Malware Analysis Report

2025-05-06 01:19

Sample ID 241109-1dxg4a1rgw
Target VOCALOID6_Editor_6.3.0.exe
SHA256 cb54085178b9605c8135604001e19adeae487d6a1a837dc71c39239ed012613f
Tags: discovery persistence defense_evasion privilege_escalation
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: cb54085178b9605c8135604001e19adeae487d6a1a837dc71c39239ed012613f

Threat Level: Shows suspicious behavior

The file VOCALOID6_Editor_6.3.0.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence defense_evasion privilege_escalation

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Adds Run key to start application

Blocklisted process makes network request

Indicator Removal: File Deletion

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 21:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 21:32
Reported: 2024-11-09 21:37
Platform: win7-20240903-en
Max time kernel: 89s
Max time network: 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
N/A N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
N/A N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{24b99d74-a81e-4765-aefe-be853ac47482} = "\"C:\\ProgramData\\Package Cache\\{24b99d74-a81e-4765-aefe-be853ac47482}\\windowsdesktop-runtime-6.0.12-win-x64.exe\" /burn.runonce" C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VOCALOID6_Editor_6.3.0.exe\"" C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\G: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\P: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\R: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\O: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\Z: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\Q: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\V: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\W: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\I: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\J: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\M: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\N: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\X: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\T: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\U: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\Y: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Net.NameResolution.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\api-ms-win-core-processthreads-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\pl\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ja\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.IO.FileSystem.Watcher.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Text.RegularExpressions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\pt-BR\PresentationCore.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\es\UIAutomationTypes.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\zh-Hant\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\es\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Security.SecureString.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Security.Principal.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\Microsoft.NETCore.App.runtimeconfig.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\PresentationFramework-SystemCore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\UIAutomationClientSideProviders.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Threading.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Private.Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\cs\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\PresentationFramework.AeroLite.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Diagnostics.Tracing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\it\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\zh-Hans\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\de\System.Windows.Forms.Design.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\.version C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ru\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\tr\PresentationFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ja\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ja\UIAutomationClient.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Data.Common.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ru\UIAutomationTypes.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\it\WindowsFormsIntegration.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\fr\System.Windows.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Formats.Asn1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\zh-Hant\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ja\Microsoft.VisualBasic.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\zh-Hans\System.Windows.Forms.Primitives.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\fr\UIAutomationTypes.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Xml.Serialization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Xml.XDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\it\ReachFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Reflection.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Collections.Immutable.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Web.HttpUtility.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\LICENSE.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\es\ReachFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Net.Mail.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ru\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\pl\System.Windows.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\Microsoft.VisualBasic.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.IO.Compression.FileSystem.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\System.Diagnostics.EventLog.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ja\UIAutomationProvider.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\Microsoft.WindowsDesktop.App.runtimeconfig.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Globalization.Calendars.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.Runtime.Serialization.Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\cs\PresentationFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\vcruntime140_cor3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ko\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.IO.Compression.Brotli.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\System.Security.Cryptography.Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.12\ja\UIAutomationClientSideProviders.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\System.IO.Pipes.AccessControl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.12\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\ThirdPartyNotices.txt C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f77430b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5128.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe N/A
File created C:\Windows\Installer\f774314.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9939.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4C40.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f774308.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77433b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI447F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774308.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5975.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI93F6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7742f9.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7742ff.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77430e.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774311.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f774311.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f774314.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774328.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7742f9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4CEF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77430b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774310.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f774328.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
File created C:\Windows\Installer\f7742fc.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7742fc.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77430e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f774325.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI48A7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f774305.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4EF6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77430a.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774325.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A63.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
File created C:\Windows\Installer\f7742fe.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7742ff.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f774302.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E57.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI95FB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774324.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774302.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774304.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f774305.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\33 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31\52C64B7E C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\33 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\34 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\35 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.51.51943_x64\ = "{0712F23C-FBAC-436C-9DDB-125F32D15033}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\57551FB77DE5D216E4457A8034D0EF38\C32F2170CABFC634D9BD21F5231D0533 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.51.52100_x64\Version = "48.51.52100" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\ProductName = "Microsoft .NET Host - 6.0.12 (x64)" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{0025DD72-A959-45B5-A0A3-7EFEB15A8050}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.51.51943_x64 C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959\E9AA512E2FD5CB44D9F61E1A0B3C84BF C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\PackageCode = "901C43977048E1D48B1CB3E9E488E16D" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24b99d74-a81e-4765-aefe-be853ac47482}\Dependents C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\PackageCode = "4636416B02CCB1B408C62C5F856366FD" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Provider C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24b99d74-a81e-4765-aefe-be853ac47482}\Dependents\{24b99d74-a81e-4765-aefe-be853ac47482} C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\ = "{8bdfe669-9705-4184-9368-db9ce581e0e7}" C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\676627E34F5BAD849B9F871AB5F7A807\Provider C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\676627E34F5BAD849B9F871AB5F7A807 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Version = "14.36.32532.0" C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24b99d74-a81e-4765-aefe-be853ac47482}\Version = "6.0.12.31928" C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{3E726676-B5F4-48DA-B9F9-78A15B7F8A70}v48.51.52100\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2A1D5C7710A520B4CF71F18CEA425338\1CD76FB15BB85FA4EB02B3359D35D210 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Version = "237272852" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C32F2170CABFC634D9BD21F5231D0533\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E9AA512E2FD5CB44D9F61E1A0B3C84BF\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{E215AA9E-5DF2-44BC-9D6F-E1A1B0C348FB}v48.51.51943\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.51.52100_x64 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\676627E34F5BAD849B9F871AB5F7A807\ProductName = "Microsoft Windows Desktop Runtime - 6.0.12 (x64)" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EA0C5AE0E23539C708618982000C701F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\PackageName = "vc_runtimeAdditional_x64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.51.52100_x64\ = "{3E726676-B5F4-48DA-B9F9-78A15B7F8A70}" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.51.51943_x64\DisplayName = "Microsoft .NET Host FX Resolver - 6.0.12 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1CD76FB15BB85FA4EB02B3359D35D210\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
PID 1608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
PID 1608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
PID 1608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
PID 1608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
PID 1608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
PID 1608 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 3048 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 1060 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2236 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2236 wrote to memory of 1596 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 2236 wrote to memory of 1596 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 2236 wrote to memory of 1596 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 2236 wrote to memory of 1596 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 2236 wrote to memory of 1596 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 2236 wrote to memory of 1596 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 2236 wrote to memory of 1596 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 1596 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
PID 1596 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
PID 1596 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
PID 1596 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
PID 1596 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
PID 1596 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
PID 1596 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe
PID 1032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 1032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 1032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 1032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 1032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 1032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 1032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2676 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2676 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2676 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2676 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2676 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2676 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2676 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2828 wrote to memory of 2732 N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2828 wrote to memory of 2732 N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2828 wrote to memory of 2732 N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2828 wrote to memory of 2732 N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2828 wrote to memory of 2732 N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2828 wrote to memory of 2732 N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 2828 wrote to memory of 2732 N/A C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe
PID 1060 wrote to memory of 2664 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2664 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2664 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2664 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2664 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2664 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 2664 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1060 wrote to memory of 1564 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe

