8261b2c779b217838ed6873426bd40030b6ce1e1f3645529dac7c6ab015d6250

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spacedesk_driver_Win_10_64_v2112.msi
Size

4.7MB
MD5

ef5eb5dba160db286cee572eb50ecb1b
SHA1

3a09c68be4928bad70723ac170350888413f39c1
SHA256

8261b2c779b217838ed6873426bd40030b6ce1e1f3645529dac7c6ab015d6250
SHA512

be639698e8d46918225eae348a4915fb8e2681f0eced53f37fc887036bda956e94926c6988f62f812a7e1923d3666e938fa58ceb5c012b2b1949a07b26b3fb1e
SSDEEP

98304:gSdCUt7trauapinC/o6PhvkkWYzVq3UHXeUR9+:RkE7tOvQnyPaXE

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\spacedeskDriverAndroidControl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET63D6.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET63D6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\spacedeskDriverBus.sys	DrvInst.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	4164	msiexec.exe
7	4164	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidusb.inf_amd64_61add788f4d66839\amd64\spacedeskDriverAndroidUsb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskktminputmouse.inf_amd64_96adfd1912f06435\spacedeskKtmInputmouse.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a69b4c24-fa8b-c14a-9367-883a6838419b}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriveraudio.inf_amd64_5f028417c7e42db4\amd64\spacedeskDriverAudio.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_13ea77b9eea9208c\spacedeskDriverAndroidControl.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverhid.inf_amd64_bf54ec09d0f1b070\spacedeskDriverHid.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_046736ce8babdf8d\amd64\spacedeskDisplayUmode1_2.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_13ea77b9eea9208c\amd64\spacedeskDriverAndroidControl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a69b4c24-fa8b-c14a-9367-883a6838419b}\SET5511.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\SET4C37.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f414c658-fdd2-1f42-8239-7a8e8deb738a}\SET51C6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskktminputmouse.inf_amd64_96adfd1912f06435\spacedeskKtmInputmouse.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac8cbee4-1c6c-694d-b57b-b8d9f643a0f0}\SET5B0D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\SET6230.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\amd64\spacedeskDriverAndroidControl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f414c658-fdd2-1f42-8239-7a8e8deb738a}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\amd64\SET4C77.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a69b4c24-fa8b-c14a-9367-883a6838419b}\spacedeskKtmInputmouse.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\amd64\SET6232.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_abcbc2d85579e21e\spacedeskDriverBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b0350547-0468-d84a-8b33-0c3a576c7376}\SET58BB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac8cbee4-1c6c-694d-b57b-b8d9f643a0f0}\amd64\spacedeskDisplayUmode1_0.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c68b4149-29c8-7c41-b357-6b1fe11c4077}\SET5F03.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c68b4149-29c8-7c41-b357-6b1fe11c4077}\spacedeskdriveraudio.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b0350547-0468-d84a-8b33-0c3a576c7376}\amd64\SET58BA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c68b4149-29c8-7c41-b357-6b1fe11c4077}\amd64\spacedeskDriverAudio.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\spacedeskDriverBus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f414c658-fdd2-1f42-8239-7a8e8deb738a}\SET51F5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b0350547-0468-d84a-8b33-0c3a576c7376}\amd64\SET58BA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_046736ce8babdf8d\spacedeskdisplay.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriveraudio.inf_amd64_5f028417c7e42db4\spacedeskDriverAudio.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\amd64\SET6232.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\amd64\SET4C77.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f414c658-fdd2-1f42-8239-7a8e8deb738a}\amd64\spacedeskDriverAndroidUsb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a69b4c24-fa8b-c14a-9367-883a6838419b}\SET5551.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b0350547-0468-d84a-8b33-0c3a576c7376}\spacedeskDriverHid.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c68b4149-29c8-7c41-b357-6b1fe11c4077}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\SET4C67.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\spacedeskDriverBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_13ea77b9eea9208c\spacedeskDriverAndroidControl.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b0350547-0468-d84a-8b33-0c3a576c7376}\amd64\spacedeskDriverHid.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b0350547-0468-d84a-8b33-0c3a576c7376}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\SET4C37.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ac8cbee4-1c6c-694d-b57b-b8d9f643a0f0}\SET5AFC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac8cbee4-1c6c-694d-b57b-b8d9f643a0f0}\amd64\SET5B1D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ac8cbee4-1c6c-694d-b57b-b8d9f643a0f0}\amd64\SET5B1D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6e4c0f73-0466-fd4c-b371-04ea7b29ebc0}\spacedeskDriverAndroidControl.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverhid.inf_amd64_bf54ec09d0f1b070\spacedeskDriverHid.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac8cbee4-1c6c-694d-b57b-b8d9f643a0f0}\amd64\spacedeskDisplayUmode1_2.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_046736ce8babdf8d\spacedeskDisplay.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ac8cbee4-1c6c-694d-b57b-b8d9f643a0f0}\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverHid.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriveraudio.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAudio.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverBus.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskktminputmouse.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskktminputmouse.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriverhid.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDisplayUmode1_2.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAudio.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\SpacedeskSetupCustomAction64.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAndroidUsb.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriverbus.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverBus.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverHid.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskKtmInput.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDisplayUmode1_0.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAndroidControl.sys	msiexec.exe

