8d6b2a634a81e4c09d0c623a24c4937d6032ed9da638c9015b7aab23fa255988

Analysis

max time kernel
101s
max time network
76s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Size

14.0MB
MD5

27f56fe9c8bb63aadfa43ce4e34eec40
SHA1

5d271dc411d8470cb2b6e3000eab86d529434d41
SHA256

31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc
SHA512

d96daa8f91bbb2c1fe2ac45ffb7e3ec8c77c0925f4904097dc919c585509d971f52c71a10e584881962ecfa25ae4ce10c2be999f1d65cf831558872dfb39c656
SSDEEP

196608:t9iQpZfwAwdwpTyXvXPbHoPh2KNrM6ZkjmpxqZBrSnM77M:b+wOv/zoPh2KfmkwUMfM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1836	vcredist_x86.exe
1884	VCREDI~3.EXE

Loads dropped DLL 30 IoCs

pid	Process
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
1836	vcredist_x86.exe
1836	vcredist_x86.exe
1836	vcredist_x86.exe
900	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	VCREDI~3.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\OpenSource License.txt	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatform.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPLauncherPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPlatformPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\default.xtheme	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XBasicLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XClassLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XHttpLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPLauncherPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\OpenSource License.txt	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XBasicLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPEngineUninstaller.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformAX92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformAX92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\default.xtheme	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XMemPoolLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPlatformPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPEngineUninstaller.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XClassLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XHttpLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XMemPoolLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatform.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe

