1311662208589ca5c9b826d14de36e2b55d018934e6aa781b5e69f00a1b82431

Analysis

max time kernel
7s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Size

14.0MB
MD5

27f56fe9c8bb63aadfa43ce4e34eec40
SHA1

5d271dc411d8470cb2b6e3000eab86d529434d41
SHA256

31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc
SHA512

d96daa8f91bbb2c1fe2ac45ffb7e3ec8c77c0925f4904097dc919c585509d971f52c71a10e584881962ecfa25ae4ce10c2be999f1d65cf831558872dfb39c656
SSDEEP

196608:t9iQpZfwAwdwpTyXvXPbHoPh2KNrM6ZkjmpxqZBrSnM77M:b+wOv/zoPh2KfmkwUMfM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2924	vcredist_x86.exe
1212	VCREDI~3.EXE

Loads dropped DLL 29 IoCs

pid	Process
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2924	vcredist_x86.exe
2924	vcredist_x86.exe
2924	vcredist_x86.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	VCREDI~3.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPEngineUninstaller.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XHttpLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XMemPoolLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatform.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPLauncherPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPlatformPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XBasicLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatform.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPEngineUninstaller.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPLauncherPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\default.xtheme	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\OpenSource License.txt	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XClassLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XHttpLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformAX92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\default.xtheme	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\npXPlatformPlugin92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformAX92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\OpenSource License.txt	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XBasicLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XMemPoolLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XClassLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File opened for modification	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformLib92.dll	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
File created	C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VCREDI~3.EXE	vcredist_x86.exe
File created	C:\Windows\TMP4351$.TMP	vcredist_x86.exe
File created	C:\Windows\VCREDI~3.EXE	vcredist_x86.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\InprocServer32\ThreadingModel = "Both"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\CLSID\ = "{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\ = "XPlatformAXCtrl92 Class"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\TypeLib\Version = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\TypeLib	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ = "IXPlatformAXCtrl92"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ProxyStubClsid32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\FLAGS\ = "0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\TypeLib\Version = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\InprocServer32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\MiscStatus\1	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\TypeLib	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\Version	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\Version\ = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}\TypeLib\Version = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}\TypeLib\Version = "1.0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92.1\CLSID	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\VersionIndependentProgID\ = "XPlatformAX.XPlatformAXCtrl92"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\MiscStatus\ = "0"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92.1	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\Control	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\InprocServer32\ = "C:\\Program Files (x86)\\TOBESOFT\\XPLATFORM\\9.2\\XPlatformAX92.dll"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\TOBESOFT\\XPLATFORM\\9.2\\XPlatformAX92.dll, 102"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ = "_IXPlatformAXCtrl92Events"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ = "IXPlatformAXCtrl92"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A733AAE8-110A-4D4E-BC83-9328FEC01C1B}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\CurVer\ = "XPlatformAX.XPlatformAXCtrl92.1"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\VersionIndependentProgID	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\AppID = "{A733AAE8-110A-4D4E-BC83-9328FEC01C1B}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\TypeLib	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}\TypeLib\ = "{4CBCE6F5-1E75-4813-897A-432959766B20}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92.1\CLSID\ = "{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\ToolboxBitmap32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\MiscStatus\1\ = "131473"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\ = "XPlatformAX92 1.0 Type Library"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\HELPDIR	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\ = "XPlatformAXCtrl92 Class"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\Programmable	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\0	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\ProgID\ = "XPlatformAX.XPlatformAXCtrl92.1"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{43C5FE00-DD32-4792-83DB-19AE4F88F2A6}\TypeLib\ = "{4CBCE6F5-1E75-4813-897A-432959766B20}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92\CLSID	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\HELPDIR\	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ = "_IXPlatformAXCtrl92Events"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D639579B-004B-455D-A738-809746AC00F3}\TypeLib	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A733AAE8-110A-4D4E-BC83-9328FEC01C1B}\ = "XPlatformAX"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XPlatformAX.XPlatformAXCtrl92.1\ = "XPlatformAXCtrl92 Class"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\0\win32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4CBCE6F5-1E75-4813-897A-432959766B20}\1.0\0\win32\ = "C:\\Program Files (x86)\\TOBESOFT\\XPLATFORM\\9.2\\XPlatformAX92.dll"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A1800FA-0890-4081-AFBA-91570ECB5F5E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ProxyStubClsid32	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D639579B-004B-455D-A738-809746AC00F3}\TypeLib	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2924	2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2132 wrote to memory of 2924	2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2132 wrote to memory of 2924	2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2132 wrote to memory of 2924	2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2132 wrote to memory of 2924	2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2132 wrote to memory of 2924	2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2132 wrote to memory of 2924	2132	31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe	28
PID 2924 wrote to memory of 1212	2924	vcredist_x86.exe	29
PID 2924 wrote to memory of 1212	2924	vcredist_x86.exe	29
PID 2924 wrote to memory of 1212	2924	vcredist_x86.exe	29
PID 2924 wrote to memory of 1212	2924	vcredist_x86.exe	29
PID 2924 wrote to memory of 1212	2924	vcredist_x86.exe	29
PID 2924 wrote to memory of 1212	2924	vcredist_x86.exe	29
PID 2924 wrote to memory of 1212	2924	vcredist_x86.exe	29
PID 1212 wrote to memory of 2012	1212	VCREDI~3.EXE	30
PID 1212 wrote to memory of 2012	1212	VCREDI~3.EXE	30
PID 1212 wrote to memory of 2012	1212	VCREDI~3.EXE	30
PID 1212 wrote to memory of 2012	1212	VCREDI~3.EXE	30
PID 1212 wrote to memory of 2012	1212	VCREDI~3.EXE	30
PID 1212 wrote to memory of 2012	1212	VCREDI~3.EXE	30
PID 1212 wrote to memory of 2012	1212	VCREDI~3.EXE	30