"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"

C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe

C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}" /IS_temp

C:\Windows\system32\MSIEXEC.EXE

"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\VOCALOID6 Editor.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="VOCALOID6_Editor_6.3.0.exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{4FE1C2E5-333E-4ADF-8ABE-CCC837BE1F7F}"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5CD0C98CE174D700B624813403FCB686 C

C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe

"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /embed"{AC2262B2-A183-4D3A-9348-FBCB66D8277B}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST\""

C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe

C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}" /embed"{AC2262B2-A183-4D3A-9348-FBCB66D8277B}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{79331B91-A65C-46B7-8DD8-31B1437EF319}\1033.MST\"" /eprq /IS_temp

C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe

"C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe" /install /quiet /norestart

C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe

"C:\Windows\Temp\{33646182-D2FF-4993-914F-B24565C41CBE}\.cr\windowsdesktop-runtime-6.0.12-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{0DB97513-E9E4-4FC8-B469-D7D466AADE1D}\windowsdesktop-runtime-6.0.12-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart

C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe

"C:\Windows\Temp\{267ABBE1-5985-44F3-A0AA-65271550DADE}\.be\windowsdesktop-runtime-6.0.12-win-x64.exe" -q -burn.elevated BurnPipe.{9DE61085-9164-4089-ADA7-2BD9032F2970} {AA920AA7-FBA4-451D-B3DF-4184AC7527BC} 2828