Drops file in Windows directory 46 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f778c3c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI96C5.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145147743.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145147743.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80CHS.dll	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80ESP.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145209022.0\8.0.50727.4053.cat	msiexec.exe
File created	C:\Windows\Installer\f778c3e.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20231031145207789.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145147743.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145208913.0\8.0.50727.4053.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145208788.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723.manifest	msiexec.exe
File created	C:\Windows\Installer\f778c39.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145208788.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20231031145209022.0	msiexec.exe
File opened for modification	C:\Windows\VCREDI~3.EXE	vcredist_x86.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80FRA.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E74.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145147743.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145209022.0\8.0.50727.4053.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20231031145147743.0	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145147743.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80JPN.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145208975.0\8.0.50727.4053.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20231031145208788.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20231031145208975.0	msiexec.exe
File opened for modification	C:\Windows\Installer\f778c3c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f778c39.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145147743.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145208788.0\vcomp.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20231031145208913.0	msiexec.exe
File created	C:\Windows\TMP4351$.TMP	vcredist_x86.exe
File created	C:\Windows\VCREDI~3.EXE	vcredist_x86.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145208913.0\8.0.50727.4053.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145208975.0\8.0.50727.4053.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20231031145207789.0\mfc80DEU.dll	msiexec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\TypeLib	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\3e43b73803c7c394f8a6b2f0402e19c2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\XPlatformAX92.DLL\AppID = "{A733AAE8-110A-4D4E-BC83-9328FEC01C1B}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\Version = "134276921"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92.1\ = "XPlatformAXCtrl92 Class"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\ProgID\ = "XPlatformAX.XPlatformAXCtrl92.1"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.4053",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f004f007700390052005a004800670055003f005d004a004b0073002700780077005a0043003200560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\ = "XPlatformAXCtrl92 Class"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\MiscStatus\1\ = "131473"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\TypeLib\ = "{4CBCE6F5-1E75-4813-897A-432959766B20}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\TypeLib\ = "{4CBCE6F5-1E75-4813-897A-432959766B20}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\Control	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\0	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3e43b73803c7c394f8a6b2f0402e19c2\VC_Redist	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\InprocServer32\ThreadingModel = "Both"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\TypeLib\ = "{4CBCE6F5-1E75-4813-897A-432959766B20}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\CurVer	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\VersionIndependentProgID\ = "XPlatformAX.XPlatformAXCtrl92"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\MiscStatus\ = "0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\Version\ = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\TypeLib\Version = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\ProgID	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\HELPDIR\	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ = "IXPlatformAXCtrl92"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.4053",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f004f007700390052005a004800670055003f005d004a004b0073002700780077005a0043003200560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.4053",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f004f007700390052005a004800670055003f005d004a004b0073002700780077005a0043003200560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92.1	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}\TypeLib\Version = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\HELPDIR	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\CLSID\ = "{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\0\win32\ = "C:\\Program Files (x86)\\TOBESOFT\\XPLATFORM\\9.2\\XPlatformAX92.dll"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.4053",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 3f004f007700390052005a004800670055003f005d004a004b0073002700780077005a0043003200560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3e43b73803c7c394f8a6b2f0402e19c2\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\CurVer\ = "XPlatformAX.XPlatformAXCtrl92.1"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
772	msiexec.exe
772	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeCreateTokenPrivilege	1220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1220	msiexec.exe
Token: SeLockMemoryPrivilege	1220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1220	msiexec.exe
Token: SeMachineAccountPrivilege	1220	msiexec.exe
Token: SeTcbPrivilege	1220	msiexec.exe
Token: SeSecurityPrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeLoadDriverPrivilege	1220	msiexec.exe
Token: SeSystemProfilePrivilege	1220	msiexec.exe
Token: SeSystemtimePrivilege	1220	msiexec.exe
Token: SeProfSingleProcessPrivilege	1220	msiexec.exe
Token: SeIncBasePriorityPrivilege	1220	msiexec.exe
Token: SeCreatePagefilePrivilege	1220	msiexec.exe
Token: SeCreatePermanentPrivilege	1220	msiexec.exe
Token: SeBackupPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeShutdownPrivilege	1220	msiexec.exe
Token: SeDebugPrivilege	1220	msiexec.exe
Token: SeAuditPrivilege	1220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1220	msiexec.exe
Token: SeChangeNotifyPrivilege	1220	msiexec.exe
Token: SeRemoteShutdownPrivilege	1220	msiexec.exe
Token: SeUndockPrivilege	1220	msiexec.exe
Token: SeSyncAgentPrivilege	1220	msiexec.exe
Token: SeEnableDelegationPrivilege	1220	msiexec.exe
Token: SeManageVolumePrivilege	1220	msiexec.exe
Token: SeImpersonatePrivilege	1220	msiexec.exe
Token: SeCreateGlobalPrivilege	1220	msiexec.exe
Token: SeBackupPrivilege	800	vssvc.exe
Token: SeRestorePrivilege	800	vssvc.exe
Token: SeAuditPrivilege	800	vssvc.exe
Token: SeBackupPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeRestorePrivilege	2528	DrvInst.exe
Token: SeRestorePrivilege	2528	DrvInst.exe
Token: SeRestorePrivilege	2528	DrvInst.exe
Token: SeRestorePrivilege	2528	DrvInst.exe
Token: SeRestorePrivilege	2528	DrvInst.exe
Token: SeRestorePrivilege	2528	DrvInst.exe
Token: SeRestorePrivilege	2528	DrvInst.exe
Token: SeLoadDriverPrivilege	2528	DrvInst.exe
Token: SeLoadDriverPrivilege	2528	DrvInst.exe
Token: SeLoadDriverPrivilege	2528	DrvInst.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	msiexec.exe
1220	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1836	2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2168 wrote to memory of 1836	2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2168 wrote to memory of 1836	2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2168 wrote to memory of 1836	2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2168 wrote to memory of 1836	2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2168 wrote to memory of 1836	2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2168 wrote to memory of 1836	2168	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 1836 wrote to memory of 1884	1836	vcredist_x86.exe	29
PID 1836 wrote to memory of 1884	1836	vcredist_x86.exe	29
PID 1836 wrote to memory of 1884	1836	vcredist_x86.exe	29
PID 1836 wrote to memory of 1884	1836	vcredist_x86.exe	29
PID 1836 wrote to memory of 1884	1836	vcredist_x86.exe	29
PID 1836 wrote to memory of 1884	1836	vcredist_x86.exe	29
PID 1836 wrote to memory of 1884	1836	vcredist_x86.exe	29
PID 1884 wrote to memory of 1220	1884	VCREDI~3.EXE	30
PID 1884 wrote to memory of 1220	1884	VCREDI~3.EXE	30
PID 1884 wrote to memory of 1220	1884	VCREDI~3.EXE	30
PID 1884 wrote to memory of 1220	1884	VCREDI~3.EXE	30
PID 1884 wrote to memory of 1220	1884	VCREDI~3.EXE	30
PID 1884 wrote to memory of 1220	1884	VCREDI~3.EXE	30
PID 1884 wrote to memory of 1220	1884	VCREDI~3.EXE	30
PID 772 wrote to memory of 900	772	msiexec.exe	37
PID 772 wrote to memory of 900	772	msiexec.exe	37
PID 772 wrote to memory of 900	772	msiexec.exe	37
PID 772 wrote to memory of 900	772	msiexec.exe	37
PID 772 wrote to memory of 900	772	msiexec.exe	37
PID 772 wrote to memory of 900	772	msiexec.exe	37
PID 772 wrote to memory of 900	772	msiexec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
"C:\Users\Admin\AppData\Local\Temp\31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe
  "C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe" /Q /T:C:\Windows
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\VCREDI~3.EXE
    C:\Windows\VCREDI~3.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /i vcredist.msi
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86D03254DED724D07400CEA71576BB0E
  2⤵
  - Loads dropped DLL
  PID:900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "000000000000059C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\OpenSource License.txt