Drops file in Windows directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI613F.tmp	msiexec.exe
File created	C:\Windows\Installer\e58438c.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI50FD.tmp
File created	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	MSI4717.tmp
File created	C:\Windows\INF\oem0.PNF	MSI4717.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI4A75.tmp
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{C992B9F6-B2FF-499A-9C4A-29DB732CDF44}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A75.tmp	msiexec.exe
File created	C:\Windows\inf\oem9.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\e58438c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4717.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI53DD.tmp
File opened for modification	C:\Windows\Installer\MSI5DE2.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem8.inf	DrvInst.exe
File created	C:\Windows\Installer\{C992B9F6-B2FF-499A-9C4A-29DB732CDF44}\ShortCutIcon.exe	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI57E5.tmp
File opened for modification	C:\Windows\Installer\MSI5A09.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI5DE2.tmp
File opened for modification	C:\Windows\Installer\MSI49E7.tmp	msiexec.exe
File created	C:\Windows\Installer\{C992B9F6-B2FF-499A-9C4A-29DB732CDF44}\installerIcon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65D5.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem9.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI57E5.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{C992B9F6-B2FF-499A-9C4A-29DB732CDF44}\installerIcon.ico	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI50FD.tmp	msiexec.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem8.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6672.tmp	msiexec.exe
File created	C:\Windows\Installer\e58438e.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{C992B9F6-B2FF-499A-9C4A-29DB732CDF44}\ShortCutIcon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI53DD.tmp	msiexec.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI613F.tmp
File opened for modification	C:\Windows\Installer\MSI64AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4541.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6867.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI5A09.tmp
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	MSI4717.tmp

Executes dropped EXE 18 IoCs

pid	Process
2320	MSI4717.tmp
4260	MSI49E7.tmp
3968	MSI4A75.tmp
4172	MSI50FD.tmp
1300	MSI53DD.tmp
636	MSI57E5.tmp
3500	MSI5A09.tmp
3520	MSI5DE2.tmp
3340	MSI613F.tmp
4216	MSI64AB.tmp
4132	spacedeskService.exe
2532	spacedeskServiceTray.exe
4756	MSI65D5.tmp
3572	MSI6672.tmp
2252	MSI6867.tmp
1764	spacedeskConsole.exe
4872	spacedeskService.exe
4708	spacedeskServiceTray.exe

