245c243a6b942dba31ab175991ab7adadd6b6fc2039c5f52abf518291323cec7

Analysis

max time kernel
298s
max time network
260s
platform
windows10-1703_x64
resource
win10-20231023-de
resource tags

arch:x64arch:x86image:win10-20231023-delocale:de-deos:windows10-1703-x64systemwindows
submitted
21/11/2023, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ComSoft-Basic-5.exe
Size

168.7MB
MD5

6aa07c314dad5828ea92d87ee23c8f5d
SHA1

61a4fa0a9b66ff7cfa933f342f4f33d01cd8b47f
SHA256

245c243a6b942dba31ab175991ab7adadd6b6fc2039c5f52abf518291323cec7
SHA512

1e1e22b6b82b17da6c5073e8ea4370745ceb20bed9f5e9d93bc783208de70aef1a6d1c1cc4386474726cc96fb197d9088fdf1ba0edba4946f63b589e4ce31f3c
SSDEEP

3145728:AhcGV6UyYWyAsohy3uQ4hx+rrna5zijvYjd+qtHXL/TfjXaVZ4A2GjwKH:6R1yYWWD4wna5mgjt7DjXaV7OKH

Score

8^/10

discovery upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 5 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A7A6D8E35527A32CC6FDABA7C2132B6FFE488617\Blob = 030000000100000014000000a7a6d8e35527a32cc6fdaba7c2132b6ffe4886172000000001000000eb040000308204e7308203cfa00302010202101508574c63541722f1e0b57605f089fb300d06092a864886f70d01010505003081b6310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930393130302e06035504031327566572695369676e20436c617373203320436f6465205369676e696e6720323030392d32204341301e170d3039303830343030303030305a170d3132303830333233353935395a3081a4310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d6265726731123010060355040713094c656e7a6b697263683111300f060355040a1408546573746f204147313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e2076323111300f06035504031408546573746f20414730819f300d06092a864886f70d010101050003818d0030818902818100dcf6cad15488a9a9d192fd8e418f386616b6343b1225e096843c466f09b629f1c56f4fa0c48e106475bbdaf00ef9cc8f77a8aa75ceed5e666a33dbb6ef6889efadc65483d5d8068bba0ebf72450113727670499df4857519edf1e97bfad73dcb654949dc8d38763372e31159d3ff1af2e4bb87369b4a18982a4e4ab540042b290203010001a38201833082017f30090603551d1304023000300e0603551d0f0101ff04040302078030440603551d1f043d303b3039a037a0358633687474703a2f2f637363332d323030392d322d63726c2e766572697369676e2e636f6d2f435343332d323030392d322e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f637363332d323030392d322d6169612e766572697369676e2e636f6d2f435343332d323030392d322e636572301f0603551d2304183016801497d06ba82670c8a13f941f082dc4359ba4a11ef2301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d010105050003820101004a771eef0950a5b7932ad65178ce614030cb6fcd32bf3519b11622d58054db0fcc426cfb6e2dcff6647ae4afa6306617557af67f17611700e2944024325a39e2425cc931266fbff8c264aaefb18cb1331938ecff248fcf80702448da55fb922f14b066248bf06cf3470644fb9fabd136b9361c7722fb4a116b99863c6a4d2618d5a31ccd98b4b85f31622d7406a70042bdf40c8c3a7ea8aaee38323fcec939795c81aa4bdff97ec1cf5d7df49e07fe294b5fd30fc09a6bd8d41950dac5e1ac694d51bfb9a3231560194ed1c389c089d9f35ea13783bae47da8c40f243e53cc88f38f5ad787f0b146e47a36d891b133f190c0c9709bab355edd1f47a7084b1fa2	nsjE6D4.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A7A6D8E35527A32CC6FDABA7C2132B6FFE488617\Blob = 0f0000000100000014000000dc85c3747d8432b7ff4cb047875ee54bb4e5ed05030000000100000014000000a7a6d8e35527a32cc6fdaba7c2132b6ffe4886172000000001000000eb040000308204e7308203cfa00302010202101508574c63541722f1e0b57605f089fb300d06092a864886f70d01010505003081b6310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930393130302e06035504031327566572695369676e20436c617373203320436f6465205369676e696e6720323030392d32204341301e170d3039303830343030303030305a170d3132303830333233353935395a3081a4310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d6265726731123010060355040713094c656e7a6b697263683111300f060355040a1408546573746f204147313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e2076323111300f06035504031408546573746f20414730819f300d06092a864886f70d010101050003818d0030818902818100dcf6cad15488a9a9d192fd8e418f386616b6343b1225e096843c466f09b629f1c56f4fa0c48e106475bbdaf00ef9cc8f77a8aa75ceed5e666a33dbb6ef6889efadc65483d5d8068bba0ebf72450113727670499df4857519edf1e97bfad73dcb654949dc8d38763372e31159d3ff1af2e4bb87369b4a18982a4e4ab540042b290203010001a38201833082017f30090603551d1304023000300e0603551d0f0101ff04040302078030440603551d1f043d303b3039a037a0358633687474703a2f2f637363332d323030392d322d63726c2e766572697369676e2e636f6d2f435343332d323030392d322e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f637363332d323030392d322d6169612e766572697369676e2e636f6d2f435343332d323030392d322e636572301f0603551d2304183016801497d06ba82670c8a13f941f082dc4359ba4a11ef2301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d010105050003820101004a771eef0950a5b7932ad65178ce614030cb6fcd32bf3519b11622d58054db0fcc426cfb6e2dcff6647ae4afa6306617557af67f17611700e2944024325a39e2425cc931266fbff8c264aaefb18cb1331938ecff248fcf80702448da55fb922f14b066248bf06cf3470644fb9fabd136b9361c7722fb4a116b99863c6a4d2618d5a31ccd98b4b85f31622d7406a70042bdf40c8c3a7ea8aaee38323fcec939795c81aa4bdff97ec1cf5d7df49e07fe294b5fd30fc09a6bd8d41950dac5e1ac694d51bfb9a3231560194ed1c389c089d9f35ea13783bae47da8c40f243e53cc88f38f5ad787f0b146e47a36d891b133f190c0c9709bab355edd1f47a7084b1fa2	DrvInst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A7A6D8E35527A32CC6FDABA7C2132B6FFE488617	nsjE6D4.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\C37A899B93AFF3423E80ED6164110E46AEB3999E\Blob = 030000000100000014000000c37a899b93aff3423e80ed6164110e46aeb3999e190000000100000010000000be2eda3ed7750ac92f6480ff2cfd3f8814000000010000001400000090c08036f83387b654d3129427f6c84bf2c84a6f0400000001000000100000005643d4d4270c6a9e50a324c7e5191bad0f000000010000002000000079d7a6cc419f2fe16482504c6cba459c405c2d23358cbb40d7124adbc275d3a4200000000100000001070000308206fd308204e5a003020102021009b5b27965384a92d147a6386657549b300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303930363030303030305a170d3235313031373233353935395a308181310b3009060355040613024445311b301906035504080c12426164656e2d57c3bc727474656d626572673119301706035504071310546974697365652d4e65757374616474311c301a060355040a0c13546573746f205345202620436f2e204b476141311c301a06035504030c13546573746f205345202620436f2e204b476141308201a2300d06092a864886f70d01010105000382018f003082018a0282018100bb3e038776eb98531b8372f1687def77f9f420f74ab8d6b76e6d90b6c0575f81bfc60bdf4d1c74dd6f567bc28b5c3b4c97bf89c0b04e3e5eff3be8ffe18b51fb6cb35bcae29495e8ae060c243b2d7b3923c3c6dfedbea8379d0ac8aa35bfac5477e19df959a6d85b9149f6e13d6d2838a3bb3b10dec7f17a306d9efec55602ffecf29ea54acc61428a96a04b1094751ea3c11b28150c15e27c084a30348d6bafd1ad7f9854431768dfa78d06b829ca9d4c31ae389fe2f3e9175f16701120e5fc1383cc1382809f02e65e4c7af56ef4e60ac704188c3e2fc458ef5ff0fa571befa4036ed0a4849d29313d20bd7b75f0ba3fce9dc7928fb9b3b8fbfbe1266cd214b091bdb171a355d74eba14045604b582753ce0308a725fe5fba30521eafe9377591f76314913dcfdea0840e1cd7b799d1c529059b3510bf22d551a6171f36d809b1531f7f714d33992bfee54a29ec108a20854e1a63767b2022c8d5a51709b013f09091c24878c644df7019b486317e8ddf50024457da9a8ac8a28225241f3150203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e0416041490c08036f83387b654d3129427f6c84bf2c84a6f300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100122dfe2fefe6a90d138182bc5050877c95e9eb8cfc0dde3cde8ddf1774c0613a1911eeb4abbbdb5b7c4ca598e069e746121d8d944b1f4fc9ec70e924846c0e45f962b102ff1f985756d4228fd2b763f9442876045e230dcc55e8d8242bc4bf4c2148f7eb254401eb9896cd55bbdabce6eb4b7865fce498380c9c946a2a4791123620b1528340a932dad29c6ef4a922cbf3c79159e9291308c50b59c82597fcc7e5e22716de2757a9cd8278fc0b30b7f7bada9834e5c129858f1d9d61ee9b9eb55980c0a13dad079aa2d5b45a43652dd3b7497f2c1f021f6171ba640919227288acb32bb356ca5568e242d64d5c142e8f6ca45daade3b6de8385e9158aada5693aff8242641607ce0de95b4820e9c8b97f74df281454ec0cd8aac61b77a7c55f740a523014d06df3767a7c90c94343ae656ea6f8c696db0c6df67938ccb3debf7925c2e92042b27c29623e09be9c3b5621cb60504b618137112f2e6981ee8b95ea1380e667c99d94aaa1c32e088c76ed93757e96bd3a8d88bb061fa6b40801fac2b23f116b820c2bba1a51a5bbfab01d8d85dbf070aeb4a111d5b5d19ddb5be210145fa5c901fa908b7b36ea4482758d24a68c47bb26769d19941a3af11dec31f99ce282e0366d2d383c404a1cf8f64405c6a84a9de658031f567de67c7fbf0824e4ee461e211442f2e09ac16115cec8849c0de296e276d42566f4abc1aeec74b	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4BB18B6C70D1544113A52EE52FDAB5235993A5DC\Blob = 0300000001000000140000004bb18b6c70d1544113a52ee52fdab5235993a5dc040000000100000010000000a8a619be72fac4059a6c2f86a7aed0d514000000010000001400000002989a1385db7efcf780daefe9abacb23d359fa61900000001000000100000001daeab0d37808d1072400123207a2f440f000000010000002000000044dec0c4d65b0cb2be07d3d6c6cb23b72120db46c02ee431c225ec0dfbfdef2b2000000001000000e6040000308204e2308203caa00302010202105056c65df351ade6cfe24c4f5d88e0e1300d06092a864886f70d01010b0500307f310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b3130302e0603550403132753796d616e74656320436c61737320332053484132353620436f6465205369676e696e67204341301e170d3136313031383030303030305a170d3139313031383233353935395a307a310b3009060355040613024445311b301906035504080c12426164656e2d57c3bc727474656d626572673112301006035504070c094c656e7a6b69726368311c301a060355040a0c13546573746f205345202620436f2e204b476141311c301a06035504030c13546573746f205345202620436f2e204b47614130820122300d06092a864886f70d01010105000382010f003082010a0282010100b0fad3bae84050177037e0d4a03a5184b8089dfdb8ad84d6cecf2e3b01a07bf24f3733ebce3b30ee630dbdccde1acb265aec240f18e276ada418f9d580731c13b751761c495297280857ea2092db146751dbbe602820395e9d218af5d40f68356fb61e81c159d2308d20d41123817eb578be5c880dfb7504c299522a1a8a7a529d4563a20dab882156434262c22fabda6614477b00c11d22215037f72ba016de70b00886a47ce6904b99444cb7572008a6ab85209874c7ad822484bc2577fbd41eb0800b425e6b808da3bec0b5987e9db49dce00085ee2b04ba62575f739afa421ae95ebc236d07ff81c411406538b88ef2f059065759a7590271bfc815790330203010001a382015d3082015930090603551d1304023000300e0603551d0f0101ff040403020780302b0603551d1f042430223020a01ea01c861a687474703a2f2f73762e73796d63622e636f6d2f73762e63726c30610603551d20045a30583056060667810c010401304c302306082b06010505070201161768747470733a2f2f642e73796d63622e636f6d2f637073302506082b0601050507020230190c1768747470733a2f2f642e73796d63622e636f6d2f72706130130603551d25040c300a06082b06010505070303305706082b06010505070101044b3049301f06082b060105050730018613687474703a2f2f73762e73796d63642e636f6d302606082b06010505073002861a687474703a2f2f73762e73796d63622e636f6d2f73762e637274301f0603551d23041830168014963b53f0793397af7d83ef2e2bcccab7861e7266301d0603551d0e0416041402989a1385db7efcf780daefe9abacb23d359fa6300d06092a864886f70d01010b050003820101007be99d9bde491aeb058b8d416c57ca3ce1a91f3e070bafdd3a0bb59971fe446e99cdcf618b0adefef2f552c8f1b723e339dfa67ab06c8494e9d0c17d39f89931ad37b62936657add7b83f01530d2439a2a7bb6d3ffec2d0ec2d239ccd0841039a9cb800e29ff9a794c2c6ae4c72a972ee29e0ee8c6e37a4be9a1d6121f297ff776555057b0d3dcc8cdc6ca84a80ff83f387a2cd4eaafdfda1a7859155bdeb914d8a90bc93a88c136b85d529ff2b1ab3806bad1e4300d93483b7055456413f7ca603bdb5bd9c068372716484e48c98fb2d25522941ac81e832f1bbd8fbd9573ec2c05236ab2d55db18634ce2c5dd9c77fa31adb1b2590c3e6135b8ba9fd4fc30b	DrvInst.exe