Filesize
16KB

MD5
1887d7610a7a2395eff113688fa2e177

SHA1
b71019dae177f9a032641917f9fa2782ae115696

SHA256
dee85807bfe229ac3ad8c27ddbd2ccb4e4c300ae32d683a3d13d121f88704285

SHA512
22cbc7b0ba6c3a26b6456ed8f69fe99fad4c35f91a912865c63d2695312fd301ab6531ab63a09e05f8ecfd6cbe65cf0e8d0f83107b63213ad08d20dfcf8b037a

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPLauncherPlugin92.dll

Filesize
640KB

MD5
5b59a97ff3b9f4b5ec5071fa0a6e945b

SHA1
635d7998c89fe18527c44bdcb32a053b1f289852

SHA256
2ed749aa19cc19d75081e672f51c3a088c6c4a4b5257c0d974ac8acf93bce075

SHA512
5bd4dbc10cf083021432b56aa4dc32a2b0b1b13737a97122d90705f319b41ad588f6c8fa57f33cd3b7efab5401a40a35d675183f24e682bb18cc34fa0a412936

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08e54a83c10679ab653303a037bc170e

SHA1
b929be5bf2d6b917ca9304a127470c8a4f31d039

SHA256
a9cb97c38884022a3845ce12237853e4291185932316b4b3ac3730f0c1a362ec

SHA512
97536b045ecc9664d35a22043c31b428f128914f1b2444455bbb0e1aaf6a75d9d6b946b4d450ff022a7faaf8ab692efab7edcf040885513bb0c80734310ff880

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8C96.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
247KB

MD5
d5dd8a90812067e0ccb23a7299f82562

SHA1
5787391891cef8295666bce637d10e992d021d81

SHA256
71a4560b0eb5e45c385ce3aef154d97fa944b762f9aff3b3b9364d42bd1d5afd

SHA512
d38d3bcb8a640538a3a1b4052727d8d291d8d17218ba1abcaab1dca615bd83d3317a4bed89e495fadfbe6d20791562e5a8032284ae1cfeadc0020337ea0fe673

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
2.6MB

MD5
f194e681c552647c95441877b5552415

SHA1
285c6b1dbbc2d1525c9b1c276a4901b98d49b202

SHA256
6d4f42d5856384c2566ed79bdc587993208013640b035b04540de9f05ee597d6

SHA512
8ed21ce7829a1cb6c2dd4eff2e3701171aeba5b7e4337eaf0ddff86ea3fda812198a2e3fb4f1873b129944bdc8ddb09ebbd78e5c2b9811900cb853ef2afdab8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
2.2MB