Loads dropped DLL 1 IoCs

pid	Process
4988	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	MSI613F.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MSI5A09.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MSI53DD.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	MSI57E5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MSI53DD.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MSI53DD.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MSI57E5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MSI613F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MSI5DE2.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MSI613F.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MSI53DD.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MSI53DD.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	MSI57E5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MSI613F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	MSI5A09.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MSI613F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	MSI4A75.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	MSI5DE2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	MSI57E5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	MSI5A09.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	MSI5A09.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	MSI4A75.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	MSI53DD.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	MSI57E5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MSI5DE2.tmp
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000237a6c0e57fb805f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000237a6c0e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900237a6c0e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d237a6c0e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000237a6c0e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MSI4A75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\datronicsoft\v3DDK	MSI4717.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\Version = "33619980"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\ProductIcon = "C:\\Windows\\Installer\\{C992B9F6-B2FF-499A-9C4A-29DB732CDF44}\\installerIcon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\ProductName = "spacedesk Windows DRIVER"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7D4CBC34A6B7014BBE966DEFF93900B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9B299CFF2BA994C9A492BD37C2FD44	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\PackageCode = "3D55AC23B9222914AB6A83BB856E54CA"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\SourceList\PackageName = "spacedesk_driver_Win_10_64_v2112.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6F9B299CFF2BA994C9A492BD37C2FD44\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7D4CBC34A6B7014BBE966DEFF93900B\6F9B299CFF2BA994C9A492BD37C2FD44	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6F9B299CFF2BA994C9A492BD37C2FD44\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4200	msiexec.exe
4200	msiexec.exe
2320	MSI4717.tmp
2320	MSI4717.tmp
1764	spacedeskConsole.exe
1764	spacedeskConsole.exe
1764	spacedeskConsole.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
3428	powershell.exe
3428	powershell.exe
3428	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe
3084	powershell.exe
3084	powershell.exe
3084	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
4992	powershell.exe
4992	powershell.exe
4112	powershell.exe
4112	powershell.exe
4992	powershell.exe
4112	powershell.exe
1280	powershell.exe
1280	powershell.exe
4948	powershell.exe
4948	powershell.exe
1280	powershell.exe
2332	powershell.exe
2332	powershell.exe
4948	powershell.exe
2332	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4164	msiexec.exe
Token: SeSecurityPrivilege	4200	msiexec.exe
Token: SeCreateTokenPrivilege	4164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4164	msiexec.exe
Token: SeLockMemoryPrivilege	4164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4164	msiexec.exe
Token: SeMachineAccountPrivilege	4164	msiexec.exe
Token: SeTcbPrivilege	4164	msiexec.exe
Token: SeSecurityPrivilege	4164	msiexec.exe
Token: SeTakeOwnershipPrivilege	4164	msiexec.exe
Token: SeLoadDriverPrivilege	4164	msiexec.exe
Token: SeSystemProfilePrivilege	4164	msiexec.exe
Token: SeSystemtimePrivilege	4164	msiexec.exe
Token: SeProfSingleProcessPrivilege	4164	msiexec.exe
Token: SeIncBasePriorityPrivilege	4164	msiexec.exe
Token: SeCreatePagefilePrivilege	4164	msiexec.exe
Token: SeCreatePermanentPrivilege	4164	msiexec.exe
Token: SeBackupPrivilege	4164	msiexec.exe
Token: SeRestorePrivilege	4164	msiexec.exe
Token: SeShutdownPrivilege	4164	msiexec.exe
Token: SeDebugPrivilege	4164	msiexec.exe
Token: SeAuditPrivilege	4164	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4164	msiexec.exe
Token: SeChangeNotifyPrivilege	4164	msiexec.exe
Token: SeRemoteShutdownPrivilege	4164	msiexec.exe
Token: SeUndockPrivilege	4164	msiexec.exe
Token: SeSyncAgentPrivilege	4164	msiexec.exe
Token: SeEnableDelegationPrivilege	4164	msiexec.exe
Token: SeManageVolumePrivilege	4164	msiexec.exe
Token: SeImpersonatePrivilege	4164	msiexec.exe
Token: SeCreateGlobalPrivilege	4164	msiexec.exe
Token: SeCreateTokenPrivilege	4164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4164	msiexec.exe
Token: SeLockMemoryPrivilege	4164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4164	msiexec.exe
Token: SeMachineAccountPrivilege	4164	msiexec.exe
Token: SeTcbPrivilege	4164	msiexec.exe
Token: SeSecurityPrivilege	4164	msiexec.exe
Token: SeTakeOwnershipPrivilege	4164	msiexec.exe
Token: SeLoadDriverPrivilege	4164	msiexec.exe
Token: SeSystemProfilePrivilege	4164	msiexec.exe
Token: SeSystemtimePrivilege	4164	msiexec.exe
Token: SeProfSingleProcessPrivilege	4164	msiexec.exe
Token: SeIncBasePriorityPrivilege	4164	msiexec.exe
Token: SeCreatePagefilePrivilege	4164	msiexec.exe
Token: SeCreatePermanentPrivilege	4164	msiexec.exe
Token: SeBackupPrivilege	4164	msiexec.exe
Token: SeRestorePrivilege	4164	msiexec.exe
Token: SeShutdownPrivilege	4164	msiexec.exe
Token: SeDebugPrivilege	4164	msiexec.exe
Token: SeAuditPrivilege	4164	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4164	msiexec.exe
Token: SeChangeNotifyPrivilege	4164	msiexec.exe
Token: SeRemoteShutdownPrivilege	4164	msiexec.exe
Token: SeUndockPrivilege	4164	msiexec.exe
Token: SeSyncAgentPrivilege	4164	msiexec.exe
Token: SeEnableDelegationPrivilege	4164	msiexec.exe
Token: SeManageVolumePrivilege	4164	msiexec.exe
Token: SeImpersonatePrivilege	4164	msiexec.exe
Token: SeCreateGlobalPrivilege	4164	msiexec.exe
Token: SeCreateTokenPrivilege	4164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4164	msiexec.exe
Token: SeLockMemoryPrivilege	4164	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4164	msiexec.exe
2532	spacedeskServiceTray.exe
2532	spacedeskServiceTray.exe
4164	msiexec.exe
2532	spacedeskServiceTray.exe
4708	spacedeskServiceTray.exe
4708	spacedeskServiceTray.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2532	spacedeskServiceTray.exe
2532	spacedeskServiceTray.exe
2532	spacedeskServiceTray.exe
4708	spacedeskServiceTray.exe
4708	spacedeskServiceTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 4988	4200	msiexec.exe	86
PID 4200 wrote to memory of 4988	4200	msiexec.exe	86
PID 4200 wrote to memory of 4988	4200	msiexec.exe	86
PID 4200 wrote to memory of 3164	4200	msiexec.exe	97
PID 4200 wrote to memory of 3164	4200	msiexec.exe	97
PID 4200 wrote to memory of 2320	4200	msiexec.exe	99
PID 4200 wrote to memory of 2320	4200	msiexec.exe	99
PID 4200 wrote to memory of 4260	4200	msiexec.exe	100
PID 4200 wrote to memory of 4260	4200	msiexec.exe	100
PID 4200 wrote to memory of 3968	4200	msiexec.exe	101
PID 4200 wrote to memory of 3968	4200	msiexec.exe	101
PID 1048 wrote to memory of 628	1048	svchost.exe	103
PID 1048 wrote to memory of 628	1048	svchost.exe	103
PID 1048 wrote to memory of 2664	1048	svchost.exe	104
PID 1048 wrote to memory of 2664	1048	svchost.exe	104
PID 4200 wrote to memory of 4172	4200	msiexec.exe	105
PID 4200 wrote to memory of 4172	4200	msiexec.exe	105
PID 1048 wrote to memory of 1884	1048	svchost.exe	106
PID 1048 wrote to memory of 1884	1048	svchost.exe	106
PID 4200 wrote to memory of 1300	4200	msiexec.exe	107
PID 4200 wrote to memory of 1300	4200	msiexec.exe	107
PID 1048 wrote to memory of 3236	1048	svchost.exe	108
PID 1048 wrote to memory of 3236	1048	svchost.exe	108
PID 4200 wrote to memory of 636	4200	msiexec.exe	109
PID 4200 wrote to memory of 636	4200	msiexec.exe	109
PID 1048 wrote to memory of 4312	1048	svchost.exe	110
PID 1048 wrote to memory of 4312	1048	svchost.exe	110
PID 4200 wrote to memory of 3500	4200	msiexec.exe	111
PID 4200 wrote to memory of 3500	4200	msiexec.exe	111
PID 1048 wrote to memory of 3504	1048	svchost.exe	112
PID 1048 wrote to memory of 3504	1048	svchost.exe	112
PID 4200 wrote to memory of 3520	4200	msiexec.exe	113
PID 4200 wrote to memory of 3520	4200	msiexec.exe	113
PID 1048 wrote to memory of 1732	1048	svchost.exe	114
PID 1048 wrote to memory of 1732	1048	svchost.exe	114
PID 4200 wrote to memory of 3340	4200	msiexec.exe	115
PID 4200 wrote to memory of 3340	4200	msiexec.exe	115
PID 1048 wrote to memory of 548	1048	svchost.exe	116
PID 1048 wrote to memory of 548	1048	svchost.exe	116
PID 1048 wrote to memory of 3352	1048	svchost.exe	117
PID 1048 wrote to memory of 3352	1048	svchost.exe	117
PID 4200 wrote to memory of 4216	4200	msiexec.exe	118
PID 4200 wrote to memory of 4216	4200	msiexec.exe	118
PID 4132 wrote to memory of 2532	4132	spacedeskService.exe	120
PID 4132 wrote to memory of 2532	4132	spacedeskService.exe	120
PID 4132 wrote to memory of 2532	4132	spacedeskService.exe	120
PID 4200 wrote to memory of 4756	4200	msiexec.exe	121
PID 4200 wrote to memory of 4756	4200	msiexec.exe	121
PID 4200 wrote to memory of 3572	4200	msiexec.exe	122
PID 4200 wrote to memory of 3572	4200	msiexec.exe	122
PID 4200 wrote to memory of 2252	4200	msiexec.exe	123
PID 4200 wrote to memory of 2252	4200	msiexec.exe	123
PID 1764 wrote to memory of 2944	1764	spacedeskConsole.exe	131
PID 1764 wrote to memory of 2944	1764	spacedeskConsole.exe	131
PID 1764 wrote to memory of 3428	1764	spacedeskConsole.exe	133
PID 1764 wrote to memory of 3428	1764	spacedeskConsole.exe	133
PID 1764 wrote to memory of 5044	1764	spacedeskConsole.exe	136
PID 1764 wrote to memory of 5044	1764	spacedeskConsole.exe	136
PID 1764 wrote to memory of 4556	1764	spacedeskConsole.exe	138
PID 1764 wrote to memory of 4556	1764	spacedeskConsole.exe	138
PID 1764 wrote to memory of 3084	1764	spacedeskConsole.exe	140
PID 1764 wrote to memory of 3084	1764	spacedeskConsole.exe	140
PID 1764 wrote to memory of 2896	1764	spacedeskConsole.exe	143
PID 1764 wrote to memory of 2896	1764	spacedeskConsole.exe	143