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000600000001ad78-410.dat	acprotect
behavioral1/files/0x000600000001ad78-408.dat	acprotect
behavioral1/files/0x000600000001ad78-406.dat	acprotect
behavioral1/files/0x000600000001ad78-421.dat	acprotect
behavioral1/files/0x000600000001ad78-419.dat	acprotect
behavioral1/files/0x000600000001ad78-415.dat	acprotect
behavioral1/files/0x000600000001ad78-413.dat	acprotect
behavioral1/memory/3804-429-0x00000000008F0000-0x00000000008F9000-memory.dmp	acprotect

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ad69-280.dat	upx
behavioral1/files/0x000600000001ad69-281.dat	upx
behavioral1/memory/3804-282-0x0000000000400000-0x00000000006FF000-memory.dmp	upx
behavioral1/files/0x000600000001ad78-410.dat	upx
behavioral1/files/0x000600000001ad78-408.dat	upx
behavioral1/files/0x000600000001ad78-406.dat	upx
behavioral1/files/0x000600000001ad78-421.dat	upx
behavioral1/files/0x000600000001ad78-419.dat	upx
behavioral1/files/0x000600000001ad78-415.dat	upx
behavioral1/files/0x000600000001ad78-413.dat	upx
behavioral1/memory/3804-429-0x00000000008F0000-0x00000000008F9000-memory.dmp	upx
behavioral1/memory/3804-824-0x0000000000400000-0x00000000006FF000-memory.dmp	upx
behavioral1/memory/3804-1144-0x0000000000400000-0x00000000006FF000-memory.dmp	upx

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3096	msiexec.exe
5	3096	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\AUTORUN.INF	ComSoft-Basic-5.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\AUTORUN.INF	ComSoft-Basic-5.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_1aa603447a4e28b4\ftdiport.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\SET355F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\SET3562.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_f0ce3c6964697eb9\amd64\ftd2xx64.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_f0ce3c6964697eb9\amd64\ftbusui.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64\ftserui2.dll	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	rundll32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\SET3562.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\SET3560.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_f0ce3c6964697eb9\amd64\FTLang.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\i386	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\SET2EC8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\ftdibus.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\SET3563.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_f0ce3c6964697eb9\i386\ftd2xx.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_1aa603447a4e28b4\amd64\ftcserco.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mscomm32.ocx	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\SET3561.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\SET355F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\ftdibus.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64\ftser2k.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64\ftcserco.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\SET5D7C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_1aa603447a4e28b4\ftdiport.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\ftdiport.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\SET2EC8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\i386\SET3564.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64\SET5D68.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\SET5D7B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\SET5D7B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_1aa603447a4e28b4\amd64\ftserui2.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\SET2EC7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\SET2EC7.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_f0ce3c6964697eb9\ftdibus.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_1aa603447a4e28b4\amd64\ftser2k.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\testo175176bus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\testo175176bus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\ftdibus.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\SET355E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\SET355E.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\i386\SET3564.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	rundll32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\pt\DevExpress.XtraReports.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\Tcusbevt.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\testomscomm.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\vcand32.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\it\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\zh-CN\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\TestoControlLibrary.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort\AMD64\ftser2k.sys	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\pt\DevExpress.XtraPrinting.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort\AMD64\ftd2xx64.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\setup.bmp	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\tctapi.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIBus\AMD64\ftlang.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\c177res.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\da\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\InfragisticsWPF3.Documents.Excel.v11.1.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\t177a.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\is-IS\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\zh-CHS\DevExpress.XtraEditors.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort\AMD64\ftbusui.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort\i386\ftser2k.sys	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\it\DevExpress.XtraPrinting.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\sl\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\C1.WPF.C1Chart.Extended.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\es\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\HAL_Logger.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\TestoSplash.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\devcore.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\DevExpress.XtraTreeList.v11.1.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\cs\DevExpress.XtraReports.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\wdapi1020.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\t174.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIBus\i386\ftserui2.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\fi-FI\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\pt\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\InfragisticsWPF3.v11.1.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\testo175176bus.inf	msiexec.exe
File created	C:\Program Files\Testo\testo175176bus\setup.ini	setup.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\corepg.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\de\DevExpress.XtraEditors.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIBus\AMD64\ftd2xx64.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort\i386\ftbusui.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIBus\ftdibus.inf	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\tr\DevExpress.XtraEditors.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\t174dev2009.dll	msiexec.exe
File created	C:\Program Files\Testo\testo175176bus\testo175176bus.inf	setup.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\DevExpress.Printing.v11.1.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\da\DevExpress.XtraReports.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\de\DevExpress.XtraReports.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\hu-HU\DevExpress.XtraReports.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort\i386\ftserui2.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\nl\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\sk\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\nvalidate.licence.htm	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\testo175176bus.cat	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\DevExpress.XtraPrinting.v11.1.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\REP_Logger.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Testo Shared\tcddka.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\DevExpress.Data.v11.1.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\TestoPageBaseLogger.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\da\DevExpress.XtraPrinting.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\ComSoft.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\tr\DevExpress.Data.v11.1.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\zh-CHS\DevExpress.Data.v11.1.resources.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\inf\c_cashdrawer.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_volume.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmsii64.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\megasas.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\wsynth3dvsc.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_display.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmusrk1.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmusrsp.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\prnxxcl3.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\wnetvsc_vfpp.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\3ware.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_fsphysicalquotamgmt.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\eaphost.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmaiwa5.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\prnbrcl1.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmeric2.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\net8187bv64.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\netwlan92de.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\wiaky002.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\wmbclass_wmc_union.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_fsundelete.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_memory.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\gameport.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mchgr.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmtdkj6.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\lsi_sas3i.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmgl002.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\net8192se64.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\netirda.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\prnhpcl2.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_hdc.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\lltdio.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\prnsacl1.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\battery.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmcpq2.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmelsa.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmrock.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmsun1.PNF	nsjE6D4.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\c_bluetooth.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\hpsamd.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\netrast.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_sbp2.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmmetri.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mgtdyn.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\netvf63a.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\prnhpcl1.PNF	nsjE6D4.tmp
File created	C:\Windows\Installer\e58ce0b.msi	msiexec.exe
File created	C:\Windows\inf\bthpan.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\c_biometric.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\lsi_sas.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmmcd.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmneuhs.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmnttme.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\oem1.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmisdn.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmnis1u.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\wdma_usb.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\mdmcodex.PNF	nsjE6D4.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	nsjE6D4.tmp
File created	C:\Windows\inf\mdmiodat.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\netnvma.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\netvwififlt.PNF	nsjE6D4.tmp
File created	C:\Windows\inf\prnms007.PNF	nsjE6D4.tmp