C:\Users\Admin\AppData\Local\Temp\31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe
"C:\Users\Admin\AppData\Local\Temp\31509a8632447e0b6ad6a2e0a414f8a22bb95f910560dd7a551aa75e52e1defc.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe
  "C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe" /Q /T:C:\Windows
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\VCREDI~3.EXE
    C:\Windows\VCREDI~3.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /i vcredist.msi
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:776
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD81F829E917F4A5711CA2C431D92EB2
  2⤵
  PID:2224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1536

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "000000000000032C"
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\OpenSource License.txt

Filesize
11KB

MD5
4aa6eb19b5760f59faf5af19c00c52f7

SHA1
3456acd01c6687f1bae5323b5832c2a548b38f66

SHA256
decb5f311741af43441f0df5b70cc0dd8b8c6ebe7e3109474e70b6ab9252fa2d

SHA512
b1044af4fb86a3e33162ebd908052a503181cf75a790d2c96b75a0ab2a9255175daa3c3ca583214e8255207a4e70416e91632766740963aa17cf842c1727358f

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformLib92.dll

Filesize
94KB

MD5
384ec80eb5a2487d1fe7bbec36e04574

SHA1
4d0f0d7ed657e546903363989d5ccb6d96b8663b

SHA256
dda155579fc80117a4802866d8d254b28025aab0417cfcb7059261f71f57c964

SHA512
eeaa7756ef4eb3fe48283d5b7a4b86ed765041801974c2e86fb3d00e0f7068059c69baf001128c06df8569c1c926d64b87c946789881477f49c0e816baea4333

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
128KB

MD5
82450f5de6e128c85d880748c7753192

SHA1
42f51bcc1f047d9185209310f799ac2cfb835088

SHA256
79d25e066c6f0f881cc8a95b8cc336ae9c18428f7c7e1db011a1f3acb814a869

SHA512
ee3999a942e3bbbd0b88f18b32c7adae55eb588c0f906a084e1fcba0b11aabc5f874a11d76b33dc955b4ddb3934f26ea2e39f83a8d31da333595bac15654ab8b