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\spacedesk_driver_Win_10_64_v2112.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BA8A05BDCCC52C81B84F6D05231C5CDD C
  2⤵
  - Loads dropped DLL
  PID:4988
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3164
- C:\Windows\Installer\MSI4717.tmp
  "C:\Windows\Installer\MSI4717.tmp" -preInstallCheck_W10
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Windows\Installer\MSI49E7.tmp
  "C:\Windows\Installer\MSI49E7.tmp" -qWaveCheck
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\Installer\MSI4A75.tmp
  "C:\Windows\Installer\MSI4A75.tmp" -install_android_control,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3968
- C:\Windows\Installer\MSI50FD.tmp
  "C:\Windows\Installer\MSI50FD.tmp" -install_android_usb,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  PID:4172
- C:\Windows\Installer\MSI53DD.tmp
  "C:\Windows\Installer\MSI53DD.tmp" -install_ktm,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1300
- C:\Windows\Installer\MSI57E5.tmp
  "C:\Windows\Installer\MSI57E5.tmp" -install_hid,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:636
- C:\Windows\Installer\MSI5A09.tmp
  "C:\Windows\Installer\MSI5A09.tmp" -install_iddcx,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\,0
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3500
- C:\Windows\Installer\MSI5DE2.tmp
  "C:\Windows\Installer\MSI5DE2.tmp" -install_audio,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3520
- C:\Windows\Installer\MSI613F.tmp
  "C:\Windows\Installer\MSI613F.tmp" -install_bus,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:3340
- C:\Windows\Installer\MSI64AB.tmp
  "C:\Windows\Installer\MSI64AB.tmp" -install_server,C:\Program Files\datronicsoft\spacedesk\
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\Installer\MSI65D5.tmp
  "C:\Windows\Installer\MSI65D5.tmp" -openFirewall,C:\Program Files\datronicsoft\spacedesk\
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\Installer\MSI6672.tmp
  "C:\Windows\Installer\MSI6672.tmp" -spacedeskProgramFilesDelete,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\Installer\MSI6867.tmp
  "C:\Windows\Installer\MSI6867.tmp" -otherFirewallCheck
  2⤵
  - Executes dropped EXE
  PID:2252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{767a9c25-ac5c-bc4f-8974-39bf82528673}\spacedeskDriverAndroidControl.inf" "9" "44282f7e3" "000000000000014C" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:628
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "1" "ROOT\SPACEDESK_ANDROID_CONTROL\0000" "C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_13ea77b9eea9208c\spacedeskdriverandroidcontrol.inf" "oem3.inf:*:*:1.0.445.8:ROOT\VID_DATRONICSOFT_PID_SPACEDESK_DRIVER_USB_ANDROID_0001," "44282f7e3" "000000000000015C"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:2664
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf" "9" "4c4c2d17b" "0000000000000184" "WinSta0\Default" "0000000000000188" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1884
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6b55f1f7-b2e3-094f-878f-ca24e84e3244}\spacedeskKtmInputmouse.inf" "9" "431da1b7b" "0000000000000188" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3236
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0cdfe7b3-a2f6-fd4b-8c68-5d55f2612fed}\spacedeskDriverHid.inf" "9" "4427793e7" "000000000000015C" "WinSta0\Default" "000000000000014C" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4312
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{ec5ce845-e214-fe41-8ec5-56a55090f530}\spacedeskdisplay.inf" "9" "442436977" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3504
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e861ce6d-23a5-4645-84db-ff8278ba99eb}\spacedeskDriverAudio.inf" "9" "447268673" "0000000000000158" "WinSta0\Default" "0000000000000184" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1732
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8442168c-ba07-2a4a-bf8e-457f4565fb2d}\spacedeskDriverBus.inf" "9" "4522ade83" "0000000000000164" "WinSta0\Default" "0000000000000188" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:548
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "1" "ROOT\SPACEDESK_VIRTUAL_BUS\0000" "C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_abcbc2d85579e21e\spacedeskdriverbus.inf" "oem9.inf:*:*:1.0.445.40:Root\VID_DATRONICSOFT_PID_SPACEDESK_VIRTUAL_BUS_0001," "4522ade83" "0000000000000164"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:3352