MD5
e47d66dfbba10f9cf53d6014cad73b5b

SHA1
239706d9a0f555f970fa3c1c7f489d6294b78e99

SHA256
4d85686951bde29577d410fdf7f4ab0f50432ecd2d745c1eb185625394aaff9c

SHA512
4f24484612e8e6691005eea7965cc466c5d1ef6202933f310346b8acf23704bab42cc629106f05f99f59784f9213c5f98d6dd7c9ed5c8c1cc29f8c455781c59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
480KB

MD5
0a3a2af0187e10f6d097eee126a562ff

SHA1
90dfab0d26d60a1cd961559797bd38d4bff489cb

SHA256
3bccb804fa9b174b97a2c69cb4018dcfc1b32ab9a677d676d7d749619ddd4fac

SHA512
1f614cff5d4b6e8839c182f38ab6f824d1f539b19cbb28fd379511aa5c51055afa7a775ddff12e9cece498a1df6ea72ea2447e3bdadb7454b95621e3de40e4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
208KB

MD5
21c523620bc089139003a2d30b8e2948

SHA1
0e719c93345f6d768b2b78d08c90168dc5ca1811

SHA256
d78eedea52dd5771deefd183debafb27e7b180b89c0803da953ea759557a4ef1

SHA512
1c6b915bbca6ddbf18a5ff436c264fa909b0123197bf6f7085b43dbe50a56c9f9dfc662a1ed124624dd1505ffda92552a8321cd6da98694ecd56b72a363e9559

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMemPoolLib92.dll

Filesize
24KB

MD5
bbbc1b4082fd2cf775f25df2f3c2ffd6

SHA1
08377c226d0b008e8534c822cd4dc8eb77c352bb

SHA256
58fb7d84f128797b721c5982db51fe4a0c25c8890d63fabadef6442ba4633f10

SHA512
8157964a6df1dab7250ddfabf530b36f0a25746c77fd5988d9a1f5e04a940c1b4367cfc4ebd28e5fbf0cb6902382eb6a7f8386f08decd46814ab496efbe5976e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPlatform.exe

Filesize
394KB

MD5
7fa3df4ff73974d6c8d283da8c7238ca

SHA1
b10f2c96ef9fe6dbf3bc85dfa049ad62512806ec

SHA256
518f51f76bad5d06957e1e353cf398a0b9a51819033f9d69bd6ed2c0e41e3588

SHA512
6f710f957fa044a1962a2a6a5d3b1a27f947ebcfccb39fb85787c779e4bf292f35e247305e5d3d69d6d8d1617dbb90643422a8515c2fa61da515dc44366b2cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPlatformAX92.dll

Filesize
162KB

MD5
ea0fd03b9c5578aed0c45c543c758331

SHA1
087f6dbf5621a1a331fbb99bbf60d6c6af789daf

SHA256
38d875cfe7140cd2012b7eeee6c0d7a6b7b4b8a61652806d51e3f15de445b408

SHA512
adabecaa246226405c288647757dd503a4da5f328dd572747408a3a127553e6b61cfebac6ffa7013a0450c12d66e0789e0199fa1b0e8c8a7fdae59b40d44c57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPlatformLib92.dll

Filesize
4.3MB

MD5
79b00326c14ce61458661959dfd09892

SHA1
45db39c6195dd6a52a60674172b432dfb29cc937

SHA256
67db95b288d5d5dd00c3021d9d2951605d0c20dd40bef949f2fac09b6c599a9f

SHA512
ef84f95498db6b06e800fc6ca39d5326406246054dcfb1743a385e32c5e66a7f8ea96bf44cf2f069ab2f392020b91f7a472670bb65b5987c5286203f0112484f

Download Submit
C:\Users\Admin\AppData\Local\Temp\npXPlatformPlugin92.dll

Filesize
88KB

MD5
62114054fa5cf6ebfd0b0768e9785357

SHA1
588807895f0f6fbf7150fd4db37ef27fd9579d16

SHA256
921618f252d7c6bd4fb093079b8ec5bf0c125d768caef66d64c49c3e5f16195b

SHA512
f0c6ef876ff413d427fc6283838a321ac4579505aa3c9dc7bb91e8d05e5358620b1f9a684a25ba401ee8df8851e6db71a30e11b1f8e1e9f58a9b0f1329511938

