22169bbfd953cbcb2522a4efd365f51058fc93143f239a74025193d333400ff3

Analysis

max time kernel
102s
max time network
107s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
08/02/2023, 16:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

nextion-setup-v1-65-1.exe
Size

48.1MB
MD5

7d2abf92eaa7b5bb45cd05971c662bd5
SHA1

1641704d60559540cecf3145c45da65c87810d14
SHA256

22169bbfd953cbcb2522a4efd365f51058fc93143f239a74025193d333400ff3
SHA512

7248d9c6aba7dba03f2f9e2200755ab1d5983bef2f91b7e1a48ca393071911066fd683407db7d5ab0396eef176e79c3d1074da9439a5a1e212b4c5bed25677d4
SSDEEP

1572864:+Hrhoua9l6BIZMhpzCig2lpgGalz98Z3J200LFi:+HrmSMENBrFqeZbuY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	Nextion Editor.exe

Loads dropped DLL 14 IoCs

pid	Process
3552	MsiExec.exe
3552	MsiExec.exe
3552	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
4572	MsiExec.exe
3552	MsiExec.exe
3552	MsiExec.exe
2200	Nextion Editor.exe
2200	Nextion Editor.exe
2200	Nextion Editor.exe
2200	Nextion Editor.exe
2200	Nextion Editor.exe
2200	Nextion Editor.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Nextion Editor.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Nextion Editor.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Nextion Editor.exe
File opened (read-only)	\??\X:	Nextion Editor.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	Nextion Editor.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	Nextion Editor.exe
File opened (read-only)	\??\S:	Nextion Editor.exe
File opened (read-only)	\??\Y:	Nextion Editor.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	Nextion Editor.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	Nextion Editor.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	Nextion Editor.exe
File opened (read-only)	\??\B:	Nextion Editor.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	Nextion Editor.exe
File opened (read-only)	\??\P:	Nextion Editor.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	Nextion Editor.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	Nextion Editor.exe
File opened (read-only)	\??\L:	Nextion Editor.exe
File opened (read-only)	\??\N:	Nextion Editor.exe
File opened (read-only)	\??\R:	Nextion Editor.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	Nextion Editor.exe
File opened (read-only)	\??\W:	Nextion Editor.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	Nextion Editor.exe
File opened (read-only)	\??\U:	Nextion Editor.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	Nextion Editor.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nextion Editor\en1_com.bin	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480320\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480800\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\PictureBox.exe	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\h0-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\400240\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\layout_defaut.ini	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\input.bin	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\asp1.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\800480\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\240320\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\en1_va.bin	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\800480\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\320240\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\240400\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\1024600\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\240320\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\6001024\2.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\VideoBox\ffmpegmaker.exe	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\asp100.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\en0_va.bin	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\1024600\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\400240\2.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480320\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\cd100.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\h0-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\400240\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\cd0.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\1024600\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\272480\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\320480\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480272\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480800\2.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\6001024\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\3.cc	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\320480\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480800\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\6001024\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480320\2.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\ResView.exe	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\other1.sa	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\272480\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\320240\2.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\GmovMaker.exe	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\image\ui\file.png	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\h1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\h1-100.