C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe
"C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe
  This is spacedesk Service calling.
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2532

C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe
"C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-NetConnectionProfile > "C:\Users\Public\netconnectionprofile.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-NetConnectionProfile > "C:\Users\Public\netconnectionprofile.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe
"C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe"
1⤵
- Executes dropped EXE
PID:4872
- C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe
  This is spacedesk Service calling.
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58438d.rbs

Filesize
540KB

MD5
d0e33bd2a51ac2cb24135c21ffcc47c9

SHA1
fa85d5316fcbdf037de59fa6254015d793cc9a8d

SHA256
4321f742dd4c74e56b6571f600fc388e830d262167235be9b389c875a1c16590

SHA512
5193b645f758577224ab8cbea8c9929f96d59000be7213efce7093f7d064e71fcd22d81f4e1185a379c4aef7cb829c024b1b586746d394de0a20de8a186db233

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDisplayUmode1_0.dll

Filesize
136KB

MD5
a97dfefb607d5ed226e49b584dcef206

SHA1
25908e74c10f417bc398e9833977a24246f36005

SHA256
1d73fba133c466bf8339ac2accc097781b8d93bbe5519cbcd5a28a221faf9dac

SHA512
2d316f6f8c298a7542e0ca9f9c854c50d5ecead833b108b92eb9f48f090413117e7550c39bcb29cd07d5c8ec68c4d91b06152fda12a7ff4eec69dd8773886717

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDisplayUmode1_2.dll

Filesize
136KB

MD5
c9ecdffd10750e5fad6d5319f75a5ca9

SHA1
4953803df46fa64ac0818a5c532fb746e3fc6aa1

SHA256
411ec23facc6258bc0343bd851aabaec48f52e9e9b8e6e3b3a2b49b7852fea45

SHA512
10e963a1641d0c7dca0041490f9a5332a64d609ca0d79e6cd42e5907275d1aebbb969e0fdca621df19511daa415c22697557d77c10ac7a188d3955dfdd296327

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAndroidControl.sys

Filesize
49KB

MD5
170642b3ce200fec362060c67f560673

SHA1
a9a1812ed1c7c89a414c908a8bd1f5d05df219dc

SHA256
ee6bab365925343a0b73fdfa087103336b21690a698dcb7b91de5fed2c4454c0

SHA512
a2cc04033044ce48ce9cf5d5c4b2e091fcf09e4fa8d9138daa4270a3d5f2c4e4b1dc02b0e63024d64859be190f5536dac755a8d54404b3542bbe12cd041dd7f9

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAndroidUsb.sys

Filesize
43KB

MD5
abcf6e9cb55dec1ae68854a91a4199a6

SHA1
0d9471bcc595277ab5a27b2bf91cca0bef8e4336

SHA256
97c816a005b7a066176fab07ae5dd324a7dcca93839eaa6ffe22c3a27e230df3

SHA512
d6c506c77eb1f9c36f93991af91321dda6f76195ab09cc6db916f73f3c6eb1cc14dca98104a54651c03cbe08f72e5a00ec28f75825b388ce3acd5a72e2c9a839

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAudio.sys

Filesize
135KB

MD5
330c31805c9e2f8b594f79b7d8c63cd7

SHA1
af865cda469126d0f7208f92d8e5dd30331810d1

SHA256
ff09c098f44679fc668a10a837ca9de8f57d986c26bdec73513c7df58b06b800

SHA512
e23d5a1f1fbf75e5565dcf91555a025fb416bcee739b1c83d56c3f015668971b6422673ece28f2f4086b66d3bf1dbe3c00629cd2514c44459793581d03c1bbe2

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverHid.dll

Filesize
97KB

MD5
99843f0c701bffcf7c56f47b34395a69

SHA1
281d2554451bc5b4a2097424ad6f21830aa0d7f0

SHA256
398fea56c1b0074b41282dd673043b3c5b1a2b10f7f0925f51bee6e7b5f8a2f2

SHA512
38e0066bc10f2c0ab7087d042dfd6ab7343e4809e2857a00f72b331fd9f1cae97a63f290cbc3c76d781812419fe705092d48b03f0c36ed8fd548c9710b9de207

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskKtmInput.sys

Filesize
41KB

MD5
fad80e5e02e03e48609c852a489f6cd3

SHA1
b711d9025e0b6f6567d1407d65d7f67daca292a5

SHA256
398582f8456f404653129df83d04b40f85c6b61cf213c86b75766cf77d323386

SHA512
fcc2bac894faae66c28168775bb97d75a708443bb4000c64e74ca21a3c357215f6a7bd626bbdbc090e6a55eec707de2faa7e7631129d3d4ed196fc6804033c06