Executes dropped EXE 16 IoCs

pid	Process
4520	TestoSetup.exe
2552	setup.exe
3804	setup.exe
1208	nsjE6D4.tmp
3464	nsjE6D4.tmp
3988	nsjE6D4.tmp
508	nsjE6D4.tmp
4912	nsjE6D4.tmp
4708	nsjE6D4.tmp
3276	nsjE6D4.tmp
4888	nsjE6D4.tmp
1216	nsjE6D4.tmp
4312	nsjE6D4.tmp
4244	nsjE6D4.tmp
1200	nsjE6D4.tmp
4580	ComSoft.exe

Loads dropped DLL 64 IoCs

pid	Process
772	MsiExec.exe
772	MsiExec.exe
5024	MsiExec.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
1208	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
3464	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
3988	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
508	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
3804	setup.exe
4912	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
4708	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
3276	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
4888	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
1216	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
4312	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
4244	nsjE6D4.tmp
3804	setup.exe
3804	setup.exe
1200	nsjE6D4.tmp
1396	MsiExec.exe
1396	MsiExec.exe
5024	MsiExec.exe
4580	ComSoft.exe
4580	ComSoft.exe
4580	ComSoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	nsjE6D4.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	nsjE6D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	nsjE6D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	nsjE6D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	nsjE6D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	nsjE6D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	nsjE6D4.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	nsjE6D4.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	nsjE6D4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBB76011-C508-11D1-A3E3-00A0C90AEA82}\TypeLib\Version = "6.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T175dev.t175spi.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{879A0A7D-FF88-41C4-AA54-D3FB96E2D129}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TEPdev.tEPspi	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testo.t17bspi\ = "t17bspi Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{3B36DE0A-22A0-40E1-976A-8A5D769E150A}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17ca.T17cacfg	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C19222B6-7EF6-45F7-91CF-9CC534E26EFF}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T174a.T174aProg.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C72D979F-FDC7-484F-8A92-21281CAFBD5C}\VersionIndependentProgID\ = "testo.t17b"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{648A5600-2C6E-101B-82B6-000000000014}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{168740CA-875D-11D5-A091-00E029399CFB}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD43DE20-E8B8-11D5-A5CB-0000C0403AD3}\ = "IT177aSocket"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEA6AB0F-BE3F-11D5-A5A9-0000C0403AD3}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Testo Shared\\c177res.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DC17D633-EFCE-11D5-A5D2-0000C0403AD3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75DDE3C0-E802-11D5-A5C9-0000C0403AD3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DEB57987-C57A-4B1A-BF3B-685CF9BBB093}\ProxyStubClsid32\ = "{DEB57987-C57A-4B1A-BF3B-685CF9BBB093}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C91161C7-FB86-4E72-8BA0-CA4201F28049}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\T17cdev.t17cspi\CurVer\ = "T17cdev.t17cspi.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17c.tdsdprps.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17ca.t17caprg\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2EBED6AF-7C34-11D5-92F8-009027A0358E}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C0CF91D5-37FB-4339-9E1F-18C16FBD6F10}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D397252E-2B86-4D6B-820C-4DBAB0412F11}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T177.SetDst\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D518C1E-A2B5-11D5-A589-0000C0403AD3}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T174.t174ipdo	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testo.t174.1\ = "t174impl Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testo.t17bspi.1\ = "t17bspi Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{337DD8BA-0C5B-44D4-87FF-79AD842FA619}\ProgID\ = "testo.tdsd.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\testo.t17c.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD43DE21-E8B8-11D5-A5CB-0000C0403AD3}\VersionIndependentProgID\ = "T177a.t177askt"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{113C8911-E889-11D5-A5CA-0000C0403AD3}\ = "IT177aSocketCollection"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\testo.tdsd.1\CLSID\ = "{337DD8BA-0C5B-44D4-87FF-79AD842FA619}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48909EF0-E337-11D5-A5C5-0000C0403AD3}\VersionIndependentProgID\ = "T177.SetDst"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Tcusbevt.tcusbinf\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DC17D633-EFCE-11D5-A5D2-0000C0403AD3}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88E0B9DF-B0E5-494C-8299-18408023DC09}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17ca.T17cacfg\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{48909EF0-E337-11D5-A5C5-0000C0403AD3}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Tcusbevt.tcusblis	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17ba.T17baProg\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17ba.T17baProg.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17cdev.t17cspi\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{46A90A3C-CBAE-4364-9F0C-88E0DF808CFF}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6FAE8F3-63DE-11D5-A55E-0000C0403AD3}\VersionIndependentProgID\ = "T177.t177ipdo"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30361937-B38B-11D2-B9E5-0000C0A215C3}\TypeLib\ = "{933CB583-B37E-11D2-B9E5-0000C0A215C3}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{337DD8BA-0C5B-44D4-87FF-79AD842FA619}\ = "tdsdimpl Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3F0BDE9E-1A36-4E44-89D5-A4C7C4A3EE34}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{441A8231-A39C-11D5-A58A-0000C0403AD3}\TypeLib\ = "{8D518C10-A2B5-11D5-A589-0000C0403AD3}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\testo.t174\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{EC08CA53-95EA-4C43-BB54-7C590BFA8050}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC08C321-DA90-480A-9388-C46965D9BDD1}\ = "tiusb Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\T17c.tdsdipdo\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\T17ca.T17caSocket.1\CLSID\ = "{C19222B6-7EF6-45F7-91CF-9CC534E26EFF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4BE9095F5A3FF6148BF9855CE98D25BE\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\testo\\ComsoftBasic\\csbasic64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6F6E5902-BCA0-465F-B10C-0178E7AEB839}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9D69BC1-4B58-11D5-A54D-0000C0403AD3}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F9D69BC1-4B58-11D5-A54D-0000C0403AD3}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E031BE2-8F9D-477A-A90A-F245E93F2AF8}\ = "tcddka.tcvi2file"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30361937-B38B-11D2-B9E5-0000C0A215C3}\ = "IProtocolCollection"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A7A6D8E35527A32CC6FDABA7C2132B6FFE488617	nsjE6D4.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A7A6D8E35527A32CC6FDABA7C2132B6FFE488617\Blob = 030000000100000014000000a7a6d8e35527a32cc6fdaba7c2132b6ffe4886172000000001000000eb040000308204e7308203cfa00302010202101508574c63541722f1e0b57605f089fb300d06092a864886f70d01010505003081b6310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930393130302e06035504031327566572695369676e20436c617373203320436f6465205369676e696e6720323030392d32204341301e170d3039303830343030303030305a170d3132303830333233353935395a3081a4310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d6265726731123010060355040713094c656e7a6b697263683111300f060355040a1408546573746f204147313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e2076323111300f06035504031408546573746f20414730819f300d06092a864886f70d010101050003818d0030818902818100dcf6cad15488a9a9d192fd8e418f386616b6343b1225e096843c466f09b629f1c56f4fa0c48e106475bbdaf00ef9cc8f77a8aa75ceed5e666a33dbb6ef6889efadc65483d5d8068bba0ebf72450113727670499df4857519edf1e97bfad73dcb654949dc8d38763372e31159d3ff1af2e4bb87369b4a18982a4e4ab540042b290203010001a38201833082017f30090603551d1304023000300e0603551d0f0101ff04040302078030440603551d1f043d303b3039a037a0358633687474703a2f2f637363332d323030392d322d63726c2e766572697369676e2e636f6d2f435343332d323030392d322e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f637363332d323030392d322d6169612e766572697369676e2e636f6d2f435343332d323030392d322e636572301f0603551d2304183016801497d06ba82670c8a13f941f082dc4359ba4a11ef2301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d010105050003820101004a771eef0950a5b7932ad65178ce614030cb6fcd32bf3519b11622d58054db0fcc426cfb6e2dcff6647ae4afa6306617557af67f17611700e2944024325a39e2425cc931266fbff8c264aaefb18cb1331938ecff248fcf80702448da55fb922f14b066248bf06cf3470644fb9fabd136b9361c7722fb4a116b99863c6a4d2618d5a31ccd98b4b85f31622d7406a70042bdf40c8c3a7ea8aaee38323fcec939795c81aa4bdff97ec1cf5d7df49e07fe294b5fd30fc09a6bd8d41950dac5e1ac694d51bfb9a3231560194ed1c389c089d9f35ea13783bae47da8c40f243e53cc88f38f5ad787f0b146e47a36d891b133f190c0c9709bab355edd1f47a7084b1fa2	nsjE6D4.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A7A6D8E35527A32CC6FDABA7C2132B6FFE488617	nsjE6D4.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4012	msiexec.exe
4012	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3096	msiexec.exe
Token: SeSecurityPrivilege	4012	msiexec.exe
Token: SeCreateTokenPrivilege	3096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3096	msiexec.exe
Token: SeLockMemoryPrivilege	3096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3096	msiexec.exe
Token: SeMachineAccountPrivilege	3096	msiexec.exe
Token: SeTcbPrivilege	3096	msiexec.exe
Token: SeSecurityPrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeLoadDriverPrivilege	3096	msiexec.exe
Token: SeSystemProfilePrivilege	3096	msiexec.exe
Token: SeSystemtimePrivilege	3096	msiexec.exe
Token: SeProfSingleProcessPrivilege	3096	msiexec.exe
Token: SeIncBasePriorityPrivilege	3096	msiexec.exe
Token: SeCreatePagefilePrivilege	3096	msiexec.exe
Token: SeCreatePermanentPrivilege	3096	msiexec.exe
Token: SeBackupPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeShutdownPrivilege	3096	msiexec.exe
Token: SeDebugPrivilege	3096	msiexec.exe
Token: SeAuditPrivilege	3096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3096	msiexec.exe
Token: SeChangeNotifyPrivilege	3096	msiexec.exe
Token: SeRemoteShutdownPrivilege	3096	msiexec.exe
Token: SeUndockPrivilege	3096	msiexec.exe
Token: SeSyncAgentPrivilege	3096	msiexec.exe
Token: SeEnableDelegationPrivilege	3096	msiexec.exe
Token: SeManageVolumePrivilege	3096	msiexec.exe
Token: SeImpersonatePrivilege	3096	msiexec.exe
Token: SeCreateGlobalPrivilege	3096	msiexec.exe
Token: SeCreateTokenPrivilege	3096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3096	msiexec.exe
Token: SeLockMemoryPrivilege	3096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3096	msiexec.exe
Token: SeMachineAccountPrivilege	3096	msiexec.exe
Token: SeTcbPrivilege	3096	msiexec.exe
Token: SeSecurityPrivilege	3096	msiexec.exe
Token: SeTakeOwnershipPrivilege	3096	msiexec.exe
Token: SeLoadDriverPrivilege	3096	msiexec.exe
Token: SeSystemProfilePrivilege	3096	msiexec.exe
Token: SeSystemtimePrivilege	3096	msiexec.exe
Token: SeProfSingleProcessPrivilege	3096	msiexec.exe
Token: SeIncBasePriorityPrivilege	3096	msiexec.exe
Token: SeCreatePagefilePrivilege	3096	msiexec.exe
Token: SeCreatePermanentPrivilege	3096	msiexec.exe
Token: SeBackupPrivilege	3096	msiexec.exe
Token: SeRestorePrivilege	3096	msiexec.exe
Token: SeShutdownPrivilege	3096	msiexec.exe
Token: SeDebugPrivilege	3096	msiexec.exe
Token: SeAuditPrivilege	3096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3096	msiexec.exe
Token: SeChangeNotifyPrivilege	3096	msiexec.exe
Token: SeRemoteShutdownPrivilege	3096	msiexec.exe
Token: SeUndockPrivilege	3096	msiexec.exe
Token: SeSyncAgentPrivilege	3096	msiexec.exe
Token: SeEnableDelegationPrivilege	3096	msiexec.exe
Token: SeManageVolumePrivilege	3096	msiexec.exe
Token: SeImpersonatePrivilege	3096	msiexec.exe
Token: SeCreateGlobalPrivilege	3096	msiexec.exe
Token: SeCreateTokenPrivilege	3096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3096	msiexec.exe
Token: SeLockMemoryPrivilege	3096	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
992	ComSoft-Basic-5.exe
3096	msiexec.exe
3096	msiexec.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 4520	992	ComSoft-Basic-5.exe	71
PID 992 wrote to memory of 4520	992	ComSoft-Basic-5.exe	71
PID 992 wrote to memory of 4520	992	ComSoft-Basic-5.exe	71
PID 4520 wrote to memory of 2552	4520	TestoSetup.exe	72
PID 4520 wrote to memory of 2552	4520	TestoSetup.exe	72
PID 4520 wrote to memory of 2552	4520	TestoSetup.exe	72
PID 2552 wrote to memory of 3096	2552	setup.exe	74
PID 2552 wrote to memory of 3096	2552	setup.exe	74
PID 2552 wrote to memory of 3096	2552	setup.exe	74
PID 4012 wrote to memory of 772	4012	msiexec.exe	76
PID 4012 wrote to memory of 772	4012	msiexec.exe	76
PID 4012 wrote to memory of 772	4012	msiexec.exe	76
PID 4012 wrote to memory of 4152	4012	msiexec.exe	80
PID 4012 wrote to memory of 4152	4012	msiexec.exe	80
PID 4012 wrote to memory of 5024	4012	msiexec.exe	82
PID 4012 wrote to memory of 5024	4012	msiexec.exe	82
PID 4012 wrote to memory of 3804	4012	msiexec.exe	83
PID 4012 wrote to memory of 3804	4012	msiexec.exe	83
PID 4012 wrote to memory of 3804	4012	msiexec.exe	83
PID 3804 wrote to memory of 1208	3804	setup.exe	84
PID 3804 wrote to memory of 1208	3804	setup.exe	84
PID 3804 wrote to memory of 3464	3804	setup.exe	86
PID 3804 wrote to memory of 3464	3804	setup.exe	86
PID 3804 wrote to memory of 3988	3804	setup.exe	88
PID 3804 wrote to memory of 3988	3804	setup.exe	88
PID 3804 wrote to memory of 508	3804	setup.exe	90
PID 3804 wrote to memory of 508	3804	setup.exe	90
PID 3804 wrote to memory of 4912	3804	setup.exe	92
PID 3804 wrote to memory of 4912	3804	setup.exe	92
PID 3804 wrote to memory of 4708	3804	setup.exe	94
PID 3804 wrote to memory of 4708	3804	setup.exe	94
PID 3804 wrote to memory of 3276	3804	setup.exe	96
PID 3804 wrote to memory of 3276	3804	setup.exe	96
PID 3804 wrote to memory of 4888	3804	setup.exe	98
PID 3804 wrote to memory of 4888	3804	setup.exe	98
PID 3804 wrote to memory of 1216	3804	setup.exe	100
PID 3804 wrote to memory of 1216	3804	setup.exe	100
PID 3804 wrote to memory of 4312	3804	setup.exe	103
PID 3804 wrote to memory of 4312	3804	setup.exe	103
PID 2564 wrote to memory of 4028	2564	svchost.exe	106
PID 2564 wrote to memory of 4028	2564	svchost.exe	106
PID 3804 wrote to memory of 4244	3804	setup.exe	107
PID 3804 wrote to memory of 4244	3804	setup.exe	107
PID 3804 wrote to memory of 1200	3804	setup.exe	109
PID 3804 wrote to memory of 1200	3804	setup.exe	109
PID 4012 wrote to memory of 1396	4012	msiexec.exe	111
PID 4012 wrote to memory of 1396	4012	msiexec.exe	111
PID 2564 wrote to memory of 2436	2564	svchost.exe	112
PID 2564 wrote to memory of 2436	2564	svchost.exe	112
PID 2436 wrote to memory of 3968	2436	DrvInst.exe	113
PID 2436 wrote to memory of 3968	2436	DrvInst.exe	113
PID 2564 wrote to memory of 664	2564	svchost.exe	114
PID 2564 wrote to memory of 664	2564	svchost.exe	114
PID 664 wrote to memory of 3312	664	DrvInst.exe	115
PID 664 wrote to memory of 3312	664	DrvInst.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ComSoft-Basic-5.exe
"C:\Users\Admin\AppData\Local\Temp\ComSoft-Basic-5.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\TestoSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\TestoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\csbasic64\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\csbasic64\setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\csbasic64\csbasic64.msi"
      4⤵
      Blocklisted process makes network request
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4EC52126FA34F94BBC161CFC6DDDF0D6 C
  2⤵
  - Loads dropped DLL
  PID:772
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4152
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4AA39A1E81C3260EB88CBBBFD69CBF24
  2⤵
  - Loads dropped DLL
  PID:5024
- C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\setup.exe
  "C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\setup.exe" /S
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3464
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3988
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:508
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4912
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:3276
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    PID:1216
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1200
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 523214642B7579A9962042EBB2A47A95 E Global\MSI0000
  2⤵
  - Drops file in System32 directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:1396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:4236