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F85600F44627DB0E3133CFBB87880117

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B1DDD5DCBAA4A03803F5D46F46939FA7

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C15E0F71540CFB2458D0C1DE20FC15DC

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1C710EC45715C5285F974A13A7AB81B2

C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" /q /norestart

C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{E1298FEF-8D99-43D9-A115-F8903D724883}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{0BC2449A-5C55-447C-92AF-812B74C5E78C}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /q /norestart

C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{2EC1584A-A2FD-4EDC-8DBA-460F12D306C8}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{BBC55D80-AA8A-4E96-A956-470955167216} {6197D4DD-D3B3-4315-8255-3A5B32E04AA7} 600

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004BC" "00000000000005E0"

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=500 -burn.embedded BurnPipe.{89B46264-6278-429C-8709-987856F05E48} {85D40D3D-EC48-4152-A2E3-EF16B9F4B4D3} 2972

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=500 -burn.embedded BurnPipe.{89B46264-6278-429C-8709-987856F05E48} {85D40D3D-EC48-4152-A2E3-EF16B9F4B4D3} 2972

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{86ED072D-D3A0-4C34-8430-ECB9921F2440} {358C7505-7957-4784-8734-A0F635FFB668} 2628

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:32

Reported

2024-11-09 21:38

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ ISSetupPrerequisistes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VOCALOID6_Editor_6.3.0.exe\"" C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\Q: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\V: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\S: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\X: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\R: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\U: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\G: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\N: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\J: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\P: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\K: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\O: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\T: C:\Windows\system32\MSIEXEC.EXE N/A
File opened (read-only) \??\W: C:\Windows\system32\MSIEXEC.EXE N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\600b0ebf-2ce4-41ac-b89e-5796b2464cc8\600b0ebf-2ce4-41ac-b89e-5796b2464cc8.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\StylePreset\Editor\33f80595-092a-46e0-a34f-4a4f9c3612f7.vsstyle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\84f46d9d-b4ac-4ddd-8f2b-ac8f06201986\84f46d9d-b4ac-4ddd-8f2b-ac8f06201986.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\C11F80B5-C272-4ACC-9FD6-CEED53C0F21F\audio\Count_up_3.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\C49C0809-0412-46A8-9BE9-250098ADC7BE\C49C0809-0412-46A8-9BE9-250098ADC7BE.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\D8160517-D4C6-426A-A22A-5030432A4091\D8160517-D4C6-426A-A22A-5030432A4091.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\E8A69CE8-F9BA-422B-B83B-8F27CCAEC1F3\E8A69CE8-F9BA-422B-B83B-8F27CCAEC1F3.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\FEBF4502-E135-4A7C-8CF3-61B479D53C04\FEBF4502-E135-4A7C-8CF3-61B479D53C04.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\3f2e695a-45ba-4bc4-8945-8e1394cb8d29\3f2e695a-45ba-4bc4-8945-8e1394cb8d29.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\912D56A7-2276-4B63-9610-852FD2C178EB\audio\1_012_count_down_5.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\BECA8862-7EDA-4270-82FC-49E9C7132F65\BECA8862-7EDA-4270-82FC-49E9C7132F65.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\C659ED64-4104-4D8D-8DD6-8A79A230AB6B\C659ED64-4104-4D8D-8DD6-8A79A230AB6B.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\D5E6C364-7A08-405A-BE48-F90DB2C5C0A2\audio\151_LOOK_OUT.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\63D167C3-F0D6-4A39-80C0-175B6360BED0\audio\b_001_yeah-uh-_a.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\be1f52ec-d703-4bf6-a864-925be2e00178\audio\be1f52ec-d703-4bf6-a864-925be2e00178.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\29A7F448-5993-4804-9C37-7D20B5F7CC58\29A7F448-5993-4804-9C37-7D20B5F7CC58.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\ffd28051-0173-49c8-90a5-3286d6a2ff9b\ffd28051-0173-49c8-90a5-3286d6a2ff9b.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\414D6D32-F85D-448E-8BAF-E8876970A937\audio\205_CLAP_CLAP_CLAP.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\538B3AC6-4556-4369-9617-2FE45A4D07EE\audio\b_009_whats_up_a.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\ddb291df-49cc-41a5-a80c-07e2c37078c7\audio\ddb291df-49cc-41a5-a80c-07e2c37078c7.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\edb1fe06-5e90-4920-a3fd-64ce2f889085\audio\edb1fe06-5e90-4920-a3fd-64ce2f889085.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\07d87150-a4c3-45c2-889f-501aef0ecc41\property.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\1689FB34-5DAD-480C-968A-274AE9521108\1689FB34-5DAD-480C-968A-274AE9521108.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\175845a4-33a7-4471-baa8-b3fe71d58dfa\property.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\5370B1C4-E18E-442D-A657-3F84C778CA8D\audio\a_031_what_a.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\74697C19-B5DF-46E7-B014-84C2AF62B8FF\74697C19-B5DF-46E7-B014-84C2AF62B8FF.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\BC8604E3-60CA-41EA-B17A-A82FFE603FF2\audio\129_WORSE.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\c3502770-eda0-4da1-869c-069241509606\c3502770-eda0-4da1-869c-069241509606.