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\syscom.bin	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\cd1.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\240320\2.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\400240\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\model0.sa	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\Nextion Editor.exe	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\240400\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\320240\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\2.cc	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\h1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\272480\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\6001024\4.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\320480\3.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\240400\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\240400\2.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480272\1.page	msiexec.exe
File created	C:\Program Files (x86)\Nextion Editor\keyboarden\480272\2.page	msiexec.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e574cc8.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{34B1306F-7067-4781-901B-AF674AC33A57}	msiexec.exe
File created	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\ext.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\ext_2.exe	msiexec.exe
File created	C:\Windows\Installer\e574cca.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI57D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\ext.exe	msiexec.exe
File created	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\iteadico.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\ext_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\ext_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\iteadico.exe	msiexec.exe
File created	C:\Windows\assembly\Desktop.ini	Nextion Editor.exe
File opened for modification	C:\Windows\Installer\e574cc8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5574.tmp	msiexec.exe
File created	C:\Windows\Installer\{34B1306F-7067-4781-901B-AF674AC33A57}\ext_2.exe	msiexec.exe
File opened for modification	C:\Windows\assembly	Nextion Editor.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Nextion Editor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gmov	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gmov\ = "ITEAD.Nextion Editor_1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.video\ITEAD.Nextion Editor_1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xi	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Nextion Editor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Nextion Editor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Nextion Editor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_1\shell\open\command\command = 5800680051007800340074005e004e007d003d0040003f00550043004900730038002400260044003e00530049007100640032005900480067005f00390041004e003000660053003800280055006b0070002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_2\shell\open\ = "&Open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F6031B437607187409B1FA76A43CA375\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Nextion Editor.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Nextion Editor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor\shell\open\command\command = 5800680051007800340074005e004e007d003d0040003f00550043004900730038002400260044003e0043002e007900560063005800390079004b003d005b007b0034003f0036002c0058003800460063002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_2\shell\open\command\ = "\"C:\\Program Files (x86)\\Nextion Editor\\ResView.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\PackageCode = "11A2DB0FFE39C1B47AEC3F41EB5A7CB1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	Nextion Editor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\ProductIcon = "C:\\Windows\\Installer\\{34B1306F-7067-4781-901B-AF674AC33A57}\\iteadico.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DDB50B68C4D53554FAD66B44DBE71AC1\F6031B437607187409B1FA76A43CA375	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Nextion Editor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Nextion Editor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor\shell\open\command\ = "\"C:\\Program Files (x86)\\Nextion Editor\\Nextion Editor.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HMI\ITEAD.Nextion Editor	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gmov\ITEAD.Nextion Editor_1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.video\ = "ITEAD.Nextion Editor_1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_2\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_2\shell\ = "open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor\DefaultIcon\ = "C:\\Windows\\Installer\\{34B1306F-7067-4781-901B-AF674AC33A57}\\ext.exe,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Nextion Editor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Nextion Editor.