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Testo\testo175176bus\testo175176bus.inf" "9" "4df1da6af" "0000000000000160" "WinSta0\Default" "000000000000017C" "208" "C:\Program Files\Testo\testo175176bus"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4028
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIBus\ftdibus.inf" "9" "4624a7b47" "000000000000017C" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIBus"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{8f0b9a9c-2035-1743-95e1-07a00e9d47cc} Global\{ca904e62-5e97-7e42-ac03-87028c6d8732} C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\ftdibus.inf C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\ftdibus.cat
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3968
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort\ftdiport.inf" "9" "4ec18cc9b" "0000000000000198" "WinSta0\Default" "000000000000019C" "208" "C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\FTDIPort"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{707a4e5f-b0ee-844c-866a-e60851492c5f} Global\{225faaac-f483-3f41-a413-cdd3248cc8bb} C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\ftdiport.inf C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\ftdiport.cat
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3312

C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\ComSoft.exe
"C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\ComSoft.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58ce0a.rbs

Filesize
1.5MB

MD5
c570367daf5505c6aa48dad8c5a5666c

SHA1
288a0ca79101e5d2f43a48de6b06a3de2f08060a

SHA256
befc670adf9dd86e22f34b37c7d3c9dcb08e9d32655156f21f3f027ba773930e

SHA512
22427a4a29039e1eae38f09f3e633a389a6f230f04dafb30784b575959b4bec894d24abcc8a86e58bb8f25f7657429ef02aaa713f545fb18b47591132603bf19

Download Submit
C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\ComSoft.exe

Filesize
487KB

MD5
0cdb44aecdf02384bc74d2b6dd35c81c

SHA1
151366320cff49e8eabd1a40572cd3806aa12aaa

SHA256
95fc361295f092e772f79a4c3aef579d40ed298a680aa8a91e007e621e9c9baa

SHA512
2fae7415cbbfe04ff44e1a9b4cb88283cdb337286c94f9fc33ef8c6283a99bafd9edb71557e3f536cbcb38c658edb3336904cd7a7f8898e93e8898a5f5e3f43f

Download Submit
C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\setup.exe

Filesize
1.0MB

MD5
bc7e137c4496cbfd6ded3851dcd9d207

SHA1
57bc94e649395bb0693461358e4d7f8cdec1172c

SHA256
b9c3b1694bb5b059eab0c5662950f1bec062c60983440dbde5c99696e93bdbf2

SHA512
28431b59505b69808ff394d9bb38890eb0bd891a5a9860eee878bb4b7b0d1080c9f2aafdb4a32f5469f273574371a6765388f192103a74c1c256f8c397ddea30