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\StylePreset\Editor\6217dd0b-57a0-492a-bacb-8644204b5479.vsstyle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\13333b0f-3f62-4508-9dca-94644f2f71e1\13333b0f-3f62-4508-9dca-94644f2f71e1.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\1B6580D9-8E5A-4A9F-9D39-CD56F3F1527F\1B6580D9-8E5A-4A9F-9D39-CD56F3F1527F.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\395d5c82-a80f-464d-908e-d217b95ecd03\audio\395d5c82-a80f-464d-908e-d217b95ecd03.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\413c550d-7d1a-4659-9dd1-3548ed4d94ac\413c550d-7d1a-4659-9dd1-3548ed4d94ac.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\490B086B-4497-4D5A-83B0-84AE96B96910\490B086B-4497-4D5A-83B0-84AE96B96910.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\ae190ac7-67c0-4d7a-866a-200215babd3f\property.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\b90024eb-5277-4bfb-99fc-bff2296fc489\property.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\f8bf59ac-6d14-4a3f-945b-74538855a6d6\audio\f8bf59ac-6d14-4a3f-945b-74538855a6d6.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\StylePreset\Editor\4d618bf7-a296-4eea-8f89-8d5045a4778e.vsstyle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\0EBF566B-8A42-49B2-AF64-FEDCF06494F3\0EBF566B-8A42-49B2-AF64-FEDCF06494F3.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\1AF7C420-92CF-4F4C-9E7F-722BB9C22E24\audio\VocalEffectKit_12_Ph.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\1f41ae35-b5b7-4dbc-9ab3-64c0fd226b93\property.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\6D607BBA-64F5-4BBF-BEB0-03C040C75FFF\6D607BBA-64F5-4BBF-BEB0-03C040C75FFF.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\94cac05b-7799-48ce-ba9c-495bb3c40f38\94cac05b-7799-48ce-ba9c-495bb3c40f38.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\StylePreset\Editor\b2f5145e-884e-4197-b26d-d7231299d227.vsstyle C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\09393557-f216-4a46-a77d-6781729a48a2\audio\09393557-f216-4a46-a77d-6781729a48a2.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\1e503f20-1956-434e-b00d-961cdd6b1a68\audio\1e503f20-1956-434e-b00d-961cdd6b1a68.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Resource\AttackRelease\Icon\YMH_041.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\59BF9B32-6704-4A37-9792-B6E9446A9D08\59BF9B32-6704-4A37-9792-B6E9446A9D08.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\9299eb11-f60c-4a1f-9a7e-89e8a0f0ab79\audio\9299eb11-f60c-4a1f-9a7e-89e8a0f0ab79.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\E2AC6E61-FC74-450E-BCF3-737AD490BE83\E2AC6E61-FC74-450E-BCF3-737AD490BE83.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\F897D086-73B8-44AF-BAF2-B887269E491A\audio\2_054_Who.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Resource\Voice\BP9GAGA4H6WMXP9D\setup.bmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\006BB12D-24A1-4E59-B8AE-E3F2330CCC68\006BB12D-24A1-4E59-B8AE-E3F2330CCC68.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\18DA24D0-35A7-4291-9CD9-F2AED115968C\audio\a_037_joh_a.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\2DF047FE-DC32-4457-B259-A8D521BA7988\audio\107_AHUG_AHUG_AHUG.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\418AA13A-3D31-4BF8-AED8-96B9A77C242B\418AA13A-3D31-4BF8-AED8-96B9A77C242B.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\4E649CEF-FE76-4E68-86B8-DC568A3F6A30\4E649CEF-FE76-4E68-86B8-DC568A3F6A30.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\8609362d-daf1-42c2-981a-9fc3901ce9c1\audio\8609362d-daf1-42c2-981a-9fc3901ce9c1.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\B66BF901-0572-4AD2-B3AD-A1A31D4EECB8\B66BF901-0572-4AD2-B3AD-A1A31D4EECB8.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\BE27D73E-A0B2-4373-A0B1-EF6B92D39752\audio\2_021_yeaaah.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\ED9B472A-A729-4B0E-BD67-DB892961A338\ED9B472A-A729-4B0E-BD67-DB892961A338.vsclip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\518a4bf0-b5dc-4653-8349-5a2638038632\audio\518a4bf0-b5dc-4653-8349-5a2638038632.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\88D186DD-C05D-4871-B7F8-33AF7148D86D\audio\m2_voice_49.wav C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\VOCALOID6\Media\Editor\C91FF134-5CB7-4199-8041-E6476E4FCB0E\C91FF134-5CB7-4199-8041-E6476E4FCB0E.vsclip C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e58c532.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{77F28B29-873E-4CCF-8D6E-0ABD971EC467} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE4ED.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\_93931A50_8680_48E0_883A_3562CB1329BE C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C73.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c52f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c530.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58c530.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI48E9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\_93931A50_8680_48E0_883A_3562CB1329BE C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI21B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E97.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58c52f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE01A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\1033.MST C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\1033.MST C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr\VOCALOID6.vpr\ShellNew C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController\ = "Yamaha.VOCALOID.VST.VSTPluginController" C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController\CLSID\ = "{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}" C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3333F4827406A2540A767577CF322B53 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3333F4827406A2540A767577CF322B53\92B82F77E378FCC4D8E6A0DB79E14C76 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open\command\ = "\"C:\\Program Files\\VOCALOID6\\Editor\\VOCALOID6.