Download Submit
C:\Windows\Installer\MSI96C5.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\f778c39.msi

Filesize
2.6MB

MD5
f194e681c552647c95441877b5552415

SHA1
285c6b1dbbc2d1525c9b1c276a4901b98d49b202

SHA256
6d4f42d5856384c2566ed79bdc587993208013640b035b04540de9f05ee597d6

SHA512
8ed21ce7829a1cb6c2dd4eff2e3701171aeba5b7e4337eaf0ddff86ea3fda812198a2e3fb4f1873b129944bdc8ddb09ebbd78e5c2b9811900cb853ef2afdab8c

Download Submit
C:\Windows\VCREDI~3.EXE

Filesize
2.6MB

MD5
c5c698758bd9da02cc2ef94dcf1b4637

SHA1
1d6773537b0baba779090c7fa29be43d2130c3dd

SHA256
e1df4fda1f4f6a5d9faa94cc53e77458a53c56a87df4f1062708095150c86dbf

SHA512
c238860204de3933c7c41ba5f621f957d602286fa3a19a1bf4b6b272d8b417a20f5351ccf6ae5b46dde6ae938c7158e0f11d610e7a76a3530ba6825a96c9196b

Download Submit
C:\Windows\VCREDI~3.EXE

Filesize
2.6MB

MD5
c5c698758bd9da02cc2ef94dcf1b4637

SHA1
1d6773537b0baba779090c7fa29be43d2130c3dd

SHA256
e1df4fda1f4f6a5d9faa94cc53e77458a53c56a87df4f1062708095150c86dbf

SHA512
c238860204de3933c7c41ba5f621f957d602286fa3a19a1bf4b6b272d8b417a20f5351ccf6ae5b46dde6ae938c7158e0f11d610e7a76a3530ba6825a96c9196b

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformAX92.dll

Filesize
162KB

MD5
ea0fd03b9c5578aed0c45c543c758331

SHA1
087f6dbf5621a1a331fbb99bbf60d6c6af789daf

SHA256
38d875cfe7140cd2012b7eeee6c0d7a6b7b4b8a61652806d51e3f15de445b408

SHA512
adabecaa246226405c288647757dd503a4da5f328dd572747408a3a127553e6b61cfebac6ffa7013a0450c12d66e0789e0199fa1b0e8c8a7fdae59b40d44c57d

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
2.6MB

MD5
6402438591b548121f54b0706a2c6423

SHA1
e052789ebad7dc8d6f8505a9295b0576babd125e

SHA256
d6832398e3bc9156a660745f427dc1c2392ce4e9a872e04f41f62d0c6bae07a8

SHA512
c615e6337a9507bfaaff14e23043e206351d48bf7ba1d0c244c4bc8a08f411b4aa27f9a9074a87b320007b3cfca448306752fd343392bdde83b851b0e7daadef

Download Submit
\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
2.2MB

MD5
e47d66dfbba10f9cf53d6014cad73b5b

SHA1
239706d9a0f555f970fa3c1c7f489d6294b78e99

SHA256
4d85686951bde29577d410fdf7f4ab0f50432ecd2d745c1eb185625394aaff9c

SHA512
4f24484612e8e6691005eea7965cc466c5d1ef6202933f310346b8acf23704bab42cc629106f05f99f59784f9213c5f98d6dd7c9ed5c8c1cc29f8c455781c59a

Download Submit
\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
2.2MB

MD5
e47d66dfbba10f9cf53d6014cad73b5b

SHA1
239706d9a0f555f970fa3c1c7f489d6294b78e99

SHA256
4d85686951bde29577d410fdf7f4ab0f50432ecd2d745c1eb185625394aaff9c

SHA512
4f24484612e8e6691005eea7965cc466c5d1ef6202933f310346b8acf23704bab42cc629106f05f99f59784f9213c5f98d6dd7c9ed5c8c1cc29f8c455781c59a