Download Submit
C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\setup.exe

Filesize
1.0MB

MD5
bc7e137c4496cbfd6ded3851dcd9d207

SHA1
57bc94e649395bb0693461358e4d7f8cdec1172c

SHA256
b9c3b1694bb5b059eab0c5662950f1bec062c60983440dbde5c99696e93bdbf2

SHA512
28431b59505b69808ff394d9bb38890eb0bd891a5a9860eee878bb4b7b0d1080c9f2aafdb4a32f5469f273574371a6765388f192103a74c1c256f8c397ddea30

Download Submit
C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\setup.ini

Filesize
1KB

MD5
6316af8b147b190eeff1c49ab3e952a1

SHA1
5df9e2b3159d2b5c6a571b4d5e6d10b11637fd3a

SHA256
62cad957acf347d275bc3aaf2f23d75e1c60abc6a375b2b1c4fc5331a831ba15

SHA512
2bb24911d1b17c3006c0585805cb0883d1a9f1b544d27a017b048e7231bb3d2adab602082b3bee63ef9b61fbbf69f26b6073cc3872f7dab170160c6d6a931cae

Download Submit
C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\testo.cer

Filesize
1KB

MD5
eef52348fb73cc7fa42107f5ddfcbac7

SHA1
a7a6d8e35527a32cc6fdaba7c2132b6ffe488617

SHA256
ce06cf56028f352b441a92262ec788c595714583726c1b60be98fc7f5826a88c

SHA512
0eb496124162225587cc3f4a0660577d78f61785ee981e30522ac7366713f84e5846519f922d195e46e5f7d397c3d3862b14cf959c19fc41ab11b21610698d0a

Download Submit
C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\testo175176bus.cat

Filesize
5KB

MD5
a6057cbb66589441a4c4a12bdfe8944c

SHA1
44399edd3db6469d79aea6e5b88a3a81587adc49

SHA256
01a80fb1194dce960f0b39f974a519704b7da3107570428fe6f4e46587e7a880

SHA512
c5eb7df331aef9d470dca3de90c7522a3248fbd3cf672dc52869d88db800de29c7d0a06e8e872f0aa68f51123031ebf92ee75f50fb437b25956c454ff3286b95

Download Submit
C:\Program Files (x86)\Testo\Comfort Software Basic 5.0\USBDriver\TiUsb\testo175176bus.inf

Filesize
2KB

MD5
19a6602d477c5e4d72a8a6eb8d22a6dd

SHA1
914067cb0c55f6cacd043d8bbceecd37bdbee16e

SHA256
ab4ec24f26cf1636920e3700d3dd9b5db267660ad5e3fa049818c753dd96ba6d

SHA512
9c6be75ec89c45524a7e767dcb3825695e3a88cc131974bd645f5b6ba48ec69b7b9f816c0208db7ff3fbcfb8f0968d289bc582515ed428590ec509cf3ff1df20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
8c7f3d561b7f80db228e84c408e9359e

SHA1
2d51d533324f36bf32bb791e2d697afd6416b003

SHA256
4a3c58aed7c288fd0d6b6278b3f647d3982c9137c343ae7955140e369d6fd4a1

SHA512
7df099f69e7d4110f175a77cdaed8739be1a12449423d49e50b74a899a5035ac25feadb7f3ff588e4ad5d351d35e3708129faba91e468ab0e39ae5ac55ff5017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A79B45CEB3953B17FCDFD163EA459E7D

Filesize
727B

MD5
35a3a62caa8424fd00ca7cbd058e7f3f

SHA1
54598f23f86d23f238aefe99254617372203bb66

SHA256
60cd84248818c8406bc2a4b59ab3b033af949a5daf57e30acdaf5f48b83b7286

SHA512
cd1640dab1e59b523fbf1d93886565b72e9951a4c72029b267e063ab9355ec81c2baf10c0e65918b6610da7bb4df52a7481a03921a59c4b1cf54069b2a4c81a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
97c7c8b6481f18dffa7f9419c8fe4f99

SHA1
eb24496320676e87fb5c4a7f31a5aad7fadf8c5a

SHA256
4c036c26bac1ffd63250fa6e0cc1ddf7c4d514c6ad04bb8a4d64b4c1883c077b

SHA512
8acb03305c6070301c37867552f01281535907f0d233166ecb5d8c9eefd1b26f29bf8768c00eb5b7d5c36078c00ec860f59cade9827a713be1486ddd660d802e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
627706f9ffe72d0e3259d9999382da10

SHA1
2ed6b12f8ac2c0242d2f154da3e73f7923eba775

SHA256
e4c740a8fed3e1b6e2b441db9d7d6308b81cfdff977c0dee87bee12a1a2981f6

SHA512
e3fcb9fa19303eb36fc0bf73c0d044f7917bfc9049eee4461822132186b19d8332f790b2516f452e69c0ae844373498113d2fdf77b6a7727693f2b8d7c59c7d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A79B45CEB3953B17FCDFD163EA459E7D

Filesize
404B

MD5
3872956aa505fea37e467b19414467d3

SHA1
6207b76999dd48d0f8f83b78d6af1ffcedc17745

SHA256
050f98da8aa11dfdd358f2294643dc6460091731f2a1b6be99dc8bdfa47bafd2

SHA512
72de979688cc6c01b070c59d995d82f8268676960baa363ba34d1e762e238aa131943500ec212e6b758bb001bb66f6e26100b5797835c9f68ad3fb7e40a5b98f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
d73400b70f7327296300b70ab8ea4339

SHA1
b11acb8acd9f66b9106f33c312d5c6cfa90ca806

SHA256
56c65e5e0f919992c0b3fde24d0f2618ec0f81462458cb92182b8361aa135e39

SHA512
21d4e7ddafd82bc13573ae089c3bca4d4a61e68780e5724675264950a7c288e8a10cf47c2f0f4d8e94ab78b71319b64cd5bd2d4a2babd02b41683459527263e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2100.tmp

Filesize
202KB

MD5
b2052adb8202ed24034dee4cc7bb8515

SHA1
9cab6ba0a629f26a0031ef7aa47f7a25eb7093cb

SHA256
20056d3a5c6115fae1c4169cd5e236897215b340cb1feac71ec8297191db76b9

SHA512
f8ace80d9042f9a66c5db6f5caa4e8237b4fa88b9e3fb25845313b531e8b9e38b262f5a4c74ece0d273cdc2e0017af0b046744d620feb36c2ae81c94ea1a022b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A42.tmp

Filesize
105KB

MD5
d5b5b64c74e5f40a26d1af1c23c28216

SHA1
8d82c7de85c5d50b4459f830da4b43934d312447

SHA256
f7148b04ebf94b2008a0e70f0978b1d9133a3c677889e314f462a3b09e4889ce

SHA512
70cb63b0e0328f3aa4d85e1f5c5059c215011522f44bd742c83906e6bf7d446c1f8ccdb0dd02a08e2199c5e24c0a478879c64459905f53db3b035dbeb53c1d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnP Driver Installer.log

Filesize
732B

MD5
f7985be8ac0aaa5f3aefb143c75a53b2

SHA1
6f55ca74761a50b9b9c401536a8e9431927be821

SHA256
ca6827a120af6ae47aa8c46558b7846337153659d123674430188ff2802eea12

SHA512
2ad7d65323ae9b838b0a18aba5d552957e883aadcfc2f7240e12acc42a115dc2735c16520d3dbeeaadc35d414fe13aa89ab0322c6d326b7f3b7231633409a756

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnP Driver Installer.log

Filesize
880B

MD5
cb6564af649728af8f75664bbbda4ef7

SHA1
44a153c0869c3fb70dec4af4e993bef18b705c51

SHA256
d4249b32d79485ff47c8c215936b9bbabddceb1ef8b62bd0f140fc93b60d8953

SHA512
d65420815fc8887f7a9fc2a3ca32982b0550783887f442251a2eeb00ad96f7206907c84c65c75bb1dbadc2634a020d30f41a88f7fecbb5203bbdd03355d4d7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnP Driver Installer.log

Filesize
3KB

MD5
414942dc5a800fc7c1b785d2f8f72705

SHA1
2345fc14e1a89b24847a8351f119becbd4be38f2

SHA256
4f1644eddbdde2e29739936943602727836103133096fca43581c84d6a6d0e6f

SHA512
3242e9de0fdb1c7027e865739cb9507c29bc6b1109058b7792e668d74d396e4568ddcdffdde49640705a9c7cd2361359991a447a218d507014ed666006e76c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnP Driver Installer.log

Filesize
4KB

MD5
1d7c8d2d85cb953304dc321bd082c978

SHA1
70d47d599cf1aa203c73fd4e8a74018111a31aa1

SHA256
dfb6343f623b0f642c30746238db05aad36297e2283134b2b1d2a2445c7bee97

SHA512
feeb798e03db21d8429a865ddd99948ba9330b4fabfbdae620a7e92473be652be346a70e7c7d98389df279a70f11b97389f3d89195bb74327f7fa30a4e02c963

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnP Driver Installer.log

Filesize
4KB

MD5
108357398617ccf7e7dd0a98c8d7ec84

SHA1
8eef27b8a80d13bc607d75ab9181182391dc4b5f

SHA256
6712e4a2896252bc26e98c5b749a3c69b7dd1bf6d7b2c3fd343943bf337e5450

SHA512
ee4fa81a92512b453efb26d5eb986ed4d144a213911b7bfdbcf9b77490c8609f7c51d81f0935514ca1cb9bd4446e819af889482bc9893e6ba2596c66d452b872