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\ProgID\ = "Yamaha.VOCALOID.VST.VSTPluginController" C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Version = "100859904" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController\CLSID C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\92B82F77E378FCC4D8E6A0DB79E14C76 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\92B82F77E378FCC4D8E6A0DB79E14C76\Editor C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Yamaha.VOCALOID.VST.VSTPluginController C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Transforms = "C:\\Windows\\Installer\\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\\1033.MST" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\ProgID C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\ProductName = "VOCALOID6 Editor" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\ = "Open" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003} C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\ProductIcon = "C:\\Windows\\Installer\\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr\VOCALOID6.vpr C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\InProcServer32\ = "C:\\Program Files\\VOCALOID6\\Editor\\VOCALOID6Plugin.comhost.dll" C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\AuthorizedLUAApp = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\shell\Open\command\command = 470061006f0056004e006000510048006300400041006100480069006500600072006a00450049003e002e00640035004a0026006800530068004a003f006200560077005000430049005000470073006e002000220025003100220000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vpr\ = "VOCALOID6.vpr" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\PackageName = "VOCALOID6 Editor.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VOCALOID6.vpr\DefaultIcon\ = "C:\\Windows\\Installer\\{77F28B29-873E-4CCF-8D6E-0ABD971EC467}\\_93931A50_8680_48E0_883A_3562CB1329BE,0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C63AA6F-CD14-4C55-B8AD-E5C9AA15E003}\ = "CoreCLR COMHost Server" C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\92B82F77E378FCC4D8E6A0DB79E14C76\PackageCode = "C089FDFCAEA1D364B9CDF042A688EC5D" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\MSIEXEC.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A
N/A N/A C:\Windows\system32\MSIEXEC.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe
PID 1676 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe
PID 1676 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe
PID 3124 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 3124 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe C:\Windows\system32\MSIEXEC.EXE
PID 2068 wrote to memory of 4264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2068 wrote to memory of 4264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2068 wrote to memory of 4264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4264 wrote to memory of 1384 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 4264 wrote to memory of 1384 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 4264 wrote to memory of 1384 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe
PID 1384 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe
PID 1384 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe
PID 1384 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe
PID 4268 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
PID 4268 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
PID 4268 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe
PID 224 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe
PID 224 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe
PID 224 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe
PID 3924 wrote to memory of 3684 N/A C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe
PID 3924 wrote to memory of 3684 N/A C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe
PID 3924 wrote to memory of 3684 N/A C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe
PID 4268 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2744 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2068 wrote to memory of 2744 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2068 wrote to memory of 2744 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2068 wrote to memory of 5100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2068 wrote to memory of 5100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2068 wrote to memory of 5100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5100 wrote to memory of 2756 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp
PID 5100 wrote to memory of 2756 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp
PID 5100 wrote to memory of 3696 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp
PID 5100 wrote to memory of 3696 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp
PID 2744 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4792 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4792 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 720 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 720 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4912 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4912 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 3940 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 3940 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4368 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4368 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 2984 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 2984 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 1908 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4532 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 4532 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 952 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 2744 wrote to memory of 952 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe
PID 3124 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe

