaultIcon | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController | wacE58A.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\InProcServer32 | wacE58A.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Transforms = "C:\\Windows\\Installer\\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\\1033.MST" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\InProcServer32\ThreadingModel = "Both" | wacE58A.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\ProgID | wacE58A.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\ProductName = "VOCALOID6 Editor" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\ = "Open" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003} | wacE58A.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\ProductIcon = "C:\\Windows\\Installer\\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\\ARPPRODUCTICON.exe" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr\VOCALOID6.vpr | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\InProcServer32\ = "C:\\Program Files\\VOCALOID6\\Editor\\VOCALOID6Plugin.comhost.dll" | wacE58A.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\AuthorizedLUAApp = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open\command\command = 470061006f0056004e006000510048006300400041006100480069006500600072006a00450049003e002e00640035004a0026006800530068004a003f006200560077005000430049005000470073006e002000220025003100220000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr\ = "VOCALOID6.vpr" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Language = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\PackageName = "VOCALOID6 Editor.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\DefaultIcon\ = "C:\\Windows\\Installer\\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\\_93931A50_8680_48E0_883A_3562CB1329BE,0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\ = "CoreCLR COMHost Server" | wacE58A.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\PackageCode = "C089FDFCAEA1D364B9CDF042A688EC5D" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2068 | msiexec.exe
2068 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4108 | MSIEXEC.EXE
4108 | MSIEXEC.EXE
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
1384 | VOCALOID6_Editor_6.3.0.exe
4268 | VOCALOID6_Editor_6.3.0.exe
224 | VC_redist.x64.exe
3924 | VC_redist.x64.exe
3684 | VC_redist.x64.exe
Suspicious use of WriteProcessMemory (59 IoCs)
description pid Process procid_target PID 1676 wrote to memory of 3124 1676 VOCALOID6_Editor_6.3.0.exe 89 PID 1676 wrote to memory of 3124 1676 VOCALOID6_Editor_6.3.0.exe 89 PID 1676 wrote to memory of 3124 1676 VOCALOID6_Editor_6.3.0.exe 89 PID 3124 wrote to memory of 4108 3124 VOCALOID6_Editor_6.3.0.exe 99 PID 3124 wrote to memory of 4108 3124 VOCALOID6_Editor_6.3.0.exe 99 PID 2068 wrote to memory of 4264 2068 msiexec.exe 105 PID 2068 wrote to memory of 4264 2068 msiexec.exe 105 PID 2068 wrote to memory of 4264 2068 msiexec.exe 105 PID 4264 wrote to memory of 1384 4264 MsiExec.exe 109 PID 4264 wrote to memory of 1384 4264 MsiExec.exe 109 PID 4264 wrote to memory of 1384 4264 MsiExec.exe 109 PID 1384 wrote to memory of 4268 1384 VOCALOID6_Editor_6.3.0.exe 110 PID 1384 wrote to memory of 4268 1384 VOCALOID6_Editor_6.3.0.exe 110 PID 1384 wrote to memory of 4268 1384 VOCALOID6_Editor_6.3.0.exe 110 PID 4268 wrote to memory of 224 4268 VOCALOID6_Editor_6.3.0.exe 111 PID 4268 wrote to memory of 224 4268 VOCALOID6_Editor_6.3.0.exe 111 PID 4268 wrote to memory of 224 4268 VOCALOID6_Editor_6.3.0.exe 111 PID 224 wrote to memory of 3924 224 VC_redist.x64.exe 112 PID 224 wrote to memory of 3924 224 VC_redist.x64.exe 112 PID 224 wrote to memory of 3924 224 VC_redist.x64.exe 112 PID 3924 wrote to memory of 3684 3924 VC_redist.x64.exe 113 PID 3924 wrote to memory of 3684 3924 VC_redist.x64.exe 113 PID 3924 wrote to memory of 3684 3924 VC_redist.x64.exe 113 PID 4268 wrote to memory of 4308 4268 VOCALOID6_Editor_6.3.0.exe 124 PID 4268 wrote to memory of 4308 4268 VOCALOID6_Editor_6.3.0.exe 124 PID 4268 wrote to memory of 4308 4268 VOCALOID6_Editor_6.3.0.exe 124 PID 2068 wrote to memory of 2744 2068 msiexec.exe 126 PID 2068 wrote to memory of 2744 2068 msiexec.exe 126 PID 2068 wrote to memory of 2744 2068 msiexec.exe 126 PID 2068 wrote to memory of 5100 2068 msiexec.exe 127 PID 2068 wrote to memory of 5100 2068 msiexec.exe 127 PID 2068 wrote to memory of 5100 2068 msiexec.exe 127 
PID 5100 wrote to memory of 2756 5100 MsiExec.exe 128 PID 5100 wrote to memory of 2756 5100 MsiExec.exe 128 PID 5100 wrote to memory of 3696 5100 MsiExec.exe 129 PID 5100 wrote to memory of 3696 5100 MsiExec.exe 129 PID 2744 wrote to memory of 1584 2744 MsiExec.exe 132 PID 2744 wrote to memory of 1584 2744 MsiExec.exe 132 PID 2744 wrote to memory of 4792 2744 MsiExec.exe 133 PID 2744 wrote to memory of 4792 2744 MsiExec.exe 133 PID 2744 wrote to memory of 720 2744 MsiExec.exe 134 PID 2744 wrote to memory of 720 2744 MsiExec.exe 134 PID 2744 wrote to memory of 4912 2744 MsiExec.exe 135 PID 2744 wrote to memory of 4912 2744 MsiExec.exe 135 PID 2744 wrote to memory of 3940 2744 MsiExec.exe 136 PID 2744 wrote to memory of 3940 2744 MsiExec.exe 136 PID 2744 wrote to memory of 4368 2744 MsiExec.exe 137 PID 2744 wrote to memory of 4368 2744 MsiExec.exe 137 PID 2744 wrote to memory of 2984 2744 MsiExec.exe 138 PID 2744 wrote to memory of 2984 2744 MsiExec.exe 138 PID 2744 wrote to memory of 1908 2744 MsiExec.exe 139 PID 2744 wrote to memory of 1908 2744 MsiExec.exe 139 PID 2744 wrote to memory of 4532 2744 MsiExec.exe 140 PID 2744 wrote to memory of 4532 2744 MsiExec.exe 140 PID 2744 wrote to memory of 952 2744 MsiExec.exe 141 PID 2744 wrote to memory of 952 2744 MsiExec.exe 141 PID 3124 wrote to memory of 2704 3124 VOCALOID6_Editor_6.3.0.exe 142 PID 3124 wrote to memory of 2704 3124 VOCALOID6_Editor_6.3.0.exe 142 PID 3124 wrote to memory of 2704 3124 VOCALOID6_Editor_6.3.0.exe 142 -
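The WriteProcessMemory block above is the raw material for the process tree further down: every "PID A wrote to memory of B" record is a parent spawning a child (CreateProcess writes the child's startup data, hence the repeated events per pair). The script below is an added example, not part of the report or of the installer: it parses records in the report's own format, collapses repeated writes into one edge per pair, finds the roots and the deepest parent-child chain, and prints an indented tree. SAMPLE is a subset of the report's 59 records, copied verbatim; nothing else is assumed.

```python
"""Rebuild a process tree from a sandbox report's 'Suspicious use of WriteProcessMemory' IoCs."""
import re
from collections import Counter, defaultdict

# One IoC as the report prints it:
#   PID <src> wrote to memory of <dst> <src> <writer image> <procid_target>
# finditer() rather than splitlines(): the report often runs many records together on one line.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

# Constructed sample: 19 of the report's 59 records, unchanged.
SAMPLE = """\
PID 1676 wrote to memory of 3124 1676 VOCALOID6_Editor_6.3.0.exe 89
PID 1676 wrote to memory of 3124 1676 VOCALOID6_Editor_6.3.0.exe 89
PID 1676 wrote to memory of 3124 1676 VOCALOID6_Editor_6.3.0.exe 89
PID 3124 wrote to memory of 4108 3124 VOCALOID6_Editor_6.3.0.exe 99
PID 3124 wrote to memory of 4108 3124 VOCALOID6_Editor_6.3.0.exe 99
PID 2068 wrote to memory of 4264 2068 msiexec.exe 105
PID 2068 wrote to memory of 4264 2068 msiexec.exe 105
PID 2068 wrote to memory of 4264 2068 msiexec.exe 105
PID 4264 wrote to memory of 1384 4264 MsiExec.exe 109
PID 1384 wrote to memory of 4268 1384 VOCALOID6_Editor_6.3.0.exe 110
PID 4268 wrote to memory of 224 4268 VOCALOID6_Editor_6.3.0.exe 111
PID 224 wrote to memory of 3924 224 VC_redist.x64.exe 112
PID 3924 wrote to memory of 3684 3924 VC_redist.x64.exe 113
PID 2068 wrote to memory of 2744 2068 msiexec.exe 126
PID 2744 wrote to memory of 1584 2744 MsiExec.exe 132
PID 2744 wrote to memory of 4792 2744 MsiExec.exe 133
PID 2068 wrote to memory of 5100 2068 msiexec.exe 127
PID 5100 wrote to memory of 2756 5100 MsiExec.exe 128
PID 3124 wrote to memory of 2704 3124 VOCALOID6_Editor_6.3.0.exe 142
"""


def parse_events(text):
    """(writer pid, target pid, writer image) for every record; duplicates are kept."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in RECORD_RE.finditer(text)]


def build_tree(events):
    """Collapse repeated writes into one parent->child edge each and count the events per edge."""
    children = defaultdict(list)
    edge_counts = Counter()
    images = {}
    for src, dst, image in events:
        images[src] = image
        if edge_counts[(src, dst)] == 0:
            children[src].append(dst)       # first-seen order, one edge per pair
        edge_counts[(src, dst)] += 1
    return children, edge_counts, images


def roots(children):
    """Writers that are never themselves written to: the tree's top-level processes."""
    targets = {dst for kids in children.values() for dst in kids}
    return [pid for pid in children if pid not in targets]


def render(children, edge_counts, images, pid, depth):
    """One indented line per descendant of pid, with the WriteProcessMemory event count."""
    lines = []
    for child in children.get(pid, []):
        label = images.get(child, "(never writes)")   # image is only known for writers
        lines.append(f"{'  ' * depth}{child} {label}  x{edge_counts[(pid, child)]}")
        lines.extend(render(children, edge_counts, images, child, depth + 1))
    return lines


def longest_chain(children, pid):
    """Deepest parent->child path below pid (here: msiexec -> setup -> redist -> elevated burn)."""
    best = [pid]
    for child in children.get(pid, []):
        cand = [pid] + longest_chain(children, child)
        if len(cand) > len(best):
            best = cand
    return best


def process_tree(text):
    """Full text tree for a report's WriteProcessMemory block."""
    children, edge_counts, images = build_tree(parse_events(text))
    out = []
    for root in roots(children):
        out.append(f"{root} {images[root]}")
        out.extend(render(children, edge_counts, images, root, 1))
    return "\n".join(out)


if __name__ == "__main__":
    print(process_tree(SAMPLE))
    ch, _, _ = build_tree(parse_events(SAMPLE))
    print("longest chain:", " -> ".join(map(str, longest_chain(ch, 2068))))
```

Run on the full 59 records the tree reproduces the Processes section below: two roots (the setup.exe the user launched, 1676, and the Windows Installer service, 2068), and the deepest chain running through the embedded VC_redist bootstrapper to its elevated child 3684.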
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity comes from vssvc.exe (PID 3472) and srtasks.exe ExecuteScopeRestorePoint (PID 3672) in the process list, i.e. a System Restore point being created while msiexec.exe installs the MSI, which is consistent with normal Windows Installer behaviour; no shadow-copy enumeration or deletion (vssadmin, wmic shadowcopy) appears anywhere in the process list.
Processes
Tree order; the bracketed number is the nesting depth from the report, and each entry gives the image path, the command line, the matched signatures and the PID.

[1] C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1676

  [2] C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}" /IS_temp
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3124

    [3] C:\Windows\system32\MSIEXEC.EXE
        cmdline: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6 Editor.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="VOCALOID6_Editor_6.3.0.exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}"
        - Blocklisted process makes network request
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        PID:4108

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}"
        - System Location Discovery: System Language Discovery
        PID:2704

[1] C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2068

  [2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 20A4B7D29195959B82E92183A863B446 C
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4264

    [3] C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /embed"{990E389C-A68B-416E-991F-4E2E96A10070}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\1033.MST\""
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1384

      [4] C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}" /embed"{990E389C-A68B-416E-991F-4E2E96A10070}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\1033.MST\"" /eprq /IS_temp
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:4268

        [5] C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" /q /norestart
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID:224

          [6] C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe
              cmdline: "C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576 /q /norestart
              - Checks computer location settings
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID:3924

            [7] C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe
                cmdline: "C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{50405421-A765-469A-BC89-B4CB1D051FE4} {EBE789B4-5B75-4E3D-8106-A271E842DCF6} 3924
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                PID:3684

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}"
            - System Location Discovery: System Language Discovery
            PID:4308

  [2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 78A043472644D950665F9918619C3D36
      - Loads dropped DLL
      - Blocklisted process makes network request
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2744

    [3] C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
        Ten launches of the same image, each with signature "Executes dropped EXE" and the command line
        C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:<second GUID>
        where the second GUID differs per launch:
        PID:1584  {8320CA09-BF58-4E11-836E-27A95AE01AD4}
        PID:4792  {140BAA28-B27F-4871-8753-6673FB296997}
        PID:720   {1699DD88-6BEA-4E4E-9CF8-7CC7602DCB68}
        PID:4912  {AF236989-E706-47C1-803A-971BFBBD697C}
        PID:3940  {A7738412-2D5C-4136-850A-3F8353113273}
        PID:4368  {86FB7D49-FEF4-4544-8A6D-E72319806F3A}
        PID:2984  {C2581955-6E2F-41EF-9919-B8FFF9FB64EC}
        PID:1908  {3FD6C05E-CE79-402B-8598-E3CFA0446001}
        PID:4532  {C125D510-2701-4054-8FD8-B9311D293A35}
        PID:952   {C80667CD-F64E-4B0D-9AEA-43555A5FFCD0}

  [2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B7B0EB179A8806CCFB04335B935812AE E Global\MSI0000
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5100

    [3] C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp
        cmdline: C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7D8A5B0-4C37-498B-A6EE-A0838F17BDBD}
        - Executes dropped EXE
        PID:2756

    [3] C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp
        cmdline: C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B599EA7B-48AA-4282-A674-56EEA46A6460}
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies registry class
        PID:3696

[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    PID:3472

[1] C:\Windows\system32\srtasks.exe
    cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:3672
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547), 1 hit: Registry Run Keys / Startup Folder (T1547.001), 1 hit
- Event Triggered Execution (T1546), 1 hit: Component Object Model Hijacking (T1546.015), 1 hit
Privilege Escalation
- Boot or Logon Autostart Execution (T1547), 1 hit: Registry Run Keys / Startup Folder (T1547.001), 1 hit
- Event Triggered Execution (T1546), 1 hit: Component Object Model Hijacking (T1546.015), 1 hit
Downloads
Dropped files; entries the report lists without a path are given by size and hashes only.
-
(no path recorded)
  Filesize: 1.1MB
  MD5:    9810d857aae84985aea41a5ab76558f1
  SHA1:   bc78cad99207a260b2ad08bf7a659371d278cc92
  SHA256: a3ad30b695dbe4d46ce37742d654f987612c70340dfbd57115d2844a380ef5a1
  SHA512: 04e087cf9e4f7dd902e545d8b3d5a9cbd159ee7555c43757e7683a00fc300ddbefb12abd1c1fa43b1747cfee6c58ed605e1d82a905522dc4cefc4873f7915c36
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\18909f6c-ec11-4ee4-b879-2a7e81e6adb2\18909f6c-ec11-4ee4-b879-2a7e81e6adb2.vsclip
  Filesize: 14KB
  MD5:    3127bf31e4188cf1caa4840c416c660d
  SHA1:   52621bfea13d865a1be95666c66ffa8ad01cab7f
  SHA256: e867af097da6986e5c1e09274ea145230cc51e06569f3f4ffe992d2c5b19dd46
  SHA512: 0b7869dd147eb40ed1bc4d9f4ae4bf96d3bbbea76990d1f499830aaf7530ac19198dea3ccd1653d15a7af4a1ca72a6a5a912723e4d8057d5ca458c9213723cc6
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\1e9f9466-8e9b-451e-99f2-7be6166c6905\1e9f9466-8e9b-451e-99f2-7be6166c6905.vsclip
  Filesize: 20KB
  MD5:    bc1755db28846936428133f2a1dfac51
  SHA1:   0aa3ee6e354441318689a835cc6dd1a409841b91
  SHA256: ef1f7163da8e4f2d08d022f4d1b84a487eeff01b3f9c402aced70b7bfc48ef0a
  SHA512: 1bfde0be277202c705e9ce4f4c60c816fe7f641f58e53a3b561c3aa39cdbbf5f8c37b6ac0eb76776dcf2cd874aa45181a085aac65724628adf8bb998cc69e1b4
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\481df1b5-9569-4d06-8355-3b0976f6d4f8\481df1b5-9569-4d06-8355-3b0976f6d4f8.vsclip
  Filesize: 15KB
  MD5:    beca7f74e8c9d7e43ba936d9327654d9
  SHA1:   2c5c32b8e3612d0090a47270461ae53798d50dec
  SHA256: a27f1525fd3886248de2d2c211982437f2ddf6726f45c17191f06c2911b23690
  SHA512: 656fb8aad68dc4efec9e5116044dce0edb535ce2286247ef9abd801a8c91b23b97442289f79b601b1b4922da8c1790695463aba7e06eb0ddb59572f4a9a83c1c
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\4e9e8d7a-38ee-4af8-b9c0-8b3ebc7e91e4\4e9e8d7a-38ee-4af8-b9c0-8b3ebc7e91e4.vsclip
  Filesize: 13KB
  MD5:    ed69ed3a5c5a8ccc3e1000a5aa2fa7e4
  SHA1:   8d9f0c8135af96d6483ded36d72732b168288cb9
  SHA256: 6360210e2a8bbbe504444379e3f5f09fc9cade69e099e42219aa52a8130724d5
  SHA512: 460c3cfb1051d88a60e16db92530fb191f99ac34f2bb4781d698783314f657bb58489a34265ce01ac3a729ed591f64b2cf5ea8beda34d9bafc07273eb7fb24a0
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\52aea056-bd3e-4720-b250-7928595a6300\52aea056-bd3e-4720-b250-7928595a6300.vsclip
  Filesize: 114KB
  MD5:    59c43d9bff06c935ffed11381e7490d2
  SHA1:   461bc0732b091bb253d0b2bd4b63121a13935b62
  SHA256: 266dac91dd012c4f89b15ffa2f89c1717f6128f46a4eca3ad6e5a93ce2486353
  SHA512: f85ce60adca328a9d424e2934fe10a4c3ffcf8ff1343ff8e521e90406cc2dd1c95e813c872eb906dc8c43a0fc8e8eb80050b791900c3e25f6afd33c4eefe8e38
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\588a3384-0982-4002-992c-4eb425f48992\588a3384-0982-4002-992c-4eb425f48992.vsclip
  Filesize: 13KB
  MD5:    3c9d0a8fce0a304bced39eab2a5a28ee
  SHA1:   3c50f28d90ee461912486077e6b742381ee9efac
  SHA256: a2826a7fa411f4a0d7a331fb11efca601d619c57ae769e5388a3ffde5e442728
  SHA512: d9ff8aa3d671da148805b72821686e40eeb2c65b4fdc2f9a9b86519c86a8c4189ade6a09e0ad841c4bbe14d17b3c046075633c2eb75073ce0ef2219f62a5bd64
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\8694f31a-b087-483e-adfe-29e28aee6ac0\8694f31a-b087-483e-adfe-29e28aee6ac0.vsclip
  Filesize: 14KB
  MD5:    57cffcba5df553665d6e900ce85302b6
  SHA1:   cb002080c3ee879c8724c34aa4f44baf32ff5678
  SHA256: 3ad6dede1e4deb4a478c3983890f29739bea1e9cc2fc0309598a28f8e3851cdf
  SHA512: 44799c64dbe15b5f99098188e66e56f8188424948431e642aea8a6ae4a7c24d1605ce49b9a711145eb1f13cf84ca94084dfb8b4a1d810735d8650116aaa20c53
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\8822c71b-47a6-4318-a032-e57a1b740cb2\8822c71b-47a6-4318-a032-e57a1b740cb2.vsclip
  Filesize: 23KB
  MD5:    1e2fe51f28326c28b9582f476b41643d
  SHA1:   cc2760abb825744f0da7e6dc3d2a6ce7b0ab921f
  SHA256: cf75ce306ccec78630596503204ad6a8513a07bb40344d4e12941a944eacc463
  SHA512: 4041f11af4ee284bde436a9de8272523d411f735a47298a5c6d8f1ad27c8bedea0b496b1a00815df606048894e71498429113735341202c4abdf48c0575fbf12
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\9ef77e48-7b5b-4e09-b4ff-dde83ca44729\9ef77e48-7b5b-4e09-b4ff-dde83ca44729.vsclip
  Filesize: 12KB
  MD5:    65a2b413c89b52b9be68910bb393b7d1
  SHA1:   7f6d44c5ace284e205d149465d262527507e0b0f
  SHA256: 1f1e29a3006cdb03a1285861f2facd3dcf798f929ec7b2adf5088e0d510773df
  SHA512: 57bd0d19c89430336639d2bf759693f217ff8f9f2789f0bdf3d5201b521c6161c927100c57dd5378d97c9622f2c2233f124c4f00b8b8a1c49b63a92d82dc3f11
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\a5a70597-5a98-4cfa-b35d-6fc794b33bf9\a5a70597-5a98-4cfa-b35d-6fc794b33bf9.vsclip
  Filesize: 19KB
  MD5:    4778a49dc00b734af56e8cb20fb9ac64
  SHA1:   2badf94e0d5166f2d35bb03c6a7f82b24d300f37
  SHA256: ee6b448d7c6642840f9f017783d0b442faed6f56eebbd8a3e79e71f2c74a0d85
  SHA512: 693141d97cb6ad88923d2bfb5acc3907e78ed2c304416d28cce562f5e8b9737b78856b1add12d7f737c3a82f9c80a99696213f4ac6eede79061c8ff8607445d2
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\a9427b36-005d-414a-8748-a131db2c3abb\a9427b36-005d-414a-8748-a131db2c3abb.vsclip
  Filesize: 10KB
  MD5:    af99e9b05767ee8dfaf4afe4ef670b19
  SHA1:   3cc95490df3351982a37e27111c77685413025fd
  SHA256: f76a83882ebfa4dca2e2f2c760fcea092acd65be378053833759b323a63dd375
  SHA512: bb78e98e50d331d10a0fcec9926a7ce7c094a2b2da1f427e42bf2fc71cbbf395d2c31630a49b9cccbe2e253723986fa20e1229ad404f4762126a3c8aa3e6208e
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\b48609c6-784e-4e04-8132-cdc17687b765\b48609c6-784e-4e04-8132-cdc17687b765.vsclip
  Filesize: 11KB
  MD5:    1bef83375ff519096f4db83954a14b64
  SHA1:   ac29603230e294a87ed1daa63967def206bd3b16
  SHA256: 57443c51d0f4083bce712ff10b7db3fa50624c6dbf2508bba8f47deaaa75cdf0
  SHA512: 49a07ee3def07f7c873dbede8a0ec88d9bad69fd318dde88bcb234c12d54829afd7e2d29212d59e7d9070cb57faab5862eb37e180b9d9cfbe394011b14e6d7df
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\bccfaace-0c86-4628-be69-37a66d78e296\bccfaace-0c86-4628-be69-37a66d78e296.vsclip
  Filesize: 17KB
  MD5:    c61fc0759796506c29fd04c9f4c93fd2
  SHA1:   c6c7b4b8cd928a28255135f2c5ebe704b3ba7f24
  SHA256: e1737a734302e23111d73b1e6c27ff175cdd845ca6de501b3b602be019896e97
  SHA512: 7df5fef783da19c2adacdf33d55fa1fb84f716f1c28210ff68d16601e2dbfd2cf34035fa22c6cbbc3eefa8ec8228ab8286165d5ed15e56de42719d46e651eebb
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\ce5c1fba-e3e9-4865-b860-a65cf54dc1bd\ce5c1fba-e3e9-4865-b860-a65cf54dc1bd.vsclip
  Filesize: 10KB
  MD5:    0fe0fb34ffeef16450ce540eefd7dcc1
  SHA1:   c47e2ed92ee3d17a06af9cc12b271166942f0687
  SHA256: 32f17b4f1edbf1e23e5f8ceced915218ad47c451b4aac453584049714dd8b2f5
  SHA512: 0e220d02d61b3222141b2f191c952eec20ead90fe9695e66091e698b4c9c6aa1420d24f41fa76323d4a467932b051843acb0fec44f1c0edd3baa17041e41ef18
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\e2849f6f-8de0-4762-8c59-dbd78c61022d\e2849f6f-8de0-4762-8c59-dbd78c61022d.vsclip
  Filesize: 12KB
  MD5:    9e651c10042948e5f287f145570c9ed8
  SHA1:   860fff704e5f2bfa4a6a91c2e619634a5ac7906a
  SHA256: b9857e23821dd017275ad0d803be8c7954bf23fa2c283f8995fbeb4fda667b19
  SHA512: 3671ea1aaae467c2bb7137319be89e69254b24db156fe42b57416252c8bb54411f23385a50e617ed2aa588b258c5cf6c09975beea3ae3c378a64cec979de709c
-
C:\Program Files\Common Files\VOCALOID6\Media\Editor\fe81ea40-d60e-4e6c-804a-52a719725b0f\fe81ea40-d60e-4e6c-804a-52a719725b0f.vsclip
  Filesize: 16KB
  MD5:    0ddcb20699241cadd7cde0e8f2c5957a
  SHA1:   0659636f0caa48000c9313c17adf38420f6f181b
  SHA256: 8cc71bda44b635bf97d68a6ff6f4bbf638aafdc5fdfc59c57cbfa61aeef4d525
  SHA512: a752cb1e13acd8298f7f413b9fe715cf9a691023e47030ab4c264b695328ecb66f1c6b64aa4f9fccbc081f6cfa53cd6fb9c14c6567c5a50202104146f0ac64ff
-
(no path recorded)
  Filesize: 569KB
  MD5:    8329424b323f4501efe48ead6208cdf4
  SHA1:   ccabb9aa3ffaa24497d7026d452da4e7e5630015
  SHA256: 1b9b732dfc9f9bdd85477626871f87498e18a8069347130b73a239f7c5ab7a33
  SHA512: c6860e2780f4d40271e6bc7ceba97b59d8b6edf249d0350605521b212f5b0882d74a5ef933e8f867969adbb877674ff245121aa2f920b24902dc53b6f4fa9334
-
(no path recorded)
  Filesize: 569KB
  MD5:    d58164d41e9c65beab935509be355c64
  SHA1:   04e01693ad939e2cfb287eb1d1f074c7e5ed7cfa
  SHA256: 7e3161aaa6fafb13cc4965ba75c9eb93c6eaf39fc18c7d351a9d5b386144d88e
  SHA512: 0ec7e24e0e557b521f8acf8ca825e2284e5520765be47ae6ff32a27ed7b134479abe1ecdac626a76aaa31916aef3f9b48987d890769a852c0a160320a66d4cfb
-
(no path recorded)
  Filesize: 284KB
  MD5:    275a1391944531c65ed1092a31e6d7e4
  SHA1:   32cb644690b2ad8dec076a3d630e1d50b1ba42c7
  SHA256: cd4d159b44b47d3d5d41543d1ff2ace84941cd7c61c8ddfffad2e939dffb5101
  SHA512: 7c4bc8c85255aff74629937e52349dcefbcb4ab6cbaed9d4270199136038a989eaafe4f18e1c3dd176409ceafa4a553387bb1f6f532364f5b5948d6391f7dee7
-
(no path recorded)
  Filesize: 569KB
  MD5:    004701e6ddadbf073080e275187db638
  SHA1:   b3dc7a665ef868b779359fb17101e448005d2a60
  SHA256: 480565bb3f64b242e1c7ad4c67e2bb5c099ba92f268ba3708eccb55026ca1a24
  SHA512: 4bde31a198055466fa1bdf24aa10b3dd2776cee973e3a57ff2545b592f8aa6b13cd0cb76a28761f1d6b4057f8121e9c5d35ffff1ac9d9a5c8931b2080eaedcb5
-
(no path recorded)
  Filesize: 284KB
  MD5:    a49a37068286ea3d949a00d8454686a5
  SHA1:   f912cb2ab0150bc8f0bff9f8c045f6c6d66200be
  SHA256: 2f14ac01fdf2b234f371e63c1660870ea6f03afe6efbb96b4887951c6745a7b0
  SHA512: 1d09056f08c9cf3603392171e15fc2f7b0219daf0986a0f7ddac9e15a11440837276c4861e9ab9b01ac472a9b478b94ffe096874c0964e55b320f3431f0ca1a6
-
(no path recorded)
  Filesize: 194KB
  MD5:    2ee29628c601b21205b628920b881c9b
  SHA1:   a41de07cb67ce5d90d2e1953acf6ad07bb5ba763
  SHA256: 975f110fa114108f73d7db2fb6b889387b379a9df226621c4f82429f7a435cdf
  SHA512: bfdf0e779fb9c1f8080528631b28b01097d39cda9037f6a15bcc4aea8134f3254f6c63d93243104144b1c999c495ea6e54086808ddd68389daf569dd3e988b06
-
(no path recorded)
  Filesize: 58KB
  MD5:    8d66629aa455ec0ef90d750dd51f438a
  SHA1:   36b934a298be4803eee637063b3876551e725339
  SHA256: 344c4729becdd414b8e446794cae2415451d270ff6de1f645b163c092d108eff
  SHA512: daaeb0a09870984f68d7deac6dc7d8b9c604a4a7daf5cb09571457fb62c3dbb95149e47768430a9c279451e04c3e69cc9c4ea6c5cc3f6c4372b6f13296004ed9
-
(no path recorded)
  Filesize: 4.8MB
  MD5:    b1c20d2f1a70a96946af73495ab70f55
  SHA1:   0385c8c2fe0c4fc6396b974638e25ebc0332e775
  SHA256: 9bbf4cde5e61d5a628423c0a3e478d645b4dde687ac56721655ede03ed99da2f
  SHA512: 49283eb9e7220e09c8fca51879a7da713ab9151d05631cd14295781213e36be43415349c02f0039013eb517188cca768bfc22a5c789896e72bc7bbb244c2b1ad
-
(no path recorded)
  Filesize: 407B
  MD5:    5d6ab666fb94e136578929a9e2469705
  SHA1:   59117c4e2c67fbcad255633f37a720a9ddb68351
  SHA256: 9e72299350f7636bc7be5437b9ab52c244105a019f1be081562289d98bb83c9a
  SHA512: c5da9d0c31ae491ac908e1d69f0afc3496219637e290ffabf568e2505f3211d7c195293e8e27a7396d3f152a71e3b0047b8f8867cd90912c4d9935536577a613
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
  Filesize: 765B
  MD5:    d311d0bc764f0f8102d7135bc83b4593
  SHA1:   bc710f58804d00a7ebaa4d2ddd882279ed05e5d2
  SHA256: b94a81fa3cb01a903368b02ff1fbecc6f019d732f693776d62788b38fbbaa490
  SHA512: 3a8462b95924ee562b5e074420bdeb658875c4540411952c556c1e7c80e26216074a642402307254b4683c7d61fe4ccac6c56a46719de90df6b64e1cf69dae11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_B0DC81B52DC0E20DB5F04AB84DEAAA9B
  Filesize: 638B
  MD5:    6d78c5cdd8e63ad8010797aa2017b238
  SHA1:   f2bd9c37dad68a8d47075d53cc8cbed4e3befbd1
  SHA256: 06956b410c188891a2312ad83f16eb816dbf4d0e9dc7c377f0b976dfb9ba8461
  SHA512: 53019709e0d90d7891bec5189dc0de539a3abee5cfb322d44b5034031da5a9749ad20ccb6ba4d08265190e86c1890d2752b4e0f655e05904792722928dbaf977
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
  Filesize: 1KB
  MD5:    a49813a199dca7806e0d9e75afccf1ed
  SHA1:   509ff362730afd40ea482c760fb6a561af75e3f4
  SHA256: fb0dc1baaa57ec867bd9332adec22afcf205192d60e923d63a152b9ee5379bd1
  SHA512: 686b7df717e7f247c682a072fd047d8acca25609d119a75e6ebdf750d66622e848aeee4605c7523c62611ca3184870bd5b6a3bb26d05ba259d6d89cd774e5706
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
  Filesize: 484B
  MD5:    c519484a3c1564a39846c67aadcfb893
  SHA1:   b7dd9232c93a50ef6c2466cb0071d5ebf28477b8
  SHA256: 23e257343e432e941167c6262065f47a12a1f74969bf5a5357cba206a72c2a54
  SHA512: 968b3d3219a45829b6022ea72912c3402861d92bfcb4c8f691192544b518127289923ee72ab660c0e855f201453adb833cdda0ccb5fa919bbd8010e6742b6784
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_B0DC81B52DC0E20DB5F04AB84DEAAA9B
  Filesize: 480B
  MD5:    161f26b50fc6970fa2f4ff07b6afa4f4
  SHA1:   d4fc7337c4c8e14da61832c5c3ac72e4da1f8c28
  SHA256: 930949a7158eeb3b6efb6745ace73e71464d3f3bf514ba63e4ad39b775286827
  SHA512: b4e8fefd68bed9effb3e67a3fd3cc8823379a2941c863bb175eba113187efb5daab82fd6d24aa06800c8809f7af3dd4b3424e403fcecc5e53a3e93e06031cb11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
  Filesize: 482B
  MD5:    bf4444ab7e8d10928e1b0c004bd1f974
  SHA1:   e99c816a58d9557e679a0ab62c0c539ccc3b9997
  SHA256: 99de2c507ec253417e14b2d329d370e7e3e0ae12e5348c2e6f03d00aca8d1d56
  SHA512: b5491eaf86cfb19e2a103b0cb3b41de519a98164565aca14b612bd97685876d327f43d8ce8b10420545b44db86bbf24b665cc92a91ea1b27c291ecf18c6036e7
-
(no path recorded)
  Filesize: 169KB
  MD5:    a74e09608e2cff5885c99735ef8d7ddf
  SHA1:   77898bf942b9024727cc4da2e1148a809e967469
  SHA256: 17c6051e3a1a2000019ae0ef0b51d2896250f742eedfa45b98d570b9b42da6ae
  SHA512: 6fb770b579b8baba0a4685719ae384d3047ac796d7e03f11cfb77a607738be8fc0471809119b1c786d56a2eda8f47b25865e01dd8ae3235ff757248dbbbd32c5
-
(no path recorded)
  Filesize: 284KB
  MD5:    b1143a2201943febfca2595b00a86407
  SHA1:   094149e6743583008524d7e0ec4ceb0fc7f0746e
  SHA256: f67ca8337a1ebed31f5b8008e43997f99e2a434d661d91d997fd95f718a33dc9
  SHA512: 52b8230e2ee323673c37bec00ee2365c779e909bf7114d74c962c52775255e9ddbd8507980acd1c706c1ed302638d90ec12758961725d8463c92249ad99f48d2
-
(no path recorded)
  Filesize: 286B
  MD5:    f2823cb97683f6010ed2724fd5ce25f8
  SHA1:   569cef87990811d4b75744066b827de036d6ad40
  SHA256: 1ee4906ef9ddac7b48a11379a3ea7f881bc4f486c53a3925b0a21ebddb3a6781
  SHA512: b93ee480b0d781692bcf2fa11bd755da6822db50540a76b6772fccd2ac5974a6bf7a0d40583dfdc41f43fa4fbc79d3075d9287833d3985c9ca95d7857ca8704e
-
(no path recorded)
  Filesize: 2.7MB
  MD5:    fdd10a5a9ac6360ee3caba1a704b2f59
  SHA1:   a8169bb8e4c6611eda2c59686a748d403f2104d5
  SHA256: 1fb7b2bb5a334e83437b60420db6e63970ba404aaea291a7af2dcb064061e262
  SHA512: 363b90205ae882845ff4a0d1253f3fcc8eb3bef5cd8151f943f243685c36d54f179fab4d587e3413688b4304b8270dd5fc04f01634fe34fd8a93f08a94e33ab3
-
(no path recorded)
  Filesize: 181KB
  MD5:    a73f181849d157bfa4c802a54be7bf06
  SHA1:   d87302abad182b74864b0a0bd886a311acbfc024
  SHA256: 037f8de004e6e6bfcbc9b719a6a9198c4397e4561cc0107108e00233f94886d0
  SHA512: 43b03dd2dc743324461dc16a12199eabaa19099626e5a54294ec76549084c05f8ce24f6e22b6e8c7871c5eb4ecf4449e8a4e36f0371f3c4772bc6a7d8fd30975
-
(no path recorded)
  Filesize: 178B
  MD5:    409d16bccfdec3afb8aa4f9ad8f8a191
  SHA1:   cb5e5c3a91dc0133b5c0ec13fd3ac433fa0fdf1c
  SHA256: 4167eb7dec8086085b99f10cd9f9479c71c23b09450264bd14fd2c3fd14e98da
  SHA512: d99f0642b684ba1b2081cbe6ce3ae58bfd3d92935821a5f534243bbeecd5b8da57d9226db52c3ee0ff8578332a36f95383f8f6e293cffff68c4bb02c989b6857
-
(no path recorded)
  Filesize: 22KB
  MD5:    1196f20ca8bcaa637625e6a061d74c9e
  SHA1:   d0946b58676c9c6e57645dbcffc92c61eca3b274
  SHA256: cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29
  SHA512: 75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3
-
(no path recorded)
  Filesize: 14KB
  MD5:    b807ce7552e96dc1928775956b9f422c
  SHA1:   d25122157365130bebae6497617d28cd86e8c638
  SHA256: 3f0778538202a35483c084fb0b109f693a9853f64d6452daa5c92ac75620aadc
  SHA512: bb06ca5784e77ceb15331c5c6a9abad27364b1c5b800f229cd7b6d955fb120cbd7879c299508b606760f714b17a4a50aba333ccf6da7fb9bcd88b50772f64f6d
-
(no path recorded)
  Filesize: 36KB
  MD5:    be309cfc568c998921ca5a29c8b1d913
  SHA1:   1a146dfeb395ef533e737b123a148d4b1518c2ce
  SHA256: e9ff0bf5037af12db72a5c882927b60b99207551378987c4b9a7025867a120ee
  SHA512: 44036f0547b71e1ed62b8284f33a38d485188f0076fccff0d4c2a6e06446dacd03bfd8f319c0a2027aafe43b150e2d68c2c9a34c2f79385f69502dd3e805d007
-
(no path recorded)
  Filesize: 660B
  MD5:    85f7b282c2c872960b141f43c1cbef44
  SHA1:   70d46f79486ebf5eef6d1411f758e35a4aa86f21
  SHA256: 42b9fcc39108fbc4217edd0779a3e0fcdfe9f82bfddd15daad9a499519bd6f72
  SHA512: 31f60e96d2921b049c9b540daf10439746f639528acc7e560efa8d567b0b1b850abec39926d2101798e8b7fcc41eed03cd24c8e3ff339b83e45389769ec756b9
-
(no path recorded)
  Filesize: 2KB
  MD5:    884fc70d400754ba538460c6b211e553
  SHA1:   ae0db46703dc9645bcdf8d49d5589ce5386c766e
  SHA256: 9cbf8592961d0fa841551b30485cd9549d8d03aeb648a6ee4f533381947ca344
  SHA512: 5082acfc398d3d610af40a587e2c1855da146163b7684a9dc0d354a66db899ff5bb5f95263259744aa15d1eaf9c1f3fb1fde7c97a7bc1c13d914660a4c3b9695
-
(no path recorded)
  Filesize: 760B
  MD5:    fb01245159e726799b389b9e22b35db5
  SHA1:   032f5c0485f5647e8670e30afa4abff42618a4cc
  SHA256: cce0bef91c50e3577e849f2d8aa925294adb6c2627a433f4421a4cf64e5b09b6
  SHA512: 11fd32ce26e69c657847c007f75f6bd1bd54f3477cd74713ec081f79424d4566f6802bba9f2fc738f914398ccbaefc4ded61810ae95dc71530ef634d721d057e
-
C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\Microsoft Visual C++ 2015-2022 Runtime Libraries (x64).prq
  Filesize: 797B
  MD5:    15bbd6d4f89b49685a02e8b3a7f0776b
  SHA1:   460db26b972bb8eeeb75147b82c92c1056e0cf79
  SHA256: 97076594c13a9afe98f8f8d820ee05a3c922fd11c449e1255633519b3d4778c0
  SHA512: ed0e1d51b211334c1db7e102b39451611eb2fdd402e61348c0dfb192cb29de6c5bb7943046d5ad3b44ecbfcbfc19e57dc21acccbf4de139c261c3158f8075a23
-
(no path recorded)
  Filesize: 660B
  MD5:    1b90da2f95d5a5983324c641f98cbd78
  SHA1:   50b26e0c99fc7045e5002384bc5609cec22dc5d8
  SHA256: cfc48ef170c0cb1c75c7ab114399611100bc07ecd67d43f56c49b900ba2d2e2d
  SHA512: 8b3e3d0ea5dbbc8d0a32468e9a0fdf7264089970b1077cbf775a4aaf2f531678d51abb3f09ec58cdeb8018468f6b55b1307472b1ba7455b04b3dcfddf126d1cd
-
(no path recorded)
  Filesize: 350B
  MD5:    509d79ddd873feff49a6e6c3e55be927
  SHA1:   761cedcde5966c0dfb9009e29dae81985dc865fc
  SHA256: cb2b17da6d38245317b3edbdeec837fddd44dc00a1637ed5e28458c9e4e16cea
  SHA512: b2ea337f0d45645bf8f69294a3e7f1edb80ab0379ea785c3ae48ccf51e74fa84e8c9c4084e0b99f2e6891072d2c68ce43ec99f574ca9aaac2d3aa9ba562a18a5
-
(no path recorded)
  Filesize: 46B
  MD5:    c10f0c1c213324eb2d479d8617a58197
  SHA1:   5d830ffc7950e47de2a7f9efafca8425c37a382c
  SHA256: 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be
  SHA512: 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702
-
C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
  Filesize: 24.2MB
  MD5:    077f0abdc2a3881d5c6c774af821f787
  SHA1:   c483f66c48ba83e99c764d957729789317b09c6b
  SHA256: 917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
  SHA512: 70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939
-
C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\ISRT.dll
  Filesize: 429KB
  MD5:    ac59556efcf722e2c6d494574e90cf1c
  SHA1:   a1fc28ce3078697b7a48d064bc20b26c8e54c9e6
  SHA256: 05e4939fabed71a2fd49d183046fb50506b9f585ff19375032a4dfe1cc29a243
  SHA512: 7b195208780dcbecaf085efc4c5c5ce351e69de448a3c6b4473a7ae70600c9ed59806d3deca787cf75cff6d2277a3b5a4e7f0a170249f2986b6babf1a9076252
-
C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\String1033.txt
  Filesize: 182KB
  MD5:    05ab8f657b3ae396bb3902246772863e
  SHA1:   1a1a9f07d45070901cd3f9d81ef4cc774fb554c3
  SHA256: 22bbcf26f39361d5d42e1b5da3af565abbcc450d2db3179d94e35f6a31dcc203
  SHA512: c27a6632efe56b9f4dcd5b43a3d539361084156f85eb1e90921bcfe0aa1aae46ab2d8df1ab88ceeecd88fbcc9ebd9ea87fb8f16d4be8fdb486e3d315104c9726
-
C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_isres_0x0409.dll
  Filesize: 1.8MB
  MD5:    503e4b3faf3f7cd6f3401c4c63b3d12a
  SHA1:   4bb249f9178b0c7c22824822a9c8635b57ae2e2f
  SHA256: 0296fab05dacd37ec7b5214130063a80efcbe4611e034354f18e44baba91d295
  SHA512: e953d4486a28e398178abfdef8544024841bada2969b54c82a05c6e3a2f9e2ffe00c6892d940ae7df8aa3489d556733d8aa6ed779f62bb26eb51096338296f1c
-
C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\setup.inx
  Filesize: 252KB
  MD5:    c43b124fc99e2f8dd1dfc031b880ea03
  SHA1:   d2eefeff1a824e179f118d45af9d9ad97122eb22
  SHA256: 0b7a91562eb9b55b5ef0b9e9b21dc9cded1b803260faf9ce7dc843601d69a111
  SHA512: 79ad66e3245671c460988715d3a56682cc00c08c150a5d607675e1e8cd00a6d14443d586285152011e08d61fbcae716cf4d7414ec15094029ff944264e5bed58
-
(no path recorded)
  Filesize: 5KB
  MD5:    6d3271c739103d849fcceb07a86dbff8
  SHA1:   880e9f0b6373582ed50a0ec42ddfde85463832d2
  SHA256: 34b2395b16519a8ed5a2e782c5e9381b50abb7efcaa3eed874fc48a8ac1b2da9
  SHA512: 6e07eee1ed956e5c12c15df7c0c2913a4852aadce0490d6951a8db45a83061126b78fd69954d085f31c69b676fade58b1a7d49e1fba9bb8d4013e03ed3d24472
-
(no path recorded)
  Filesize: 816B
  MD5:    303fa7609937b50627b2427b65cdbe55
  SHA1:   9c501629bf3e051df1e0b5886245f7191fe04d85
  SHA256: 2c1fa1da136f55332d41f9751fad5fbfa6b4e8254d87f00bb8bbe58831ceaf51
  SHA512: 2d0c43f5e2c6a0b241717417dc631e897f15bae74080bd22cec7d78a9519a6ab221335f7de22a365cca42e063bf8b2f612260827bcb571c5b022fbf9e7b3bd9c
-
(no path recorded)
  Filesize: 431KB
  MD5:    7e5810ea73e00f712c33471f9148f10b
  SHA1:   3e22e869b8f0f5acb87fbca3dd40d2fc4b72e78a
  SHA256: cce0370bfdb053b3b2e6b90e87a903f3de525f3c84adb0fe67d6f3e6a26e4fe6
  SHA512: d7dc5e9bd7f9b68ad7824ff44cc0fdb62c69456658c55a439247874b32daac35a1895e2a97018e82d4b5c65fef97d99312bf528a8fa3449b8f5604b4d7717630
-
(no path recorded)
  Filesize: 1KB
  MD5:    d6bd210f227442b3362493d046cea233
  SHA1:   ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
(no path recorded)
  Filesize: 191KB
  MD5:    eab9caf4277829abdf6223ec1efa0edd
  SHA1:   74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
(no path recorded)
  Filesize: 635KB
  MD5:    35e545dac78234e4040a99cbb53000ac
  SHA1:   ae674cc167601bd94e12d7ae190156e2c8913dc5
  SHA256: 9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
  SHA512: bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3
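The practical use of the Downloads list is as a hash manifest: when the same installer turns up on an endpoint, the dropped files it leaves behind (the embedded VC_redist.x64.exe in particular) can be compared against what the sandbox saw. The script below is an added example, not part of the report or of the installer. It parses the list in the report's flattened layout (a "-" separator, an optional path line, then Filesize/MD5/SHA1/SHA256/SHA512 lines with the label fused to the value) and checks local files, matched by file name, against the recorded SHA256. SAMPLE is constructed from two of the report's own entries; demo() writes a placeholder file that is deliberately not the real redistributable.

```python
"""Turn a sandbox report's Downloads block into a hash manifest and verify local files against it."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: two entries copied from the report, in its flattened layout.
SAMPLE = r"""
-
C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
Filesize24.2MB
MD5077f0abdc2a3881d5c6c774af821f787
SHA1c483f66c48ba83e99c764d957729789317b09c6b
SHA256917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
SHA51270a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939
-
Filesize
46B
MD5c10f0c1c213324eb2d479d8617a58197
SHA15d830ffc7950e47de2a7f9efafca8425c37a382c
SHA25606d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be
SHA5126b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702
"""

# Fixed digest lengths make the fused labels unambiguous ("SHA1..." vs "SHA256..." vs "SHA512...").
HASH_RE = {
    "md5": re.compile(r"MD5([0-9a-f]{32})"),
    "sha1": re.compile(r"SHA1([0-9a-f]{40})"),
    "sha256": re.compile(r"SHA256([0-9a-f]{64})"),
    "sha512": re.compile(r"SHA512([0-9a-f]{128})"),
}


def parse_downloads(text):
    """List of {path, size, md5, sha1, sha256, sha512}; path is None when the report shows none."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "-" or not entries:           # a separator starts a new entry
            entries.append({"path": None})
            if ln == "-":
                i += 1
                continue
        cur = entries[-1]
        if ln == "Filesize":                   # size printed on the following line
            i += 1
            cur["size"] = lines[i]
        elif ln.startswith("Filesize"):        # size fused to the label
            cur["size"] = ln[len("Filesize"):]
        else:
            for name, rx in HASH_RE.items():
                m = rx.fullmatch(ln)
                if m:
                    cur[name] = m.group(1)
                    break
            else:
                cur["path"] = ln               # anything else is the dropped file's path
        i += 1
    return [e for e in entries if "sha256" in e]


def sha256_of(path):
    """Streaming SHA256 of a local file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries, local_dir):
    """Match entries to files in local_dir by name and compare SHA256: 'match', 'MISMATCH' or 'missing'."""
    results = {}
    for e in entries:
        if not e["path"]:
            continue                           # unnamed entries cannot be located on disk
        name = e["path"].rsplit("\\", 1)[-1]
        local = Path(local_dir) / name
        if not local.is_file():
            results[name] = "missing"
        else:
            results[name] = "match" if sha256_of(local) == e["sha256"] else "MISMATCH"
    return results


def demo():
    """Constructed check: an empty folder, then a placeholder file that is not the real redist."""
    entries = parse_downloads(SAMPLE)
    with tempfile.TemporaryDirectory() as d:
        before = verify(entries, d)
        Path(d, "VC_redist.x64.exe").write_bytes(b"constructed placeholder, not the real file")
        after = verify(entries, d)
    return before, after


if __name__ == "__main__":
    for e in parse_downloads(SAMPLE):
        print(e["path"] or "(no path)", e["size"], e["sha256"])
    print(demo())
```

A MISMATCH on a file that should be a vendor redistributable is the result worth chasing: the sandbox hash is evidence of what this particular installer carried, not proof that the carried copy is genuine, so the next step is to compare the file's Authenticode signature and its hash against the vendor's published download.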