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Nextion Editor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor\shell\ = "open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_1\shell\ = "open"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.video\ITEAD.Nextion Editor_1\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Nextion Editor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Nextion Editor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Nextion Editor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_1\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Nextion Editor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.video	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Nextion Editor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_1\DefaultIcon\ = "C:\\Windows\\Installer\\{34B1306F-7067-4781-901B-AF674AC33A57}\\ext_1.exe,0"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Nextion Editor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Nextion Editor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ITEAD.Nextion Editor_1\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xi\ITEAD.Nextion Editor_2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\Version = "50397239"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F6031B437607187409B1FA76A43CA375\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Nextion Editor.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Nextion Editor.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	msiexec.exe
3008	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3612	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3612	msiexec.exe
Token: SeSecurityPrivilege	3008	msiexec.exe
Token: SeCreateTokenPrivilege	3612	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3612	msiexec.exe
Token: SeLockMemoryPrivilege	3612	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3612	msiexec.exe
Token: SeMachineAccountPrivilege	3612	msiexec.exe
Token: SeTcbPrivilege	3612	msiexec.exe
Token: SeSecurityPrivilege	3612	msiexec.exe
Token: SeTakeOwnershipPrivilege	3612	msiexec.exe
Token: SeLoadDriverPrivilege	3612	msiexec.exe
Token: SeSystemProfilePrivilege	3612	msiexec.exe
Token: SeSystemtimePrivilege	3612	msiexec.exe
Token: SeProfSingleProcessPrivilege	3612	msiexec.exe
Token: SeIncBasePriorityPrivilege	3612	msiexec.exe
Token: SeCreatePagefilePrivilege	3612	msiexec.exe
Token: SeCreatePermanentPrivilege	3612	msiexec.exe
Token: SeBackupPrivilege	3612	msiexec.exe
Token: SeRestorePrivilege	3612	msiexec.exe
Token: SeShutdownPrivilege	3612	msiexec.exe
Token: SeDebugPrivilege	3612	msiexec.exe
Token: SeAuditPrivilege	3612	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3612	msiexec.exe
Token: SeChangeNotifyPrivilege	3612	msiexec.exe
Token: SeRemoteShutdownPrivilege	3612	msiexec.exe
Token: SeUndockPrivilege	3612	msiexec.exe
Token: SeSyncAgentPrivilege	3612	msiexec.exe
Token: SeEnableDelegationPrivilege	3612	msiexec.exe
Token: SeManageVolumePrivilege	3612	msiexec.exe
Token: SeImpersonatePrivilege	3612	msiexec.exe
Token: SeCreateGlobalPrivilege	3612	msiexec.exe
Token: SeCreateTokenPrivilege	3612	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3612	msiexec.exe
Token: SeLockMemoryPrivilege	3612	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3612	msiexec.exe
Token: SeMachineAccountPrivilege	3612	msiexec.exe
Token: SeTcbPrivilege	3612	msiexec.exe
Token: SeSecurityPrivilege	3612	msiexec.exe
Token: SeTakeOwnershipPrivilege	3612	msiexec.exe
Token: SeLoadDriverPrivilege	3612	msiexec.exe
Token: SeSystemProfilePrivilege	3612	msiexec.exe
Token: SeSystemtimePrivilege	3612	msiexec.exe
Token: SeProfSingleProcessPrivilege	3612	msiexec.exe
Token: SeIncBasePriorityPrivilege	3612	msiexec.exe
Token: SeCreatePagefilePrivilege	3612	msiexec.exe
Token: SeCreatePermanentPrivilege	3612	msiexec.exe
Token: SeBackupPrivilege	3612	msiexec.exe
Token: SeRestorePrivilege	3612	msiexec.exe
Token: SeShutdownPrivilege	3612	msiexec.exe
Token: SeDebugPrivilege	3612	msiexec.exe
Token: SeAuditPrivilege	3612	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3612	msiexec.exe
Token: SeChangeNotifyPrivilege	3612	msiexec.exe
Token: SeRemoteShutdownPrivilege	3612	msiexec.exe
Token: SeUndockPrivilege	3612	msiexec.exe
Token: SeSyncAgentPrivilege	3612	msiexec.exe
Token: SeEnableDelegationPrivilege	3612	msiexec.exe
Token: SeManageVolumePrivilege	3612	msiexec.exe
Token: SeImpersonatePrivilege	3612	msiexec.exe
Token: SeCreateGlobalPrivilege	3612	msiexec.exe
Token: SeCreateTokenPrivilege	3612	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3612	msiexec.exe
Token: SeLockMemoryPrivilege	3612	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1784	nextion-setup-v1-65-1.exe
3612	msiexec.exe
3612	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2200	Nextion Editor.exe
2200	Nextion Editor.exe
2200	Nextion Editor.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 3612	1784	nextion-setup-v1-65-1.exe	66
PID 1784 wrote to memory of 3612	1784	nextion-setup-v1-65-1.exe	66
PID 3008 wrote to memory of 3552	3008	msiexec.exe	69
PID 3008 wrote to memory of 3552	3008	msiexec.exe	69
PID 3008 wrote to memory of 3552	3008	msiexec.exe	69
PID 3008 wrote to memory of 4608	3008	msiexec.exe	73
PID 3008 wrote to memory of 4608	3008	msiexec.exe	73
PID 3008 wrote to memory of 4572	3008	msiexec.exe	75
PID 3008 wrote to memory of 4572	3008	msiexec.exe	75
PID 3008 wrote to memory of 4572	3008	msiexec.exe	75
PID 3552 wrote to memory of 2200	3552	MsiExec.exe	77
PID 3552 wrote to memory of 2200	3552	MsiExec.exe	77
PID 3552 wrote to memory of 2200	3552	MsiExec.exe	77