Download Submit
\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
2.2MB

MD5
e47d66dfbba10f9cf53d6014cad73b5b

SHA1
239706d9a0f555f970fa3c1c7f489d6294b78e99

SHA256
4d85686951bde29577d410fdf7f4ab0f50432ecd2d745c1eb185625394aaff9c

SHA512
4f24484612e8e6691005eea7965cc466c5d1ef6202933f310346b8acf23704bab42cc629106f05f99f59784f9213c5f98d6dd7c9ed5c8c1cc29f8c455781c59a

Download Submit
\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
480KB

MD5
0a3a2af0187e10f6d097eee126a562ff

SHA1
90dfab0d26d60a1cd961559797bd38d4bff489cb

SHA256
3bccb804fa9b174b97a2c69cb4018dcfc1b32ab9a677d676d7d749619ddd4fac

SHA512
1f614cff5d4b6e8839c182f38ab6f824d1f539b19cbb28fd379511aa5c51055afa7a775ddff12e9cece498a1df6ea72ea2447e3bdadb7454b95621e3de40e4cc

Download Submit
\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
480KB

MD5
0a3a2af0187e10f6d097eee126a562ff

SHA1
90dfab0d26d60a1cd961559797bd38d4bff489cb

SHA256
3bccb804fa9b174b97a2c69cb4018dcfc1b32ab9a677d676d7d749619ddd4fac

SHA512
1f614cff5d4b6e8839c182f38ab6f824d1f539b19cbb28fd379511aa5c51055afa7a775ddff12e9cece498a1df6ea72ea2447e3bdadb7454b95621e3de40e4cc

Download Submit
\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
480KB

MD5
0a3a2af0187e10f6d097eee126a562ff

SHA1
90dfab0d26d60a1cd961559797bd38d4bff489cb

SHA256
3bccb804fa9b174b97a2c69cb4018dcfc1b32ab9a677d676d7d749619ddd4fac

SHA512
1f614cff5d4b6e8839c182f38ab6f824d1f539b19cbb28fd379511aa5c51055afa7a775ddff12e9cece498a1df6ea72ea2447e3bdadb7454b95621e3de40e4cc

Download Submit
\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
208KB

MD5
21c523620bc089139003a2d30b8e2948

SHA1
0e719c93345f6d768b2b78d08c90168dc5ca1811

SHA256
d78eedea52dd5771deefd183debafb27e7b180b89c0803da953ea759557a4ef1

SHA512
1c6b915bbca6ddbf18a5ff436c264fa909b0123197bf6f7085b43dbe50a56c9f9dfc662a1ed124624dd1505ffda92552a8321cd6da98694ecd56b72a363e9559

Download Submit
\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
208KB

MD5
21c523620bc089139003a2d30b8e2948

SHA1
0e719c93345f6d768b2b78d08c90168dc5ca1811

SHA256
d78eedea52dd5771deefd183debafb27e7b180b89c0803da953ea759557a4ef1

SHA512
1c6b915bbca6ddbf18a5ff436c264fa909b0123197bf6f7085b43dbe50a56c9f9dfc662a1ed124624dd1505ffda92552a8321cd6da98694ecd56b72a363e9559

Download Submit
\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
208KB

MD5
21c523620bc089139003a2d30b8e2948

SHA1
0e719c93345f6d768b2b78d08c90168dc5ca1811

SHA256
d78eedea52dd5771deefd183debafb27e7b180b89c0803da953ea759557a4ef1

SHA512
1c6b915bbca6ddbf18a5ff436c264fa909b0123197bf6f7085b43dbe50a56c9f9dfc662a1ed124624dd1505ffda92552a8321cd6da98694ecd56b72a363e9559

Download Submit
\Users\Admin\AppData\Local\Temp\XMemPoolLib92.dll

Filesize
24KB

MD5
bbbc1b4082fd2cf775f25df2f3c2ffd6

SHA1
08377c226d0b008e8534c822cd4dc8eb77c352bb

SHA256
58fb7d84f128797b721c5982db51fe4a0c25c8890d63fabadef6442ba4633f10

SHA512
8157964a6df1dab7250ddfabf530b36f0a25746c77fd5988d9a1f5e04a940c1b4367cfc4ebd28e5fbf0cb6902382eb6a7f8386f08decd46814ab496efbe5976e