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
71KB

MD5
356e5db1d753cefccf37ec74faa4e90d

SHA1
0a174b9d6790033e410fe53df8792dd10a58a0be

SHA256
bb2c56c3cf198294c490914f97f3cff211d8ecb5b293d7443e25fe7642c573b2

SHA512
3a7e6647bf0e300befb4269c572df9862e3144eb6b7dd2b0f1af77926a3a23c7bdc54d52f4bcfccc2cbc997c8113ef8735d2647be70c3a7b495d9ce105313aca

Download Submit
C:\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
33KB

MD5
47cea8fe43e1403d6ac36b14c0dfeeec

SHA1
40c805377171a8611320d4cbda7d0a6c16b3d6ac

SHA256
5cda2b2c9430002fa864723c5aecd3a12aec582d1cf24ac4ee4c9b7eadd229d3

SHA512
1f272e0d08ab737d668eb15a547cab2de242687e722e6b9ab9868c7ae743526842738c4340ce7eb4dd64b18cc11ee9dfb49d49a036715abdd56da7c0f1e672fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d59233297b817af5d43b5e7c68bb058e

SHA1
60faa9dad8df301c65538c7002c6031a2e1be7e7

SHA256
a6750948522f28f86ab1812cc88fd7a16b854bb0f030324a6cc563bf58bc2e78

SHA512
35a70753ee906d3c41ef3c2fcf66cbabefc2f550ced71cd597de71bcef40a94101096c7fdf143c398c85d55f2efc5fa232a919f779132473b82385a35598ed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab78B9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
16KB

MD5
9e1fc2fc4f1ad73dc934278a10f46721

SHA1
8acd4a94f34c720bc4c03a225a0083c17ca9211c

SHA256
f9fb69fde90c4022fa03541d6f8aebbf1cf694353d3fd48ce7d4e7d7d63dd89e

SHA512
433434b09248ac34dafd33ec4d2750e28137a52cddfd5c7d1a7d9be99db5f2951b00a49526c8f57840bfbc8dd48279ee406b9ab9bb607864eec3863c56545c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
68KB

MD5
70919cf1e37b9359f3929da0a63a0b50

SHA1
647c0c7dcf0d0047209f36b9deb0d55b387328bf

SHA256
29ef59ae86e4f8b480efdf1e68c10c81bc47ad651708fc4a687c46d619a74aa2

SHA512
1fa8e9c1ff43cd7cde45d7d8f14f74037d09c0161104f869b121e9be092ecec2d6e46c0129ba86f3e5864be17542c7297e311c06168e32fdcd1113be0363b398

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
71KB

MD5
a024b4fa7c5c915c4fd0f18a410d19d7

SHA1
78574ecb3e91f0058d98873d3a6f2037285b1fc2

SHA256
a1d14d8cbfcd2c8873bcb1e2602c1f53479bfa9281febe5515e5d65a14683122

SHA512
d312bdd33ea726f1db83ed292b427c24cd433535a9aae25fbf0b4fc33a0772056c37c683f1ef8818d4b81b6b77de3a0bc5f0b9216dc482e34cdb0f43a4aa65c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
112KB

MD5
c12c03612147f727c27ce9d80fa73835

SHA1
d41579ac43eccc2228796df8d5f02e906f5e0e05

SHA256
2c60e723a569cbd6904569dabcf82a0551109edca08d16a5ebb7748f86da364b

SHA512
da30a91cf7d109efce6ae6a009c2a35606fce4a8ad1c0770421e078ec3f023d394f73d8de0c66184e7c8435aae9fc3707906c6cd6f86f26ddd4107e29ed32a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
135KB