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDisplay.cat

Filesize
13KB

MD5
6f52e53107099dd6022f1288473c5ebf

SHA1
e1e3c47faa5d009d624f70e23f9fdad52698e97f

SHA256
da3a008f1f0046388dc79e6bbcf548175000056887f897482c7db072642807ff

SHA512
26e910e1879f3828ee8482325e3730634302eb93549c40c6685d45407ac96b94d4427c7ef1ceaa50e16f3c226db8302e36374d5d0463c7fe1ebccc2ce56fa586

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverAndroidControl.cat

Filesize
12KB

MD5
19ee64fa9f7a7b566068dc3251aa8112

SHA1
427b9e39a98f22b97ba9d9a025671c1f2c60bc40

SHA256
005a5f2fc2f9661e62ee8adb15579964d104b26dc67b7e28c3adb9b9c947755c

SHA512
e55e6c8d54b4c8461bb22f76804fe80a7d8b4a1ff471f4efa7c32347534c8fe16166fe1ec2c1a67acd37e2aecdbe9948f282cd1c29dae281b572c551f434cacf

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverAndroidUsb.cat

Filesize
12KB

MD5
b8aeea537343fbe8a2bf6019cf537339

SHA1
6d869527f5660264fe6ad77e50b9739f93585546

SHA256
002a10228b378af9df703bebff0d27633d3e0b6e9954a88a3779f14743bffe4a

SHA512
963bc4aefe9bf784336652bd78b66848e7510048adebe81730dd685a9af7e3aabb0f3856a07e4a75616b76e29be981759cf884981d296c3f873e1192c28b0ea2

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverHid.cat

Filesize
12KB

MD5
1df7ad327ce6e0604d1e29e2941c0003

SHA1
b4746c9638a9e0d7e9e1c7f6a69e175f5e738d3f

SHA256
6c41517afa9f366b68e0ca720ed9cdd362fa6c4a51df3108736b5c666443c2f3

SHA512
3b980c5480252574d71a14bc848344d915bbe552abac50324cb74ceb3e5718d9f9aeaf8f3ce86784c6555ac647013d3957ce5ab12c804ffdcc0554e2cfc8678d

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskKtmInputmouse.cat

Filesize
12KB

MD5
42a4ed6e6b94e1b74e9c5538ea3af0b4

SHA1
b394e9f6c9cde7985a86c87ab2823641f32c8eea

SHA256
6d363492a43aa06bf2e5ee919c3a1d4cdd4de1ae6eca0c6d94cedd0490d1e530

SHA512
5d9620a8f7c6b7033ead1e99ef74976c6fec066d56e5ba51abfbb616b93c970e73961aae8511656779a36d6c799363f1cf57eec889bb06223077a304a9f8848a

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskdriveraudio.cat

Filesize
15KB

MD5
710ee13c1f6ba72e25414ee4bff1e993

SHA1
50993cf17f397fe7f8b06df7af50b750781b76da

SHA256
34ffd8509dc23002d2d1dd9c1fef27ae8cd14bac5a99db73d427314c46c5ae8c

SHA512
4034b3eb2c2b03ba05f7215eba863c87a87f79389d55a3ac481b87256c21af2938d08d4549d089264e06e44e5d56eea21e1167331db32f4c602823487bd0c721

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.inf

Filesize
3KB

MD5
a9b63baf155b43d1c6a5d45b717bc9b1

SHA1
28c5982172b6c8f7f15487fcb2639710547d9bc1

SHA256
513253c10e027e807f8ff02ce29b542dcddeea7576ad7fbc112a6d15bfa0c820

SHA512
1f8468c84548a34d5e2504696b2883ea84c5d18ee406a96de90c611fc457725c598f4f7e2bf4fb9148e17d1e3cb5375898f8e2c0dadb46555e84b8ef224a8165

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf

Filesize
4KB

MD5
6b3ab204d23fb8584728074c0d097511

SHA1
6e007ee626269538cc4c5283642568b82c9aca55

SHA256
fa7c3d6b72d8adf875c2446c6ff17a26ef785893a0279e87f675ea0d51a13aa0

SHA512
f1fd1bc5364b2e4c703c5597d04f710cb544ab99da99ee274005a62b278dd97c33b366151c1cac4107048ed76acb24775bbf6a73852716eba3040ddc11886ff7

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAudio.inf

Filesize
20KB

MD5
23e653a98b3ebfb5a474a30c0fb7f770

SHA1
8e9f5b638451379a5706df066e11657c484ae160

SHA256
6f1ea7acb6c668695d64cfe3d4323eaa6e997702b9ccb588e32d8e8156c5ed4b

SHA512
16d8acc399c92e94066b2e14a64e468363fb3e47e13b9cbe9da033ba085cf7054b8db57457ba1e1b437f0c5239a12e21a23070fce6bab9035d1f25f546f3c9b6

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverHid.inf

Filesize
6KB

MD5
87959c6e4c057aff8757b60cdda3d676

SHA1
c185e927c5a1b81d372a1aea71e61c086ec19380

SHA256
05e8bee169866e34d5c5da557c9022cd27db0417e4a36a32e20cf0afa1097b68

SHA512
0bf33ba48f1c6e3a212c0a78254ff9fb3dc96746ac52773e5543bcb6c32b7a44e90163b02004f2d2a8126bb2b6410ccf409e5962223beec46c63c737677959d9

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskKtmInputmouse.inf

Filesize
2KB

MD5
c8e701ea27a2a1d0abc8bfa99509c5c4

SHA1
b3bd4debbd0ae0499a9da6867c83014f7328753d

SHA256
bfd53b3c4e0bbbda52a631f882eafb946d62c50ae6f8df0f446984b64eb5b474

SHA512
7dcc00c31c952d84858c34354214f738f58e1d20698a2f33ba5692b6ceda41e0dec78923739427392cbe14c7114dc73a0d89429727661b86fab21a260a335bef