C:\Users\Admin\AppData\Local\Temp\nextion-setup-v1-65-1.exe
"C:\Users\Admin\AppData\Local\Temp\nextion-setup-v1-65-1.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\ITEAD\Nextion Editor 3.1.55\install\nextion-setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\nextion-setup-v1-65-1.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F7AEAF62F99FC582B20B6CFDE915727B C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Program Files (x86)\Nextion Editor\Nextion Editor.exe
    "C:\Program Files (x86)\Nextion Editor\Nextion Editor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2200
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4608
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CB40055BB088D5C63596BB0E28A2066C
  2⤵
  - Loads dropped DLL
  PID:4572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nextion Editor\ACTR.dll

Filesize
9.4MB

MD5
a7a87b9e37761867d23efe6afdd6f135

SHA1
7b5e66f49e917786642eff319e976ee807346277

SHA256
50370bdd15bbab77d46a7017e08eff0250f4190c5801cbeec8a685bc28046a7c

SHA512
a93f0b7cd04d138cb52d1ffcca00e3572196a6c788f748920bb3c206cdb94fe520b14d3dd9db05310bf1188bde58ab97801575318f2ed48c10443da9644413aa

Download Submit
C:\Program Files (x86)\Nextion Editor\Nextion Editor.exe

Filesize
281KB

MD5
ec439528223c6ef096ce0650649b0b8d

SHA1
a945bce4abdfc581eb3e4e0ddfddec13e21e551d

SHA256
a2e3df15ba16085b978a0d00c8414c469dee396eaa080703aed2d56704c65112

SHA512
acfbf3a63d57b930dcb6f6d135fb58ced6c1e75e2553ec8cb17ec9c10b066d7cbc29708a5e7842f3537372e0b30195158c74f963a1f3fdfc0a4418dee699f661

Download Submit
C:\Program Files (x86)\Nextion Editor\Nextion Editor.exe

Filesize
281KB

MD5
ec439528223c6ef096ce0650649b0b8d

SHA1
a945bce4abdfc581eb3e4e0ddfddec13e21e551d

SHA256
a2e3df15ba16085b978a0d00c8414c469dee396eaa080703aed2d56704c65112

SHA512
acfbf3a63d57b930dcb6f6d135fb58ced6c1e75e2553ec8cb17ec9c10b066d7cbc29708a5e7842f3537372e0b30195158c74f963a1f3fdfc0a4418dee699f661

Download Submit
C:\Program Files (x86)\Nextion Editor\layout_defaut.ini

Filesize
3KB

MD5
a6b940b1b421cd65b89240c50db31d0f

SHA1
a95e3b971dc8e2b06f9c75ded0bca2cea9456925

SHA256
e547e9b7ab7caf9dad0330331fb1ea211ce8fa57d86d85db14de46cb8c5b68f8

SHA512
b8269338d1286fb248b005bdf50e1054ffcc0dcceb79a5ae470a0f93f8946fc83a8eaeb3a36d573f6043ae48dead72dbfd17c303660e850e0ba7cd0e7902fd40

Download Submit
C:\Program Files (x86)\Nextion Editor\model1.sa

Filesize
3KB

MD5
53dae0ef1d3ea2f70a669c9d89f1a05c

SHA1
b1444718aee768d68bd351959386e065af42f4d8

SHA256
786c3540668aee61ac79a0b802441d3863341d5f8f22f2403c589dd880271bd6

SHA512
4f209cff1d76bda1b013116a883bfaf20451defe40a759edfb3ec8c936fa8ceff11a4eb1c79ed3a40a849a1b979226cf50381bc1ba6999680c17316eabd06358

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6B40.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6BCE.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAA8D.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB0B8.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB2BD.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Roaming\ITEAD\Nextion Editor 3.1.55\install\disk1.cab

Filesize
47.1MB

MD5
da8aea8835d68eb7f1239dcb58168446

SHA1
842d6d7b265f18807d23e52e8221c7a06c9ff03b

SHA256
9270624c346cfb3286f7dd74cb4b10d25556dcfe82662f3aaabac6b5ea61dabf

SHA512
852c753a10ec383cd22af987c894a746465ad421d13b04c3f16ea93ee7e2b1aec22417492707d300502cc6f1a057b162c03afd1088786510d9a0c046c8c41c02