"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe"

C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe

C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}" /IS_temp

C:\Windows\system32\MSIEXEC.EXE

"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\VOCALOID6 Editor.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="VOCALOID6_Editor_6.3.0.exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 20A4B7D29195959B82E92183A863B446 C

C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe

"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /embed"{990E389C-A68B-416E-991F-4E2E96A10070}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\1033.MST\""

C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe

C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\VOCALOID6_Editor_6.3.0.exe /q"C:\Users\Admin\AppData\Local\Temp\VOCALOID6_Editor_6.3.0.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}" /embed"{990E389C-A68B-416E-991F-4E2E96A10070}" /hide_splash /hide_progress /runprerequisites"Editor" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\1033.MST\"" /eprq /IS_temp

C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" /q /norestart

C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{84537A3F-7280-463C-9633-F03E77B3E005}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}\{B3DA4C36-3522-40F9-A5FC-448C6F9CB6D3}\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576 /q /norestart

C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{8145885A-67C9-41F1-AA92-C459E4DB0472}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{50405421-A765-469A-BC89-B4CB1D051FE4} {EBE789B4-5B75-4E3D-8106-A271E842DCF6} 3924

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{C78220AE-52A6-442B-803F-BFB38CBEDD94}"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 78A043472644D950665F9918619C3D36

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B7B0EB179A8806CCFB04335B935812AE E Global\MSI0000

C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp

C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7D8A5B0-4C37-498B-A6EE-A0838F17BDBD}

C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp

C:\Users\Admin\AppData\Local\Temp\wacE58A.tmp {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B599EA7B-48AA-4282-A674-56EEA46A6460}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8320CA09-BF58-4E11-836E-27A95AE01AD4}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{140BAA28-B27F-4871-8753-6673FB296997}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1699DD88-6BEA-4E4E-9CF8-7CC7602DCB68}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF236989-E706-47C1-803A-971BFBBD697C}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A7738412-2D5C-4136-850A-3F8353113273}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{86FB7D49-FEF4-4544-8A6D-E72319806F3A}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2581955-6E2F-41EF-9919-B8FFF9FB64EC}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3FD6C05E-CE79-402B-8598-E3CFA0446001}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C125D510-2701-4054-8FD8-B9311D293A35}

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_is4FDD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C80667CD-F64E-4B0D-9AEA-43555A5FFCD0}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}"

Network


Files


C:\Program Files\Common Files\VOCALOID6\Resource\Voice\BLGHFDK5P3TN4LBC\setup.bmp

MD5 275a1391944531c65ed1092a31e6d7e4
SHA1 32cb644690b2ad8dec076a3d630e1d50b1ba42c7
SHA256 cd4d159b44b47d3d5d41543d1ff2ace84941cd7c61c8ddfffad2e939dffb5101
SHA512 7c4bc8c85255aff74629937e52349dcefbcb4ab6cbaed9d4270199136038a989eaafe4f18e1c3dd176409ceafa4a553387bb1f6f532364f5b5948d6391f7dee7

C:\Program Files\Common Files\VOCALOID6\Resource\Voice\BLLN57S9CKYTPLCB\setup.bmp