MD5
b144731277c8ddf98a3384596bf240c3

SHA1
4b55909b614fd9a396a5e03ca7fa142f6fd5c804

SHA256
1e80af21b9279efa718a56da4bac3235567de6e91f1849c1450824fa93b89100

SHA512
1b5111b5eedb3817ef5ac1044216e9efbebb82a5849bac99e5d3a414c688ef256741a26a785ce938a78cc8ed66df1a0428cc900c1530e26257057530f2429503

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPlatform.exe

Filesize
62KB

MD5
a161b59a780f1a15c4f9209c1635b3fb

SHA1
0635e6b902dda3313367d75b7487fcee97024457

SHA256
27c1dae04ad26181f10d4c57870145a70e1567bcae88eb1a27c374a5d8191c6b

SHA512
658628e78e2bd86fd5084116c9010e62503755764a4ad58bbe46479fd88b1d898859ed4f708c7401b1fb5f4a67137341dc2333159d089ada24fcb132959a8fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPlatformAX92.dll

Filesize
49KB

MD5
9d908350e6e2629dc89d6d8a19bfb438

SHA1
193c24b9142231bdbd3eb566d68ab83593984e86

SHA256
3e9863850d776d415df66e99bb3c307a917a282665d908fdbce5dbd01fa9cbc8

SHA512
a495a7c0143996f099119d41669f144fda6f8ef8d94a4e77662385e54021ad7e14bb200a03056ece9235f36bbebcece8c17380fc29e141b738496c1356f023d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\npXPLauncherPlugin92.dll

Filesize
104KB

MD5
98c93a557acc034a6fcf03156368effb

SHA1
53f47f6f32bf19d3302136d37350c6b77e04580c

SHA256
aa54694418dcdba1544e1ccc632e599bfc9b913ca90d831a7cf6869c1576a087

SHA512
19798279deb110afb496dff3c4faa42667f7bc8479bebf34803f1dbe4d42d1076a87c3996d793f601b19257fd62855ff04d91ad0aa8830b35e7b1a58a467fbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\npXPlatformPlugin92.dll

Filesize
43KB

MD5
22f3f193efddc1df25dfb02fec5736cb

SHA1
e1227526fa4ba7eac9ad1243de1dca1584ff59bc

SHA256
c6847efc00ad6a861aaabf84ff1d0927acc24dbb1cceaf8647350e15bce2939c

SHA512
227e5995a016d3e5c630b6dbdec699bec73e83e1a9a16e32a4c6939fdd75e08e6b5a897eaf365cb2f6df8bc139281b29b1b153a1000cfdd7fe946dad1ad45274

Download Submit
C:\Windows\Installer\f77788a.msi

Filesize
1KB

MD5
ed0b03928567b102fabf75e1e08f2bf8

SHA1
99d31583390548bca42f496e8875a0b954dbcfa4

SHA256
9f2336e8765a0db3e429b333d6de3f597030a28f1b6d6437c265c1d0db63116d

SHA512
3b12b98f722cb8296dc6a276a0bd7d9f0f016f728419a6e2d215d2b39150f9e59c1a730ebc20f433a04098c893951addba9791d882406756bc4e19bc3db5f7be

Download Submit
C:\Windows\VCREDI~3.EXE

Filesize
79KB

MD5
a54bcbf100b8203b9034e74d13f0aa77

SHA1
b0c395327b7c7cc68939555a9ad854647c19d4a0

SHA256
0a60954a32958cc47189b065dc723bfa9f126cbcdb678c62507698623783519e

SHA512
5ac7fc9cdc63cfdfa64d441e261850152856077547863e4315d5a628d1489d0358408a2e31093d7e62097b312c99b3a54d9798cb99a251167b8070a02d483e2b

Download Submit
C:\Windows\VCREDI~3.EXE

Filesize
75KB

MD5
a7079de91e746a5cf4ba1f8f247fbd29

SHA1
d9e4d9eacb918b29ba34e62db81825d60fa9b4d7

SHA256
7744339fa79edb04cd2c5cc12961c4fee54fbe2bbad68537a9c25136c93d795e

SHA512
ff6a6b7163b11a8b9642384aade1c26659176207b58d8a5b8f5216d4675c06a13a0631ad09c273a1fb5ad27b28b067f087546c67489674abfc25343f25fcb25f