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.inf

Filesize
4KB

MD5
7f8080645d5d74842bee801037f8991c

SHA1
78b78803460f7522bfe702d99a2b5acd04c1b97d

SHA256
7dc731c9460f5b504bfeaed319368d730ba672d5a4465ae45b6c66afdeb2e390

SHA512
c3bffa95368aa7d72703cbc7c0f41d658dc68f8a5adf6390cb549b68a159fcdf690781aad007b7eb482a770b210c0adbb1eb6e206eeb419bf7369c7d591b1358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
11875ff234475adba23cc5faabe777e2

SHA1
4097da8be0b58460ed56b77efa65d7ca190875e1

SHA256
f64fe2382531d0943eadf8724c253c41ccebff8d337775d1b50b363de79d9619

SHA512
dc0a2f40f226af3d1b192b58576e93b2b1b15bae7161a3d4f2499661d807a30aa64a9d622811434ccde4b77b3b947725c05a46f9364bda4864ca7dd687c759f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_15A751EAC52E3BDD7E5151D6C1F63C61

Filesize
727B

MD5
085fad9fff11f204f448a0b77f5d45e0

SHA1
eea5559e15ef2d80e321752cd355b2b6e9a238b2

SHA256
6d5ae87b6eb2164c73ae866136fb841071de3114242ae7c5a5886ffee93f3654

SHA512
04c4f004f13118626961b875489c17f96286731477473f3722217b0d35a18bf2391bb87c4d034d8e98b8ec0dabc83a3cc4aea3d16e1cfed88a3489c6ee45c22a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
4141f7bcb4a19c9c0e2a9dcc833ead88

SHA1
07416e4582d3df2688351b33e8304271c260d96b

SHA256
b7a8bfe235035dbfc829003d720157e523ee8ff42a1d6e7fead1ac145a461260

SHA512
5511a167cb2a7e5edbcfc3facd04f982e1e0afc743438e48eb125d8c9ad1be708004a9bb9e6009eb12b7c9d36b66c279374286ed647c435da8b268c07bf57b65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
43722e1592b3b9ab04f9842f549b154f

SHA1
0e4e6ef290515269351cd2c8dcc17c6a304d3586

SHA256
49b5a3c09b905d278d983e80b3d9897460f7bc9f4dca01ee891d2e7878a40fad

SHA512
4b1de9cb888568dce451ebd6eaf163f3692ab7bf8fb355372916ce7d1cb82ae04c7045c9804724503f3dbf92457e245ce648cc5ca290a6aacee4a180f45cd860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_15A751EAC52E3BDD7E5151D6C1F63C61

Filesize
408B

MD5
0107c3a9c8a6333f85df502ba296b479

SHA1
1fcd7026ec65765001eec8e00927cdb7ac13f788

SHA256
b7e622bc05a4ce0e6aefe418a2c7d3d4dff07238addf2bb1af779b2877547b0f

SHA512
347c9a8cc485152b91fcbf674a3bfa2a7f9b7ad388085785734d77ca8d88eb4c4310cb30e1c1f4df4cac7e009d70a3b52255e7931159e2c7180d04ca556c8e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
a724d6a5bea57f7b09c152c31a03ed18

SHA1
9f252a9d20c297a87b826939b3be1221c7ed50fa

SHA256
58fbb4092c1fb5decc5b2336e85788550ce6fc4fd011a067d4ffbe68c0f89f2b

SHA512
4feb304a5b5d471eb63b5e6bc366d3a520caa3c4630e9bf12eebaa2f5591995eedda391ba3212e2213bd8b82f049d21125c27250c9036b2b9952f3fabba1b28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9CBD.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4jbh0s2.an5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
2KB

MD5
9102b83308043f93f30a662d94183fb3

SHA1
d161fe64b0481b1b150f0075b12affafb4d94fac

SHA256
dd0887b9c3e9d2fb66345b484f7bee204a3c5dbef0cd02701e72da5452693ef2

SHA512
841ac880621fa3417e5f0792028ffb4f49ca43a1abd0dd9de333c0fe9401dd792fc309b2a72f589096af05a899d8d26efd6f7859fb8886cebac0520e773ec951

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
3KB

MD5
8489782059c8e5818f14882b6262c40c

SHA1
364c6400d2390658f9cb3abcf50e1b3933fc118e

SHA256
9160c6cae220877cb63e119a7a61d722dccb5dd70bc3b47bd1a8f7caf7c9c26b

SHA512
8b64f39347d1ebd03a8b8f2c35fa3fe537341151006637a055bf94e01d6a6b6d182a78fc3939c84955b190d4d9a528c967a4915fe493555fe65b8e38dd717a24

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
4KB

MD5
5c48d5d6dc5b6ba48dfccb08655c4bca

SHA1
0a31a7bfea45baf83c95f0f77a516c69fd9d547c

SHA256
d7afe23ad6ffdce5d62c21fe9012606bb769479db3e3e2a6c0193967132c808a

SHA512
5d68c4b65fda7e8a60ba6c31ee510a2328e145447c19e05fff92919bc782d4c8f3b5d7d0b435144969512a2e9381de29ad2e7c84bffed5ea4464de8e37e39f88

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
10KB

MD5
b2f6d5ff564fc057733382c2768db664

SHA1
dd6c114d8c6d55eaf367542a905a02dd7f82cf5f

SHA256
0ea5ef8f0c99d493655c2b6a00c8e5dfdf6895b6752f8be1b43625b012500f96

SHA512
be4f62f75f42bfa5c00b414d7219ed670da00561938b46b8e0dbf59084d392935221c02f4e362a24d69227310352ae337a886153aa3b64a0fe71963e976f4f62