Download Submit
\Users\Admin\AppData\Local\Temp\XMemPoolLib92.dll

Filesize
24KB

MD5
bbbc1b4082fd2cf775f25df2f3c2ffd6

SHA1
08377c226d0b008e8534c822cd4dc8eb77c352bb

SHA256
58fb7d84f128797b721c5982db51fe4a0c25c8890d63fabadef6442ba4633f10

SHA512
8157964a6df1dab7250ddfabf530b36f0a25746c77fd5988d9a1f5e04a940c1b4367cfc4ebd28e5fbf0cb6902382eb6a7f8386f08decd46814ab496efbe5976e

Download Submit
\Users\Admin\AppData\Local\Temp\XMemPoolLib92.dll

Filesize
24KB

MD5
bbbc1b4082fd2cf775f25df2f3c2ffd6

SHA1
08377c226d0b008e8534c822cd4dc8eb77c352bb

SHA256
58fb7d84f128797b721c5982db51fe4a0c25c8890d63fabadef6442ba4633f10

SHA512
8157964a6df1dab7250ddfabf530b36f0a25746c77fd5988d9a1f5e04a940c1b4367cfc4ebd28e5fbf0cb6902382eb6a7f8386f08decd46814ab496efbe5976e

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatform.exe

Filesize
394KB

MD5
7fa3df4ff73974d6c8d283da8c7238ca

SHA1
b10f2c96ef9fe6dbf3bc85dfa049ad62512806ec

SHA256
518f51f76bad5d06957e1e353cf398a0b9a51819033f9d69bd6ed2c0e41e3588

SHA512
6f710f957fa044a1962a2a6a5d3b1a27f947ebcfccb39fb85787c779e4bf292f35e247305e5d3d69d6d8d1617dbb90643422a8515c2fa61da515dc44366b2cdb

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatform.exe

Filesize
394KB

MD5
7fa3df4ff73974d6c8d283da8c7238ca

SHA1
b10f2c96ef9fe6dbf3bc85dfa049ad62512806ec

SHA256
518f51f76bad5d06957e1e353cf398a0b9a51819033f9d69bd6ed2c0e41e3588

SHA512
6f710f957fa044a1962a2a6a5d3b1a27f947ebcfccb39fb85787c779e4bf292f35e247305e5d3d69d6d8d1617dbb90643422a8515c2fa61da515dc44366b2cdb

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformAX92.dll

Filesize
162KB

MD5
ea0fd03b9c5578aed0c45c543c758331

SHA1
087f6dbf5621a1a331fbb99bbf60d6c6af789daf

SHA256
38d875cfe7140cd2012b7eeee6c0d7a6b7b4b8a61652806d51e3f15de445b408

SHA512
adabecaa246226405c288647757dd503a4da5f328dd572747408a3a127553e6b61cfebac6ffa7013a0450c12d66e0789e0199fa1b0e8c8a7fdae59b40d44c57d

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformAX92.dll

Filesize
162KB

MD5
ea0fd03b9c5578aed0c45c543c758331

SHA1
087f6dbf5621a1a331fbb99bbf60d6c6af789daf

SHA256
38d875cfe7140cd2012b7eeee6c0d7a6b7b4b8a61652806d51e3f15de445b408

SHA512
adabecaa246226405c288647757dd503a4da5f328dd572747408a3a127553e6b61cfebac6ffa7013a0450c12d66e0789e0199fa1b0e8c8a7fdae59b40d44c57d

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformLib92.dll

Filesize
4.3MB

MD5
79b00326c14ce61458661959dfd09892

SHA1
45db39c6195dd6a52a60674172b432dfb29cc937

SHA256
67db95b288d5d5dd00c3021d9d2951605d0c20dd40bef949f2fac09b6c599a9f

SHA512
ef84f95498db6b06e800fc6ca39d5326406246054dcfb1743a385e32c5e66a7f8ea96bf44cf2f069ab2f392020b91f7a472670bb65b5987c5286203f0112484f