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\XPlatformAX92.dll

Filesize
93KB

MD5
4f4be51eaf726311a641d0ed08d1f708

SHA1
8f3651dfbfb51d3f6897bdc6ee28a6234f0ecd57

SHA256
4d6a1cfe33434b45b4eb58c1d5a37a5f52c7612e9a794d35b8beabbd92d10d28

SHA512
7dccacafa25279e85ca606241aff5da63533381c3dc9f3de5bf7f923a7c08780fcda2ab35cca95d5efb52ac238a85c359ff1a3b00134c28cac0b8ed13e0b6277

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
49KB

MD5
f5a2dcab01fbf6823f6182594708d8a3

SHA1
922a832c2e3463a40155bbb40579890b3d478c27

SHA256
05e8947fe45a3681b72417158e8ce2c39f261af7d42c2aedc182e7b0e8259ec6

SHA512
4c3c5cfaae614dab7b7284328bd6a5e212f7051e9ec2208a06782966b627a3324a4b7c2764ade0525b2215daef51c0f22d28dbb27126f249dec970ee2c70fe70

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
34KB

MD5
bf5052b516ba53024f2f36f441412707

SHA1
018d26ce064c39bf4731478a474b99636cdb2356

SHA256
9153790623e06ee445435709a47b662b5f6e5beba0fa34266846319a964b5907

SHA512
df93ad6053dfb933c042d43c2d6d5ccd5b12db71bf7290a6cff38c7157fc19558fedb9d8a0cb7d2c1390903475f4880a86396b609521d91372b7c309402fc648

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
77KB

MD5
5eab8ab7a15992ed7936cd36001c2763

SHA1
724786be79238bcf8d497e4c8f2c80ddc76b1f58

SHA256
294e20e1e6bc651348877727d648af897bb816f5ec5f5a35239a1027acafee6a

SHA512
d8af7dfd25ff9fc22d4ef8060b3194ed13ab869547e538bf5090ad35799531905af448347d96944d812b94c6ffb263fb0943f855e7703db3c3ed29b4d2417bda

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
24KB

MD5
d65074c37e59ef6186d5fce36f6e0ee1

SHA1
e04046fbaa99727f6437a29c14e6f603cf353406

SHA256
205560649a0f6cbe75808a005a8144ceefb24abdb039e0ef9e3c56000fdeda92

SHA512
b4394a0e4c5bc833e427e61e7bd557a288eadd5d5a203e338dd235b7358f2ce14e6f285778c23e4b2407f29e96228ae4f59864873c5ba6f7b1d9e495e90b468d

Download Submit
\Program Files (x86)\TOBESOFT\XPLATFORM\9.2\vcredist_x86.exe

Filesize
101KB

MD5
97051ed7a5375e2fe06cdf352f25a524

SHA1
aa8a19199dbb9f76540525abcb13264ac0455e3d

SHA256
576f0280b01171cee957320ae3fd89cec5b3366c5e6210e049b72eded08c91db

SHA512
954cfa2b09319f25eb33058a144fdf2ff4e2123fcf694cdccf57b6b1917b0a1ded9e885b0f0e2f127102447410be0840fdc6724f2751a3c0e43d30d32294a373

Download Submit
\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
6KB

MD5
ab9c55401c4a1d73377b607f2bdd15a2

SHA1
495733d19e54d03868391e77250e8cfe603ab06f

SHA256
7cf6a3305c0e0b6ec4ee85287b2b1377b619c9db258576c747337296d25b7c7f

SHA512
0a507e1899b2538666b47c2ea7b1e303d61910f860cc64e8eba85d26a716b6690851892ab7d68266851e19674f6c175febea5e6aa628e92f241aab54bbc3596f