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp

Filesize
215KB

MD5
c8070535966e5def8e5c879bf64fd08a

SHA1
93e2b105c6d15be77eaf4d5ccafb7f61d4499d48

SHA256
16534121f235c69ab988622128991b99f54128019cf808ed9f4acb5f86d809a6

SHA512
a0377f9480cf17950236396cbf0e3ae96e2968803ad82ef629346f37c53e5f4accc489cb6550bd45c2e9831ade6975f8b9626b0ebcb6528c4d94c20cdfc398c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp

Filesize
215KB

MD5
c8070535966e5def8e5c879bf64fd08a

SHA1
93e2b105c6d15be77eaf4d5ccafb7f61d4499d48

SHA256
16534121f235c69ab988622128991b99f54128019cf808ed9f4acb5f86d809a6

SHA512
a0377f9480cf17950236396cbf0e3ae96e2968803ad82ef629346f37c53e5f4accc489cb6550bd45c2e9831ade6975f8b9626b0ebcb6528c4d94c20cdfc398c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp

Filesize
215KB

MD5
c8070535966e5def8e5c879bf64fd08a

SHA1
93e2b105c6d15be77eaf4d5ccafb7f61d4499d48

SHA256
16534121f235c69ab988622128991b99f54128019cf808ed9f4acb5f86d809a6

SHA512
a0377f9480cf17950236396cbf0e3ae96e2968803ad82ef629346f37c53e5f4accc489cb6550bd45c2e9831ade6975f8b9626b0ebcb6528c4d94c20cdfc398c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp

Filesize
215KB

MD5
c8070535966e5def8e5c879bf64fd08a

SHA1
93e2b105c6d15be77eaf4d5ccafb7f61d4499d48

SHA256
16534121f235c69ab988622128991b99f54128019cf808ed9f4acb5f86d809a6

SHA512
a0377f9480cf17950236396cbf0e3ae96e2968803ad82ef629346f37c53e5f4accc489cb6550bd45c2e9831ade6975f8b9626b0ebcb6528c4d94c20cdfc398c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D4.tmp

Filesize
215KB

MD5
c8070535966e5def8e5c879bf64fd08a

SHA1
93e2b105c6d15be77eaf4d5ccafb7f61d4499d48

SHA256
16534121f235c69ab988622128991b99f54128019cf808ed9f4acb5f86d809a6

SHA512
a0377f9480cf17950236396cbf0e3ae96e2968803ad82ef629346f37c53e5f4accc489cb6550bd45c2e9831ade6975f8b9626b0ebcb6528c4d94c20cdfc398c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
35B

MD5
e7a4229b292dc7356ebeef99d7012748

SHA1
eab3d5f5a35d9e782e53fef2edb40620cf13a133

SHA256
f21ed17b37e926370c163b254c860a564c508b5de9f003c179e5a7cb1461536a

SHA512
0f1d3869bb8dd053c647062f9329124bcecb7ee9d266e8feda75e9f49607bff3d403fefc9a14ea60ef1f75c37fbba069469eab2d0b81a1d0b48210a1035b79ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
125B

MD5
2f7e83c2cbe907096d8236236d5ce730

SHA1
bd44173e3782a5c00cd86fd472a75c4da8807b43

SHA256
589e8ebe4946bb5a4a0d9ae62dad6a7954076587df127525c8f76f50a8ecb3e2

SHA512
5b32f4537c10153f883dbc6b15f55ec102b234339f551d96eba3a0d4f77c3c500e10ee6dd9e23a2e4f7da6e03dcbcba28b78b2c2b661fba0900fd0e69a9dcb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
40B

MD5
e559fc1b89d0fc49ef681e5927c9356b

SHA1
f2b5dc7d756d3f06b413aad534fd6516d92f1733

SHA256
cd7051eef2effb019a656c260e345dbe3ddee9b695a50af2d246862678fb54ad

SHA512
c8c64630df4271f5e85299e49d2777378f051183eddeb469f674bfb7ef39dc0f3c4411a2abe087677a66e5f183ba3c1d694a894dc0eeb0e65df4d788b3043c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
69B

MD5
6eaa58dfabe29b01f3e38d91c583c4dc

SHA1
843c8655969256447d7ad7cba628211633ca098e

SHA256
78dee87f3878281ad9dfd0cc2362747d83cec88c398f81b8520ca81223b8147c

SHA512
cb6816ae0b684a892d091bcf0a191061c4d7028a8f8c27b363b415031e62e2ed6fb93bc97339a6239414f767e01592548b7c53bde8f24471bccfcbb4d9420a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
69B

MD5
6eaa58dfabe29b01f3e38d91c583c4dc

SHA1
843c8655969256447d7ad7cba628211633ca098e

SHA256
78dee87f3878281ad9dfd0cc2362747d83cec88c398f81b8520ca81223b8147c

SHA512
cb6816ae0b684a892d091bcf0a191061c4d7028a8f8c27b363b415031e62e2ed6fb93bc97339a6239414f767e01592548b7c53bde8f24471bccfcbb4d9420a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
302B

MD5
f18697ae982da09dd469a88bd25cd7a5

SHA1
1b5a19411ceefd38b86e8085f72bf9d3fa4edd6b

SHA256
eefa58913ed96891345b4811c54b73e714aca5471b11c2d8fbc200fe07838321

SHA512
ad291b3a6c5a01a54b91b7027a83bfba8aa461e1f51d8fdbfbc327b4dd9d63d6d1b53befc70b796e11b9f03346344accffc17a4bbe684d89dcb0307b823cd8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
302B

MD5
f18697ae982da09dd469a88bd25cd7a5

SHA1
1b5a19411ceefd38b86e8085f72bf9d3fa4edd6b

SHA256
eefa58913ed96891345b4811c54b73e714aca5471b11c2d8fbc200fe07838321

SHA512
ad291b3a6c5a01a54b91b7027a83bfba8aa461e1f51d8fdbfbc327b4dd9d63d6d1b53befc70b796e11b9f03346344accffc17a4bbe684d89dcb0307b823cd8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
35B

MD5
e7a4229b292dc7356ebeef99d7012748

SHA1
eab3d5f5a35d9e782e53fef2edb40620cf13a133

SHA256
f21ed17b37e926370c163b254c860a564c508b5de9f003c179e5a7cb1461536a

SHA512
0f1d3869bb8dd053c647062f9329124bcecb7ee9d266e8feda75e9f49607bff3d403fefc9a14ea60ef1f75c37fbba069469eab2d0b81a1d0b48210a1035b79ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
154B

MD5
f86f5873b3dd9b2f478eba7941feb295

SHA1
d87da809914736e2778ce5f92551a72183fe2c4d

SHA256
9264d263f6548fb4123a62f61ab212e80a24477377e6b882331b8458b9fa2770

SHA512
31640bb0a40a142eb0edae2e596ae3856748c5a74d7c8a5a9060fa331837ef7872b7bfca58830ba4776f02c868de6e280cfe9bef45b2641d63bce84114c82a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D5.tmp

Filesize
51B

MD5
94cc07b25c37551e44688ae5b8359c97

SHA1
00a4e6769c2e47a6cb576485dfe3ca718b03d128

SHA256
ed2a37ee583d57d21234e86cde8c9b11a8941ad8fe9670e91af0e8ded8fb9f61

SHA512
8b00a20fc7a4bd8d2094a7d7933ff99061285e1736cb25dc7c012225600591b53345f7d321fe3853a6f0bd6bd51714ca276e72d7b83f10244a82ca39e45cc7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D6.cfg

Filesize
1KB

MD5
a6af541830d79c480afe358779f1987c

SHA1
d02ec728a48d9968515b9f5feb7ff7656632a7f0

SHA256
1e309f62f9cb9dcf12053ef5f1b0b2e2fad40b7f97656a3ae2dc088a48471ddb

SHA512
9799df336cc960b74b072d52ab6bcd2c7a6c6eafa064a6dfc81b13b21b2839ffc916381d4be142cd1864b7d54de89797815ece81d47a9bd90a6867a9d3db5e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D6.cfg

Filesize
1KB

MD5
c77065db8ac95de9d24c89aaa1357058

SHA1
4b68e5d1e36169ac9cc41f999a4eec42a24fbfc2

SHA256
4218779750dd078c6573c03082635692f4b51575ad58fb6da10db6397f10db3f

SHA512
c9d255f613ec7c62b9f540f92c60a565133b52cb61eddc19029fad7556a32dc67f246ad9b4a70df3f71c383c27c9b09b136cbaa4d6e30a87f1286007a0eeade0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D6.tmp

Filesize
388KB

MD5
53aab3a6b32b5ae5e78f89c1073e3841

SHA1
fefd8f6add5b68741e6892380b442db15858549f

SHA256
78e6f6a45a83fa27a7fa596b50a9740f1d45dfa632e0af4024e187ca96f0e1b9

SHA512
7c6a04be5a16dbb1051c6b26a4068bb9aba7c81c293e6233e3006d24e53ccd770830d89297d15f1753b3848c2b855a1e3ba81155c3eba38df508b6b41073aa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE626.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE626.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE626.tmp\registry.dll

Filesize
16KB

MD5
ad0c39f7ff92b650511117ffa94d2a65

SHA1
f99d3932d09b3a883ee7c16465e681e2d0a90bce

SHA256
45e8054f0ac9b39a187efc0365ab871ed3fbd16868721ad3bc9fbbf4f83a64d2

SHA512
3210047bc5827535d0059a2acce84b86b96ea93d29d0829fb2a2d8057fd5245e172258778e2b3c0cf1134f89699e9b83c048656e42eb07b9dac29f20eb53528a

Download Submit
C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\TestoSetup.exe

Filesize
280KB

MD5
2b5fd42b17cd898bf79400533cc8b638

SHA1
36c4baffe3ff541c234bca0cc5a36e8808c486fd

SHA256
05bd5038584f1f8a07697bc098b286a04c49b3183b079a2c37e00d696cf84ccb

SHA512
75b68cd4e901c04bb91b100570ba3804e52a0d05693d62ce4af4313539a361431be55d473fd1f8dab4200ac357d54be5c1f45dd5f454cbf91ac176a1759f432e

Download Submit
C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\TestoSetup.exe