Download Submit
C:\Users\Admin\AppData\Roaming\ITEAD\Nextion Editor 3.1.55\install\nextion-setup.msi

Filesize
632KB

MD5
f5e51d3235a983615213ce9afb39c198

SHA1
a2df173bd49ce2a35df39d8a3aa8bc513570fb57

SHA256
023726863c5d58b43f6e35740c9085d6c5dbf343058b4acb1061883ae5e8f133

SHA512
f386a7fe47602421626ceb4d411768d736562b3a766d757949dc8faca47120ab55f71f12a364c6fe8b161b780686fea8ad4746fed060814b46031628c393c38a

Download Submit
C:\Windows\Installer\MSI4D55.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Windows\Installer\MSI55E2.tmp

Filesize
287KB

MD5
30ee500e69f06a463f668522fc789945

SHA1
c67a201b59ca2388e8ef060de287a678f1fae705

SHA256
849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

SHA512
87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

Download Submit
C:\Windows\Installer\MSI57D8.tmp

Filesize
287KB

MD5
30ee500e69f06a463f668522fc789945

SHA1
c67a201b59ca2388e8ef060de287a678f1fae705

SHA256
849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

SHA512
87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
7d0c38f3aa92c7a51d9758397cb0b2a8

SHA1
1dee35d578462aebde3061773f216dc00e2a578d

SHA256
69c86f87700f8785033a84f7da1c0af33390906dfddedfefbea1d04b99e241c8

SHA512
630f5acff81c03c236ca04b3d226014c11e281753fdbbcc16a1c88d66f861a3f3ea46fd21e2bffef498e1c19923b34e47dca89cfc044bc9ed5e085a2f1c53dbc

Download Submit
\??\Volume{b79df8d1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{06330eb7-87bf-4aba-878b-18e5835aa930}_OnDiskSnapshotProp

Filesize
5KB

MD5
2481697be729a0ff69ac2f802667a9e6

SHA1
f5a6368e90454dcda0564a5b0ed239d6042cf5cd

SHA256
da7a9f7caea0867aa6e4c7c1ead1eaffce559a840ee2542fde38c95bf103c9bf

SHA512
4546e6a06fdcf6f2e5a58ccf96c5522cc60fdc665dc04ca6ad5bd53113365950f4c4c13d179a219e8af58eb6f773c5b222a74dac054845766e955fd09105c368

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6B40.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6BCE.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Users\Admin\AppData\Local\Temp\MSIAA8D.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB0B8.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB2BD.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Users\Admin\AppData\Roaming\Nextion Editor\AppDllPass.bin

Filesize
10KB

MD5
fa023dbcf21b5cedb7db1778572458cf

SHA1
9f4409569d6d4745c191de40ec4fbf8b2d678268

SHA256
76a5c471a3e09956a88fbb18b56836b29dc15d4a683892a32b02b1887f00a15c

SHA512
ccb424d450b515759f9f58a64960591c9f4e180ad85f657fb628e03bb623f1488c91c0b7ccf53cf2b4b549f35d7c611143a80f54f564c25e329f6f7f29436b66

Download Submit
\Users\Admin\AppData\Roaming\Nextion Editor\ApplicationRUN.s0

Filesize
103KB

MD5
49fbd9927dc00c29ed521904d0ab3b51

SHA1
1bbcb77770093d9d5c35fbb9fc3800e5a519d405

SHA256
5794a831e35a6414eee62da597bdcf8544babc3f02b030cf1d897873499c7ad3

SHA512
56be51e72de3e4ea44f2f7c9eeb2559891b47844ef9d96f57e217c8c01faa434417047ae6496d09600b7cdefda42a4ef6b457161afc5d7e5706001f66594f823

Download Submit
\Users\Admin\AppData\Roaming\Nextion Editor\ApplicationRUN.s0

Filesize
103KB

MD5
49fbd9927dc00c29ed521904d0ab3b51

SHA1
1bbcb77770093d9d5c35fbb9fc3800e5a519d405

SHA256
5794a831e35a6414eee62da597bdcf8544babc3f02b030cf1d897873499c7ad3

SHA512
56be51e72de3e4ea44f2f7c9eeb2559891b47844ef9d96f57e217c8c01faa434417047ae6496d09600b7cdefda42a4ef6b457161afc5d7e5706001f66594f823