MD5 004701e6ddadbf073080e275187db638
SHA1 b3dc7a665ef868b779359fb17101e448005d2a60
SHA256 480565bb3f64b242e1c7ad4c67e2bb5c099ba92f268ba3708eccb55026ca1a24
SHA512 4bde31a198055466fa1bdf24aa10b3dd2776cee973e3a57ff2545b592f8aa6b13cd0cb76a28761f1d6b4057f8121e9c5d35ffff1ac9d9a5c8931b2080eaedcb5

C:\Program Files\Common Files\VOCALOID6\Resource\Voice\BMLBDERXM4YF2MBE\setup.bmp

MD5 a49a37068286ea3d949a00d8454686a5
SHA1 f912cb2ab0150bc8f0bff9f8c045f6c6d66200be
SHA256 2f14ac01fdf2b234f371e63c1660870ea6f03afe6efbb96b4887951c6745a7b0
SHA512 1d09056f08c9cf3603392171e15fc2f7b0219daf0986a0f7ddac9e15a11440837276c4861e9ab9b01ac472a9b478b94ffe096874c0964e55b320f3431f0ca1a6

C:\Program Files\VOCALOID6\Editor\VOCALOID6Plugin.comhost.dll

MD5 2ee29628c601b21205b628920b881c9b
SHA1 a41de07cb67ce5d90d2e1953acf6ad07bb5ba763
SHA256 975f110fa114108f73d7db2fb6b889387b379a9df226621c4f82429f7a435cdf
SHA512 bfdf0e779fb9c1f8080528631b28b01097d39cda9037f6a15bcc4aea8134f3254f6c63d93243104144b1c999c495ea6e54086808ddd68389daf569dd3e988b06

C:\Program Files\VOCALOID6\Editor\VOCALOID6Plugin.runtimeconfig.json

MD5 5d6ab666fb94e136578929a9e2469705
SHA1 59117c4e2c67fbcad255633f37a720a9ddb68351
SHA256 9e72299350f7636bc7be5437b9ab52c244105a019f1be081562289d98bb83c9a
SHA512 c5da9d0c31ae491ac908e1d69f0afc3496219637e290ffabf568e2505f3211d7c195293e8e27a7396d3f152a71e3b0047b8f8867cd90912c4d9935536577a613

C:\Program Files\VOCALOID6\Editor\VOCALOID6Plugin.deps.json

MD5 8d66629aa455ec0ef90d750dd51f438a
SHA1 36b934a298be4803eee637063b3876551e725339
SHA256 344c4729becdd414b8e446794cae2415451d270ff6de1f645b163c092d108eff
SHA512 daaeb0a09870984f68d7deac6dc7d8b9c604a4a7daf5cb09571457fb62c3dbb95149e47768430a9c279451e04c3e69cc9c4ea6c5cc3f6c4372b6f13296004ed9

C:\Program Files\VOCALOID6\Editor\VOCALOID6Plugin.dll

MD5 b1c20d2f1a70a96946af73495ab70f55
SHA1 0385c8c2fe0c4fc6396b974638e25ebc0332e775
SHA256 9bbf4cde5e61d5a628423c0a3e478d645b4dde687ac56721655ede03ed99da2f
SHA512 49283eb9e7220e09c8fca51879a7da713ab9151d05631cd14295781213e36be43415349c02f0039013eb517188cca768bfc22a5c789896e72bc7bbb244c2b1ad

C:\Config.Msi\e58c531.rbs

MD5 9810d857aae84985aea41a5ab76558f1
SHA1 bc78cad99207a260b2ad08bf7a659371d278cc92
SHA256 a3ad30b695dbe4d46ce37742d654f987612c70340dfbd57115d2844a380ef5a1
SHA512 04e087cf9e4f7dd902e545d8b3d5a9cbd159ee7555c43757e7683a00fc300ddbefb12abd1c1fa43b1747cfee6c58ed605e1d82a905522dc4cefc4873f7915c36

C:\Users\Admin\AppData\Local\Temp\{34B0A9C4-ABFD-4A62-8826-0E43FCFB4067}\IsConfig.ini

MD5 409d16bccfdec3afb8aa4f9ad8f8a191
SHA1 cb5e5c3a91dc0133b5c0ec13fd3ac433fa0fdf1c
SHA256 4167eb7dec8086085b99f10cd9f9479c71c23b09450264bd14fd2c3fd14e98da
SHA512 d99f0642b684ba1b2081cbe6ce3ae58bfd3d92935821a5f534243bbeecd5b8da57d9226db52c3ee0ff8578332a36f95383f8f6e293cffff68c4bb02c989b6857