Filesize
280KB

MD5
2b5fd42b17cd898bf79400533cc8b638

SHA1
36c4baffe3ff541c234bca0cc5a36e8808c486fd

SHA256
05bd5038584f1f8a07697bc098b286a04c49b3183b079a2c37e00d696cf84ccb

SHA512
75b68cd4e901c04bb91b100570ba3804e52a0d05693d62ce4af4313539a361431be55d473fd1f8dab4200ac357d54be5c1f45dd5f454cbf91ac176a1759f432e

Download Submit
C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\csbasic64\csbasic64.msi

Filesize
37.7MB

MD5
b40b873d7e0f59282c3509d2048b5cdf

SHA1
6cfa5939acf846b560ade7dfc116502e0f6fafee

SHA256
6a29a64b484f8878b2d9aa2d0ad496b9240cdca386663f1fcf5e2389d7eca6ae

SHA512
738abb5415e12312b04c4c15ea36cffc76c8d522fe1c292a896a98be7d852258b382895b3da20325e1a2921afbb59d30fc41b9e414224486778380ccb31ccc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\csbasic64\setup.exe

Filesize
420KB

MD5
dcd407eb388df372d2954e25420a8946

SHA1
12ce9437fb788e821404f664ccb5b11e61be1e1f

SHA256
596f8c3db9f4af71fb9a27941474e2f1251a67ca5994015478fe43fa0f657d04

SHA512
a5aa6f8e394547ff51ac1790793e96df56781523e276617a7b29ff872240f8d8cc8a620b3716012636f74041df485221ff1f6a459addbeba1e7c0cd7b3c9bc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\testo\ComsoftBasic\csbasic64\setup.exe

Filesize
420KB

MD5
dcd407eb388df372d2954e25420a8946

SHA1
12ce9437fb788e821404f664ccb5b11e61be1e1f

SHA256
596f8c3db9f4af71fb9a27941474e2f1251a67ca5994015478fe43fa0f657d04

SHA512
a5aa6f8e394547ff51ac1790793e96df56781523e276617a7b29ff872240f8d8cc8a620b3716012636f74041df485221ff1f6a459addbeba1e7c0cd7b3c9bc75

Download Submit
C:\Windows\Installer\MSIDABD.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\e58ce09.msi

Filesize
37.7MB

MD5
b40b873d7e0f59282c3509d2048b5cdf

SHA1
6cfa5939acf846b560ade7dfc116502e0f6fafee

SHA256
6a29a64b484f8878b2d9aa2d0ad496b9240cdca386663f1fcf5e2389d7eca6ae

SHA512
738abb5415e12312b04c4c15ea36cffc76c8d522fe1c292a896a98be7d852258b382895b3da20325e1a2921afbb59d30fc41b9e414224486778380ccb31ccc1b

Download Submit
C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\SET2EC7.tmp

Filesize
5KB

MD5
a6057cbb66589441a4c4a12bdfe8944c

SHA1
44399edd3db6469d79aea6e5b88a3a81587adc49

SHA256
01a80fb1194dce960f0b39f974a519704b7da3107570428fe6f4e46587e7a880

SHA512
c5eb7df331aef9d470dca3de90c7522a3248fbd3cf672dc52869d88db800de29c7d0a06e8e872f0aa68f51123031ebf92ee75f50fb437b25956c454ff3286b95

Download Submit
C:\Windows\System32\DriverStore\Temp\{2dcc62df-49ed-9a48-b452-79980e3f66d4}\SET2EC8.tmp

Filesize
2KB

MD5
19a6602d477c5e4d72a8a6eb8d22a6dd

SHA1
914067cb0c55f6cacd043d8bbceecd37bdbee16e

SHA256
ab4ec24f26cf1636920e3700d3dd9b5db267660ad5e3fa049818c753dd96ba6d

SHA512
9c6be75ec89c45524a7e767dcb3825695e3a88cc131974bd645f5b6ba48ec69b7b9f816c0208db7ff3fbcfb8f0968d289bc582515ed428590ec509cf3ff1df20

Download Submit
C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64\ftcserco.dll

Filesize
73KB

MD5
39e2638af413c84609bc851d942cca8c

SHA1
87b813a8edcb6acc10397978d2846c451d81db6f

SHA256
50da92af5be9be519a4648b2c1109a30e3d2341e85c928a58c1af8b4b830d4f3

SHA512
511bbfea7078b62687f64ed8e4f25bffc59529abf1e24e93de9414aa777629efc9576e890c474dc14758679a76e77783ee440bee747ec340fd40004c02172f48

Download Submit
C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64\ftser2k.sys

Filesize
87KB

MD5
fbd982a8b9b94fc17d37edeba40b71e9

SHA1
6176b008b952b4c7aaaf3c14bbb45e3955c01d43

SHA256
2d07f14812af8d0796a2056808c092a71275df3138378aeb2c22a396bec67051

SHA512
f0c7a5b27e0b42462493ed3a39ec4e23c603851f54e427a1c792afd38ed7e8ac3a290ec60922d12f58a7a51705944ff84fc5edc8c0651125b97897fb3061e871

Download Submit
C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\amd64\ftserui2.dll

Filesize
63KB

MD5
6eec15bfcb7b375632aea62530c6777f

SHA1
be85e9df866ca2e3a278bdc4b70f15a996d14c23

SHA256
f716f94e4e31bd72d06152aaef53c8437093e5135430c488ea9f7c4426dd8227

SHA512
b697902e21784b8b724f241b374efd9748cda5d5cb06fe12e65aa96e411e930c0399ec4efe335634b3a2beba7ee4e4fc0fab527925d9ede4754989a74efffda1

Download Submit
C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\ftdiport.cat

Filesize
19KB

MD5
cccea8e9b70b6b1d14d7ea5261741d5a

SHA1
53d0c5b4bf4c66e14038dc9f2ca53b7dc812022e

SHA256
135efa10b6608fae3ff89b839835550511e487bff0c6b9794bb83f715ec75520

SHA512
975d782f90185a05c08206a1180ef15e6527c98b9f1a68a0befddd15163b767f1ad3e1cb92ef7edb7d3afac6c2a24019b1a836daded969d3c39a3aea69f5b9ca

Download Submit
C:\Windows\System32\DriverStore\Temp\{4a154a96-7510-0345-875a-2ce6de1aaf5c}\ftdiport.inf

Filesize
14KB

MD5
de9907b3fc04b30112e26009f3584ef6

SHA1
6bde23b7f46b131c7369ebae25d2d5d23fd81e81

SHA256
da1482b786817380e9d68360b8517b4e5364888d080f644da4e639c5a4d0006b

SHA512
4471a36870ae914ee02eac4dff3e8fb2d97ac188c32b57f905874c958b751cf1bcb5aecda12d4bdc393dac27e95b1110bac3cf271e29671f7a3fa45b8edcad61

Download Submit
C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\FTLang.dll

Filesize
268KB

MD5
8bb75f1ed68c88d6b32c67e86bbb66e4

SHA1
a74b385571c39f6a603149655efbcb13e04c3c40

SHA256
84b22f61827d448946977b259ce06b0a8e83bc1dc7b9d8a208d3e32525f08507

SHA512
3f36043e71dd96e6c4f18e1e439aad56c77a3738d728b29a8c4f79d27f59378a96d689ebb7dfc870ed6ad6ec5b254c39cebc0521ccaa0ff421463a75adcbb25b

Download Submit
C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\ftbusui.dll

Filesize
164KB

MD5
284c4c51734ac901df4e00bab3d7c628

SHA1
e9616a6d0b7b9982a2cf741b5ae2b7b55f33f50f

SHA256
368c42008ecdc511b1c95c67236ba11c69d69e708e00490e014be958952043e1

SHA512
17795545db5d670c2345811dff410323d6bf01b0db97ff48119e90129656ca843ecc906f4553306b1e542ff14fb8e25f0385c99a3569361209953480ddac8eb3

Download Submit
C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\ftd2xx64.dll

Filesize
307KB

MD5
7832f9df38bf967e60ee067a780d0201

SHA1
ed7a81137f109d504899c8e4a6b1e9e3ba108fe2

SHA256
9c282c4580aac9388adadf8c2d9794cca2f953af36331aedf814e936cfed97ad

SHA512
a278ff53ca44cbe471bffa38fe00e86c01b776cdb199a3cbf809162716f6f5bd3db143fd92bedcaa48c0c99e56eddcdde93be2ab40e08713ce32f021a5e20ad3

Download Submit
C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\amd64\ftdibus.sys

Filesize
126KB

MD5
d5f53afcd0d6e0a2925bfff9e2605552

SHA1
e9d81358cecfeac1f58234a40ff52e6282c80039

SHA256
8c494a63b270d8605ab9a4ad7d5ae074f7d466d64adba36f5e559210ecb35617

SHA512
e54bfc393837693fa39c0e95e9c1335f917317d06725c54139f2bb013a6da13826b88c2e9612e2cd0ec530f5f8be2089e32a7d6bff12e3ecb67f09287470bf91

Download Submit
C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\ftdibus.cat

Filesize
15KB

MD5
e81c2220d3b35c4d004c3b140764557c

SHA1
d7eec221ba8adbb44f6b7ef03b180561d139d6b5

SHA256
7e8458cad469c5b89e25ad288bf46ef46c93eeafdea42c9d2aa59a86fb1e1c34

SHA512
ad07efaf844169b6017b8d2df0fee2db91b8930eb711a22444b0e7423dcdfa0193b85926a4f2d93c63c9233418e0866e73ce3322ef45eb4a6ffa2d410e421d8a

Download Submit
C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\ftdibus.inf

Filesize
15KB

MD5
81dc3265d62ecb5f4f863e49356eb995

SHA1
f96aeecdb6e1a6c5f03c1619e681d5eff89cae4f

SHA256
ca0c22005e73462ec5a47d1391607a92b9c8c6e5748b5b46e78417ab30c9fa31

SHA512
772d04b46c434f378c0b5d97c7d4fb87477eda5e5fdc0aa50bf9ff5465bb097edeadac5e2dab2febd7f8114bd7a02b98df2949461d705c02b30231e869a1d1bc