Download Submit
\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
180KB

MD5
375da870a29d419354d4956ed3ad03a7

SHA1
9ece3e4ee2e440efdb7ff98ca6dc30db10003a0f

SHA256
b9284aca6131f2230928e4ff7023fff9d766a79ac838b2272ccb8e303490f5d6

SHA512
d31f3d74e39af95361baf02741ffd9bdcbcadd625f99bd84b760c2ba36d40321e40c9d88d8aec29ac2db57137923672e695efa2d731c264bd5b33e16be50b35e

Download Submit
\Users\Admin\AppData\Local\Temp\XBasicLib92.dll

Filesize
79KB

MD5
944169d2902b223d368c445dd17b264b

SHA1
775a4b6a8c072f079ac7a3e510806ac22bdeacdd

SHA256
2b79a05883387346ba6ec3f503d3083f8bb23fca67e973801d5dd0abaaa202b3

SHA512
227942b7d5955cef49e2178be2e0bc05ed438341e9b25ced9ec1ac08c6aa81d6d2c2acec621afab81da09d384767c7effed5a523e8c4560ada98443213768b61

Download Submit
\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
74KB

MD5
59902462c88f613c59f7fd6c99b2b8f2

SHA1
9ea7f17d00faaefd6c6f649af8a71b7d1d9429c9

SHA256
d72a50967366dc7c7d5e1d8e1d58ae57d6e2d2bd7185855c9780714f78dd7fdc

SHA512
b98ce9e47486297670f38361f75b27e617515990ed73550cbe930a70893b2e50127f607b260229e9b22525b798cb9340edbf82700b9a31c2a1ae11c9695b08c5

Download Submit
\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
53KB

MD5
1c1ea4b7661c3af9241bbab85e3c9462

SHA1
420cb33635897f51fc773fb8652c80484425459f

SHA256
948bd5d2c2963255220c84dbc8d01b96dc34d11d4125dc7d34081be1b3a519fd

SHA512
c9cd3292a1d24f70dcfde86a5f8e42eada549e256dc8024c804efa77da897afc852a53ee5cd64eafa2afb1143f55451aaa0829f740a8bc5b24a0834c3742c803

Download Submit
\Users\Admin\AppData\Local\Temp\XClassLib92.dll

Filesize
85KB

MD5
28417c3b66cd126b7087a4de9b17714d

SHA1
2d637191b0d01f5bdf61a662795fb2a973b3ee19

SHA256
35d3357c851bb62e6fcfdadb056a80256b184ac536b7eb5f9be1220a5fdea017

SHA512
b7bc78fead47a463da72ee4ab60728556bef3dbe8ef8a9fb0394e04e6effff53e8552aad498ac88bf436d5a1ab8ae85748dc04be543985e91968d5ea21d109d2

Download Submit
\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
67KB

MD5
0ad6e6a2713a716f5fd599d35ccefec4

SHA1
f72d6d7949468921c51572ad2951b480ece60559

SHA256
27ef61dd9476404ab09e1fe404365a3dc3cf4848c042d36fcfb45e10662b45bc

SHA512
7616e3784637d568fb55d1b6d31d4888dd3900b542624fdd126222138c4a95283262421b8351160c993a106250d379c85f7aff60738f4b05c9a37c9d9e8416b1

Download Submit
\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
53KB

MD5
c07ef049d2365d02ba03c5b042ff6989

SHA1
35e21cbba872588fe4604b2b0c7e05b4d7e4b796

SHA256
25dd2101fc6954bad090848522b09788e04e88df3eb2498b6a976c9c1ad856fd

SHA512
ed4c1df5a74d0ac9ef7a6b9ea4d99a87ffb6a1f62410a3e5a870c98e46623ebe67c897ce892bd8bf677bac694b539138c856cd59450b95cbac2558164b86547d