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformLib92.dll

Filesize
4.3MB

MD5
79b00326c14ce61458661959dfd09892

SHA1
45db39c6195dd6a52a60674172b432dfb29cc937

SHA256
67db95b288d5d5dd00c3021d9d2951605d0c20dd40bef949f2fac09b6c599a9f

SHA512
ef84f95498db6b06e800fc6ca39d5326406246054dcfb1743a385e32c5e66a7f8ea96bf44cf2f069ab2f392020b91f7a472670bb65b5987c5286203f0112484f

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformLib92.dll

Filesize
4.3MB

MD5
79b00326c14ce61458661959dfd09892

SHA1
45db39c6195dd6a52a60674172b432dfb29cc937

SHA256
67db95b288d5d5dd00c3021d9d2951605d0c20dd40bef949f2fac09b6c599a9f

SHA512
ef84f95498db6b06e800fc6ca39d5326406246054dcfb1743a385e32c5e66a7f8ea96bf44cf2f069ab2f392020b91f7a472670bb65b5987c5286203f0112484f

Download Submit
\Users\Admin\AppData\Local\Temp\npXPLauncherPlugin92.dll

Filesize
640KB

MD5
5b59a97ff3b9f4b5ec5071fa0a6e945b

SHA1
635d7998c89fe18527c44bdcb32a053b1f289852

SHA256
2ed749aa19cc19d75081e672f51c3a088c6c4a4b5257c0d974ac8acf93bce075

SHA512
5bd4dbc10cf083021432b56aa4dc32a2b0b1b13737a97122d90705f319b41ad588f6c8fa57f33cd3b7efab5401a40a35d675183f24e682bb18cc34fa0a412936

Download Submit
\Users\Admin\AppData\Local\Temp\npXPLauncherPlugin92.dll

Filesize
640KB

MD5
5b59a97ff3b9f4b5ec5071fa0a6e945b

SHA1
635d7998c89fe18527c44bdcb32a053b1f289852

SHA256
2ed749aa19cc19d75081e672f51c3a088c6c4a4b5257c0d974ac8acf93bce075

SHA512
5bd4dbc10cf083021432b56aa4dc32a2b0b1b13737a97122d90705f319b41ad588f6c8fa57f33cd3b7efab5401a40a35d675183f24e682bb18cc34fa0a412936

Download Submit
\Users\Admin\AppData\Local\Temp\npXPlatformPlugin92.dll

Filesize
88KB

MD5
62114054fa5cf6ebfd0b0768e9785357

SHA1
588807895f0f6fbf7150fd4db37ef27fd9579d16

SHA256
921618f252d7c6bd4fb093079b8ec5bf0c125d768caef66d64c49c3e5f16195b

SHA512
f0c6ef876ff413d427fc6283838a321ac4579505aa3c9dc7bb91e8d05e5358620b1f9a684a25ba401ee8df8851e6db71a30e11b1f8e1e9f58a9b0f1329511938

Download Submit
\Users\Admin\AppData\Local\Temp\npXPlatformPlugin92.dll

Filesize
88KB

MD5
62114054fa5cf6ebfd0b0768e9785357

SHA1
588807895f0f6fbf7150fd4db37ef27fd9579d16

SHA256
921618f252d7c6bd4fb093079b8ec5bf0c125d768caef66d64c49c3e5f16195b

SHA512
f0c6ef876ff413d427fc6283838a321ac4579505aa3c9dc7bb91e8d05e5358620b1f9a684a25ba401ee8df8851e6db71a30e11b1f8e1e9f58a9b0f1329511938

Download Submit
\Windows\Installer\MSI96C5.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
memory/2168-108-0x0000000004400000-0x0000000004479000-memory.dmp

Filesize
484KB

Download
memory/2168-91-0x0000000003D30000-0x00000000041CA000-memory.dmp

Filesize
4.6MB

Download
memory/2168-95-0x00000000041D0000-0x00000000043FF000-memory.dmp

Filesize
2.2MB

Download
memory/2168-103-0x0000000002B60000-0x0000000002B94000-memory.dmp

Filesize
208KB

Download