Download Submit
\Users\Admin\AppData\Roaming\Nextion Editor\ApplicationRUN.s0

Filesize
103KB

MD5
49fbd9927dc00c29ed521904d0ab3b51

SHA1
1bbcb77770093d9d5c35fbb9fc3800e5a519d405

SHA256
5794a831e35a6414eee62da597bdcf8544babc3f02b030cf1d897873499c7ad3

SHA512
56be51e72de3e4ea44f2f7c9eeb2559891b47844ef9d96f57e217c8c01faa434417047ae6496d09600b7cdefda42a4ef6b457161afc5d7e5706001f66594f823

Download Submit
\Users\Admin\AppData\Roaming\Nextion Editor\ApplicationRUN.s0

Filesize
103KB

MD5
49fbd9927dc00c29ed521904d0ab3b51

SHA1
1bbcb77770093d9d5c35fbb9fc3800e5a519d405

SHA256
5794a831e35a6414eee62da597bdcf8544babc3f02b030cf1d897873499c7ad3

SHA512
56be51e72de3e4ea44f2f7c9eeb2559891b47844ef9d96f57e217c8c01faa434417047ae6496d09600b7cdefda42a4ef6b457161afc5d7e5706001f66594f823

Download Submit
\Users\Admin\AppData\Roaming\Nextion Editor\work\a-202328165618627\achmi.bin

Filesize
118KB

MD5
bbd4664a6a3d369e3ebfb28ec3477131

SHA1
59f36efaedd7f7c0c07d4ca68a91a8a1bd3c171e

SHA256
d1deae37a92234cebc3e8e259370397bf7ce7c7242b3148f56bc555726da8134

SHA512
8ccdab4c847d6865fb207500e84775ab12cfbf2e3623e0094e4ff751c6d3baa9272ba89a0062abbf0b1d56a62374ef254ac698a4e2885e090b412fb670df7206

Download Submit
\Windows\Installer\MSI4D55.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Windows\Installer\MSI55E2.tmp

Filesize
287KB

MD5
30ee500e69f06a463f668522fc789945

SHA1
c67a201b59ca2388e8ef060de287a678f1fae705

SHA256
849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

SHA512
87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

Download Submit
\Windows\Installer\MSI57D8.tmp

Filesize
287KB

MD5
30ee500e69f06a463f668522fc789945

SHA1
c67a201b59ca2388e8ef060de287a678f1fae705

SHA256
849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

SHA512
87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

Download Submit
memory/1784-146-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-150-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-153-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-154-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-155-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-156-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-158-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-157-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-159-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-160-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-161-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-162-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-163-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-164-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-168-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-166-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-167-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-165-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-170-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-169-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-171-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-121-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-148-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-122-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-123-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-124-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-125-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-126-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-127-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-128-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-129-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-130-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-131-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-132-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-133-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-134-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-151-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-152-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-149-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-147-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-120-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-145-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-135-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-136-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-144-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-143-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-142-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-141-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-140-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-139-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-138-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1784-137-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/2200-381-0x0000000073330000-0x00000000738E0000-memory.dmp

Filesize
5.7MB

Download
memory/2200-542-0x00000000032AA000-0x00000000032AF000-memory.dmp

Filesize
20KB

Download
memory/2200-541-0x0000000073330000-0x00000000738E0000-memory.dmp

Filesize
5.7MB

Download
memory/2200-471-0x00000000032AA000-0x00000000032AF000-memory.dmp

Filesize
20KB

Download
memory/2200-469-0x0000000073330000-0x00000000738E0000-memory.dmp

Filesize
5.7MB

Download
memory/2200-437-0x00000000032AA000-0x00000000032AF000-memory.dmp

Filesize
20KB

Download
memory/3552-191-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-181-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-190-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-192-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-189-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-185-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-180-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-188-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-182-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-187-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-184-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3552-179-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download