Download Submit
\Users\Admin\AppData\Local\Temp\XHttpLib92.dll

Filesize
47KB

MD5
028c28f2b075155bc825ef50f5ea4f28

SHA1
827b8afcce370a8923cf7d4a2404f557f3538b27

SHA256
5c583bdaaca1e0346edfb71f899520e4fde3f2b2ab339a481746d484f7f054dc

SHA512
362d3a9344e327bdfbae5cb4d4538a962a97112ca8714ebf82c378c6a0b182ef7259e8e957ff00774c91f86f8cd2874c1edc8f789772bf73ba9e22fdf47ac352

Download Submit
\Users\Admin\AppData\Local\Temp\XMemPoolLib92.dll

Filesize
24KB

MD5
bbbc1b4082fd2cf775f25df2f3c2ffd6

SHA1
08377c226d0b008e8534c822cd4dc8eb77c352bb

SHA256
58fb7d84f128797b721c5982db51fe4a0c25c8890d63fabadef6442ba4633f10

SHA512
8157964a6df1dab7250ddfabf530b36f0a25746c77fd5988d9a1f5e04a940c1b4367cfc4ebd28e5fbf0cb6902382eb6a7f8386f08decd46814ab496efbe5976e

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatform.exe

Filesize
92KB

MD5
343aefda441ab4ad95b370fc134a4f30

SHA1
c58c5a036a57a7d0120d02ead98b0195dc858d73

SHA256
3df5d33e59a9fac033566aa575f72ef07b6f0e0c7e293f6b2615f62964838b58

SHA512
d04b8eccef974b450dff3409b81705c2000b8260403153d4ce875abe5f509fc6bddeec16b3a1623e893ef10e86c9ee05294838580266df25c1f8d0ad4bc4af8c

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatform.exe

Filesize
73KB

MD5
f1f6ac9c375492582a925b834c88e320

SHA1
d3921ec6b45a902c78e389b44ed49d06efc0e3ee

SHA256
ae156cd7eeeee802ed98b361153c34bc4b5a3fa762467809cf033d66f963f501

SHA512
c1fa3afe191c3910ba068163b5a76ddec4a20191ba0ef7d8a8483e93238b07a51094c07d6471ae2715caec621bd7d1c7ac4cf61e6b6f1f8bb0ccc0d7cdd258a2

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformAX92.dll

Filesize
97KB

MD5
463ff9834044326d15c7e086fbca4b9f

SHA1
ded2964e08e990fe80a13d0c2bf549de5ecc8d8c

SHA256
b66140366bab84318967e5aae9d038da31762f596e87e6741146a6f5876adc69

SHA512
9d45e8a7d87c45f154baf61e72a45f6c83e0671f774660d907501e67f6b94bbd9428ba1b89b948ef8b06f073a036bafec50af2030b742adab58457d1dc9d2ff9

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformAX92.dll

Filesize
36KB

MD5
e84aea6ccab56fa8e19d3e4445b47bde

SHA1
6180046f59b2ab96cca7fe3d8eae45a67138b906

SHA256
97fd667892f2f5e95f460e16f8efddba89964d46783b4d513a5eef953d404887

SHA512
5839324036cdd63e580354e9567789ba057548ef7254ae4ae8258c64af2a7ee35caa636fe3cf928408e1ef08440f2ccad4f86c4ebde3545779a55e50f372390d

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformLib92.dll

Filesize
47KB

MD5
c3c6343c7c51ab6ad395fa7f1e20dcd5

SHA1
94d53780d76732b795f069f1b64107339a27d3d7

SHA256
5a39731c16a3cc9b984f6b5de284a6a042286c77a9d0c8967fae4aef17a85485

SHA512
edcd3b611d3e86950de5852bb35cadbd3206b27da23c115cdc912217bf5ce58a510d40c1e4297aea7a91fdac9a67f55d06d30a95d06e05e341622740f02cd949