Download Submit
C:\Windows\System32\DriverStore\Temp\{8cd5929a-6142-fb42-8e75-987729770692}\i386\ftd2xx.dll

Filesize
265KB

MD5
2f1e187ff00944e337121064c7bd3f2e

SHA1
f315dcc6154427f06aa0a16e44c149527d61d918

SHA256
f133f056b866d3c1d05db3a52c3457ed2326623a823fc48b724f6cada351224f

SHA512
81e3226ef4fbe8a4604d73eb9489798fed596acbfaf5d4fc7821f502012a4cc90e217387b10d476895446d9b67e789f7c926ddeafd98bb5046807e9dfbad1729

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
188KB

MD5
a3629ab6a75f30d28c650263ce50b044

SHA1
a0bfc67038cc51e82cd384987257a19357755560

SHA256
01cdf57235226f6173aafb5e032a0c474749762854d70c7a4958b6dd68356b2b

SHA512
aeaf3ada476b5fd34a5b5baf1b830cc25cbc692137a01f31d636b528bb3b5e25065704bb4ab4ef6a6d7f88d73e521238430fee3f031e5fc077ea535609e98f18

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2100.tmp

Filesize
202KB

MD5
b2052adb8202ed24034dee4cc7bb8515

SHA1
9cab6ba0a629f26a0031ef7aa47f7a25eb7093cb

SHA256
20056d3a5c6115fae1c4169cd5e236897215b340cb1feac71ec8297191db76b9

SHA512
f8ace80d9042f9a66c5db6f5caa4e8237b4fa88b9e3fb25845313b531e8b9e38b262f5a4c74ece0d273cdc2e0017af0b046744d620feb36c2ae81c94ea1a022b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI5A42.tmp

Filesize
105KB

MD5
d5b5b64c74e5f40a26d1af1c23c28216

SHA1
8d82c7de85c5d50b4459f830da4b43934d312447

SHA256
f7148b04ebf94b2008a0e70f0978b1d9133a3c677889e314f462a3b09e4889ce

SHA512
70cb63b0e0328f3aa4d85e1f5c5059c215011522f44bd742c83906e6bf7d446c1f8ccdb0dd02a08e2199c5e24c0a478879c64459905f53db3b035dbeb53c1d2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D6.tmp

Filesize
388KB

MD5
53aab3a6b32b5ae5e78f89c1073e3841

SHA1
fefd8f6add5b68741e6892380b442db15858549f

SHA256
78e6f6a45a83fa27a7fa596b50a9740f1d45dfa632e0af4024e187ca96f0e1b9

SHA512
7c6a04be5a16dbb1051c6b26a4068bb9aba7c81c293e6233e3006d24e53ccd770830d89297d15f1753b3848c2b855a1e3ba81155c3eba38df508b6b41073aa70

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D6.tmp

Filesize
388KB

MD5
53aab3a6b32b5ae5e78f89c1073e3841

SHA1
fefd8f6add5b68741e6892380b442db15858549f

SHA256
78e6f6a45a83fa27a7fa596b50a9740f1d45dfa632e0af4024e187ca96f0e1b9

SHA512
7c6a04be5a16dbb1051c6b26a4068bb9aba7c81c293e6233e3006d24e53ccd770830d89297d15f1753b3848c2b855a1e3ba81155c3eba38df508b6b41073aa70

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D6.tmp

Filesize
388KB

MD5
53aab3a6b32b5ae5e78f89c1073e3841

SHA1
fefd8f6add5b68741e6892380b442db15858549f

SHA256
78e6f6a45a83fa27a7fa596b50a9740f1d45dfa632e0af4024e187ca96f0e1b9

SHA512
7c6a04be5a16dbb1051c6b26a4068bb9aba7c81c293e6233e3006d24e53ccd770830d89297d15f1753b3848c2b855a1e3ba81155c3eba38df508b6b41073aa70

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE665.tmp\nsjE6D6.tmp

Filesize
388KB

MD5
53aab3a6b32b5ae5e78f89c1073e3841

SHA1
fefd8f6add5b68741e6892380b442db15858549f

SHA256
78e6f6a45a83fa27a7fa596b50a9740f1d45dfa632e0af4024e187ca96f0e1b9

SHA512
7c6a04be5a16dbb1051c6b26a4068bb9aba7c81c293e6233e3006d24e53ccd770830d89297d15f1753b3848c2b855a1e3ba81155c3eba38df508b6b41073aa70

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\registry.dll

Filesize
16KB

MD5
ad0c39f7ff92b650511117ffa94d2a65

SHA1
f99d3932d09b3a883ee7c16465e681e2d0a90bce

SHA256
45e8054f0ac9b39a187efc0365ab871ed3fbd16868721ad3bc9fbbf4f83a64d2

SHA512
3210047bc5827535d0059a2acce84b86b96ea93d29d0829fb2a2d8057fd5245e172258778e2b3c0cf1134f89699e9b83c048656e42eb07b9dac29f20eb53528a

Download Submit
\Users\Admin\AppData\Local\Temp\nstE626.tmp\registry.dll

Filesize
16KB

MD5
ad0c39f7ff92b650511117ffa94d2a65

SHA1
f99d3932d09b3a883ee7c16465e681e2d0a90bce

SHA256
45e8054f0ac9b39a187efc0365ab871ed3fbd16868721ad3bc9fbbf4f83a64d2

SHA512
3210047bc5827535d0059a2acce84b86b96ea93d29d0829fb2a2d8057fd5245e172258778e2b3c0cf1134f89699e9b83c048656e42eb07b9dac29f20eb53528a

Download Submit
\Windows\Installer\MSIDABD.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
memory/3804-459-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-824-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/3804-483-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-1144-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/3804-482-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-481-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-469-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-468-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-465-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-464-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-463-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-462-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-461-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-460-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-458-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-457-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-451-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-429-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/3804-282-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/4580-1325-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/4580-1326-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/4580-1327-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/4580-1328-0x0000000005830000-0x00000000058D4000-memory.dmp

Filesize
656KB

Download
memory/4580-1329-0x0000000002E30000-0x0000000002E3A000-memory.dmp

Filesize
40KB

Download
memory/4580-1330-0x0000000002E40000-0x0000000002E48000-memory.dmp

Filesize
32KB

Download
memory/4580-1331-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/4580-1332-0x00000000058E0000-0x0000000005966000-memory.dmp

Filesize
536KB

Download
memory/4580-1333-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/4580-1334-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/4580-1335-0x0000000005EE0000-0x0000000005FE4000-memory.dmp

Filesize
1.0MB

Download
memory/4580-1336-0x0000000005E60000-0x0000000005EAA000-memory.dmp

Filesize
296KB

Download
memory/4580-1337-0x0000000008A20000-0x0000000008B70000-memory.dmp

Filesize
1.3MB

Download
memory/4580-1338-0x0000000008EF0000-0x0000000008F10000-memory.dmp

Filesize
128KB

Download
memory/4580-1339-0x0000000008F40000-0x0000000008F64000-memory.dmp

Filesize
144KB

Download
memory/4580-1340-0x00000000094B0000-0x000000000956A000-memory.dmp

Filesize
744KB

Download
memory/4580-1341-0x00000000096D0000-0x0000000009830000-memory.dmp

Filesize
1.4MB

Download
memory/4580-1343-0x000000000B570000-0x000000000C70E000-memory.dmp

Filesize
17.6MB

Download
memory/4580-1342-0x00000000093F0000-0x0000000009428000-memory.dmp

Filesize
224KB

Download
memory/4580-1344-0x0000000008FC0000-0x0000000008FDE000-memory.dmp

Filesize
120KB

Download
memory/4580-1345-0x0000000009450000-0x0000000009464000-memory.dmp

Filesize
80KB

Download
memory/4580-1346-0x0000000009440000-0x000000000944C000-memory.dmp

Filesize
48KB

Download
memory/4580-1347-0x00000000096B0000-0x00000000096BA000-memory.dmp

Filesize
40KB

Download
memory/4580-1348-0x000000000A660000-0x000000000A672000-memory.dmp

Filesize
72KB

Download
memory/4580-1349-0x000000000A680000-0x000000000A702000-memory.dmp

Filesize
520KB

Download
memory/4580-1350-0x000000000A8D0000-0x000000000A9D8000-memory.dmp

Filesize
1.0MB

Download
memory/4580-1351-0x000000000A9E0000-0x000000000AB14000-memory.dmp

Filesize
1.2MB

Download
memory/4580-1352-0x000000000AB20000-0x000000000ACE0000-memory.dmp

Filesize
1.8MB

Download
memory/4580-1353-0x000000000C710000-0x000000000CC0E000-memory.dmp

Filesize
5.0MB

Download
memory/4580-1354-0x000000000B040000-0x000000000B39C000-memory.dmp

Filesize
3.4MB

Download
memory/4580-1355-0x00000000096C0000-0x00000000096C8000-memory.dmp

Filesize
32KB

Download
memory/4580-1356-0x000000000A800000-0x000000000A848000-memory.dmp

Filesize
288KB

Download
memory/4580-1357-0x000000000ACE0000-0x000000000AD56000-memory.dmp

Filesize
472KB

Download
memory/4580-1358-0x000000000A1B0000-0x000000000A1B8000-memory.dmp

Filesize
32KB

Download
memory/4580-1359-0x000000000AE60000-0x000000000AEA2000-memory.dmp

Filesize
264KB

Download
memory/4580-1360-0x000000000AF50000-0x000000000AFC0000-memory.dmp

Filesize
448KB

Download
memory/4580-1361-0x000000000A5C0000-0x000000000A5CA000-memory.dmp

Filesize
40KB

Download
memory/4580-1362-0x000000000A630000-0x000000000A648000-memory.dmp

Filesize
96KB

Download
memory/4580-1365-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/4580-1366-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/4580-1367-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/4580-1368-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download