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\setup.inx

MD5 c43b124fc99e2f8dd1dfc031b880ea03
SHA1 d2eefeff1a824e179f118d45af9d9ad97122eb22
SHA256 0b7a91562eb9b55b5ef0b9e9b21dc9cded1b803260faf9ce7dc843601d69a111
SHA512 79ad66e3245671c460988715d3a56682cc00c08c150a5d607675e1e8cd00a6d14443d586285152011e08d61fbcae716cf4d7414ec15094029ff944264e5bed58

memory/2744-4279-0x0000000010000000-0x0000000010114000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\ISRT.dll

MD5 ac59556efcf722e2c6d494574e90cf1c
SHA1 a1fc28ce3078697b7a48d064bc20b26c8e54c9e6
SHA256 05e4939fabed71a2fd49d183046fb50506b9f585ff19375032a4dfe1cc29a243
SHA512 7b195208780dcbecaf085efc4c5c5ce351e69de448a3c6b4473a7ae70600c9ed59806d3deca787cf75cff6d2277a3b5a4e7f0a170249f2986b6babf1a9076252

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\_isres_0x0409.dll

MD5 503e4b3faf3f7cd6f3401c4c63b3d12a
SHA1 4bb249f9178b0c7c22824822a9c8635b57ae2e2f
SHA256 0296fab05dacd37ec7b5214130063a80efcbe4611e034354f18e44baba91d295
SHA512 e953d4486a28e398178abfdef8544024841bada2969b54c82a05c6e3a2f9e2ffe00c6892d940ae7df8aa3489d556733d8aa6ed779f62bb26eb51096338296f1c

memory/2744-4283-0x0000000003B60000-0x0000000003D27000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{F131C5D9-D2A7-40CC-AF31-D7FDAE438D9D}\{4F1AE5B0-A88B-4B30-8413-E232DE366341}\String1033.txt

MD5 05ab8f657b3ae396bb3902246772863e
SHA1 1a1a9f07d45070901cd3f9d81ef4cc774fb554c3
SHA256 22bbcf26f39361d5d42e1b5da3af565abbcc450d2db3179d94e35f6a31dcc203
SHA512 c27a6632efe56b9f4dcd5b43a3d539361084156f85eb1e90921bcfe0aa1aae46ab2d8df1ab88ceeecd88fbcc9ebd9ea87fb8f16d4be8fdb486e3d315104c9726

C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\0x0411.ini

MD5 b807ce7552e96dc1928775956b9f422c
SHA1 d25122157365130bebae6497617d28cd86e8c638
SHA256 3f0778538202a35483c084fb0b109f693a9853f64d6452daa5c92ac75620aadc
SHA512 bb06ca5784e77ceb15331c5c6a9abad27364b1c5b800f229cd7b6d955fb120cbd7879c299508b606760f714b17a4a50aba333ccf6da7fb9bcd88b50772f64f6d

C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\_ISMSIDEL.INI

MD5 884fc70d400754ba538460c6b211e553
SHA1 ae0db46703dc9645bcdf8d49d5589ce5386c766e
SHA256 9cbf8592961d0fa841551b30485cd9549d8d03aeb648a6ee4f533381947ca344
SHA512 5082acfc398d3d610af40a587e2c1855da146163b7684a9dc0d354a66db899ff5bb5f95263259744aa15d1eaf9c1f3fb1fde7c97a7bc1c13d914660a4c3b9695

C:\Users\Admin\AppData\Local\Temp\{B9565075-55F3-4930-8DB8-2CB2F9A81DE8}\_ISMSIDEL.INI

MD5 fb01245159e726799b389b9e22b35db5
SHA1 032f5c0485f5647e8670e30afa4abff42618a4cc
SHA256 cce0bef91c50e3577e849f2d8aa925294adb6c2627a433f4421a4cf64e5b09b6
SHA512 11fd32ce26e69c657847c007f75f6bd1bd54f3477cd74713ec081f79424d4566f6802bba9f2fc738f914398ccbaefc4ded61810ae95dc71530ef634d721d057e