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformLib92.dll

Filesize
80KB

MD5
f84d8be42f2e84993613f76fdaea093f

SHA1
4083a57dfc393c08ec45455962f259012ecdfe6e

SHA256
e69217f3f8759e87b0aa1af7b429f6516718711a572d0e65bae652176f5b4fd8

SHA512
ce4fb347686331be8d6f0bf89448477e3489494864f6e9b4af98749ef26a65acd985e3b681ef7c00350c9a34f76ccd04ffd3258094dcf60e9b1b543d82a9d18c

Download Submit
\Users\Admin\AppData\Local\Temp\XPlatformLib92.dll

Filesize
130KB

MD5
eb6bbef96bd50b08064c6b5a08659cdf

SHA1
e927559752e948a9b2f2b231c8e40ff0085ad8ca

SHA256
c78f7c56384e03cdc7337ec0361b0d532e7e7bddd3850975e456d16d5ca5128f

SHA512
ce7702aa10595cf66b76a9f7b2b1d0b83df279f47f10d121115c300db375781e8e7c0bd5f3de02646268f6e45371aebe3dfad04b97070ebda34ed99197bb34ae

Download Submit
\Users\Admin\AppData\Local\Temp\npXPLauncherPlugin92.dll

Filesize
67KB

MD5
a3dbeeb78208b8d5a17c7f6fa0be5574

SHA1
12ada489d13bd2ccd12b049ceac146cfd0dc0685

SHA256
1b84d2accb4a8eaf6d4944ab026f5ae2dc8e497b7c0ab20efa53829dce0d2b64

SHA512
21251a305f642819299528ea94d6290ca9de922f131cace5948884fabe853cc0f8ff6f3d5446f3279e1d4e163a7ec1e9395d2f718ada9f5813a165910cbc4b2a

Download Submit
\Users\Admin\AppData\Local\Temp\npXPLauncherPlugin92.dll

Filesize
45KB

MD5
0183f30f3ba8889956d651d06c22240f

SHA1
be4dba9cffa6b93209198917f5facc5fa67a8b5a

SHA256
9f834e83fb8cc1f41b1e0fa74151b2b6e74efb11ad73459f19015a87d0c26b64

SHA512
9965f6263a452ca51932b67c879c653e11623b2c91acc8e5e59f10774bcfb765b3ad743bfd4664a85ffd73a9243cf345b5be2539fe7a024f2a71ad0d4ebb3934

Download Submit
\Users\Admin\AppData\Local\Temp\npXPlatformPlugin92.dll

Filesize
88KB

MD5
62114054fa5cf6ebfd0b0768e9785357

SHA1
588807895f0f6fbf7150fd4db37ef27fd9579d16

SHA256
921618f252d7c6bd4fb093079b8ec5bf0c125d768caef66d64c49c3e5f16195b

SHA512
f0c6ef876ff413d427fc6283838a321ac4579505aa3c9dc7bb91e8d05e5358620b1f9a684a25ba401ee8df8851e6db71a30e11b1f8e1e9f58a9b0f1329511938

Download Submit
\Users\Admin\AppData\Local\Temp\npXPlatformPlugin92.dll

Filesize
76KB

MD5
a55029bcf0ed85efffac8fc12820f75d

SHA1
02d6ccb45306c5ee0020e451bc0221a6eb268fbb

SHA256
7eefc429615a94c973805c1cdc54844e6b87b64b8fc7d793f7dc1ba0237fd7aa

SHA512
689a5915bc42c477b8ddaa7ab1c69b739c104f678870777976a966f2518e3e6e3e22b62ee345bb97496457443965dbc54b801ec2b1964c5b212ce1f20b64f2de

Download Submit
\Windows\Installer\MSI7CA1.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
memory/2132-103-0x0000000001820000-0x0000000001854000-memory.dmp

Filesize
208KB

Download
memory/2132-91-0x0000000003D30000-0x00000000041CA000-memory.dmp

Filesize
4.6MB

Download
memory/2132-95-0x00000000041D0000-0x00000000043FF000-memory.dmp

Filesize
2.2MB

Download
memory/2132-108-0x0000000004400000-0x0000000004479000-memory.dmp

Filesize
484KB

Download