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
10KB

MD5
ed47bcea91524bac63a1f8e7ea17f095

SHA1
56856d8379aa081ec0479d22b049d9d4fb5699a7

SHA256
29b4e53ae5fc70e861f10eeacf2edbe63d6bff6ff7b2c91c798bcc0ce4488901

SHA512
36d79a761234fadd1beeddd0675577ebe2f4a31f9ed51edac6001aacf174ab2c3f52d1cbfa19de762080dbe3918e20aa130c31ab67b74b32deb65a589a41faf0

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
11KB

MD5
633685f30ae69e1bd105ae75acc69063

SHA1
3e43dbdd3804b868b791b33b5b448026650dfcab

SHA256
5fc2620e06f836474862f4f12ee4368a2a92d25bc3e59d8afaa1a2d0008852ef

SHA512
dd5168277fbdd7da5d4832706af7d7bc65d39ce2dc6f449f505156a59e1385ff8cdf3518dfa8b7d451f2edac66fc9635577b1e83534a880e5af541f1ec111786

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
11KB

MD5
bcb1ca9ba60cf4715219c8199b96f7c3

SHA1
b578efc1be95ecb8e0feff6409358bb5354f0220

SHA256
17778113841779fddec66abaed6f27a013044437f7219287c7ddd4f4d74332c3

SHA512
55fe115959ec299106eb13fab5d4744d4f3047c37a032192326d36ae3373ffcb0b00586aef648daa38644bb2e2f293afd02288f09d5d67f3aa619903d3de3f97

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
12KB

MD5
a0964c3c28661a15f3d1b61a710f4e27

SHA1
ad83adf69782b511d4739f847b01f7b9bf914759

SHA256
95fe178727e7a1473bf3453aae252a52422a9eaefd3c51de9277e5e78776c13f

SHA512
6b9580129c490501942b53e124155dbe76329c444f75e91f83c6246f15d826b903f0ea1c66d4f3257384fe640ebcae8848ac3f272f240d3bb0d325440003c50a

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
12KB

MD5
203eeeba904fa77e64d63148821404ef

SHA1
771253cf395907e87a97ca33f80be9edfc0dcb51

SHA256
1cc93cc0882ce2889f66e0ffb206d2f0253392184cd4e40b2d3024dc5416a30d

SHA512
1b8bc5eac7e1e31c34cff19a473d4aca995b6ce35783ed821eb36044b4f95b7dc6c5aa539312f192248ff9836a766b5e7a9e4469d11b069b0f3cb49a06329e74

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
125B

MD5
512ba2ca733a48ffa70b08ee14c1fa2e

SHA1
281d50e20a07cc59c56bb2a81c8020cd30bbcdeb

SHA256
267ea88d0335b0a9d93286fa4db07d07a8b7291baeaacf076e16b33038489704

SHA512
795b72bba3ca3d763124f6c559c3b1f21a45baf611dd5f79dc21b897b5d2d3d022ff99c27063134574c59bc7147ae124990efd248556676f1dc448b07eb020e1

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
13KB

MD5
ee2e72efd979aa3a418458c1204ac713

SHA1
ed98d03373b392d07a250e828e6b879808909381

SHA256
199ed78f1c1ffff3117337618f15a2655ca00a24d642a83723bf9625953dde27

SHA512
5152f8075292019346fe0185e67caf805363477c75c315cd4f4dadfde4ca90cc9071134a093e4488e98313be30602b583a27e75b500ede271feb59535309d11d

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
567B

MD5
92532e1960498d9b6848c802812dbed9

SHA1
5d828a10174f58c3e3229864d76230f62337ca35

SHA256
827eca31d516042502c0687731f0e67deaabe544f207b12ddb373bba7822969f

SHA512
0aa218927fba1a1cc5904f52ff32e5567ad5fe9d95a02f77e86e81c694d2b575917d5f94ee473360bb47126bfb521a460949da14986a0617fc3f81bf3a1cc35b

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
1KB

MD5
41edfdbd9963a11ceed750aebcb70857

SHA1
511f1043e0914a598e32ffd2fed9611cc484adff

SHA256
6ae7a628c7c5e64b5e4adf49f29742508836948087fd14e8891922d2ac945bdd

SHA512
10c026eefcf08739a0ac9ae4b294dc52b2e022f223125c7268803bb16c0c960e7a65dc3183e779bad99b8b3f30f65ae1448a2283cf24d3f2510238f192774080

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
2KB

MD5
0f81adf9b0a65955778fadd8969cdfe4

SHA1
ff7b8883981b18c64787d611a372e1796708f963

SHA256
0a7c960648b2e2c1141a0df6515f78383b225c66cf666ef32a50366631c5011b

SHA512
c6d62ef437ad7ee0c49306d8da636b93b39a0322e215fbe2db1d71eb42e2ad5315d96d64f2810b140fdba3a473dbddbc7eb2457eee34707464a617a4457bdcc6

Download Submit
C:\Users\Public\spacedesklist.xml

Filesize
636B

MD5
09dc1faa2be8ccf3ad7e2d24259b00b7

SHA1
24cbd5d2ff77ffc50f22729118d5922ec98699ad

SHA256
b57f5a4dcda2eebe0a80effeb7c0af7546875ba0cfae7d42fa52e7079b218964

SHA512
21111dfbb31535a1c35f947e64d9c540efddec3a15721025442349bf1d694d0955645c9992ced27c4236bf87e1a66e9f44b68326d78b2c579f8ceb436a075378

Download Submit
C:\Windows\INF\oem0.PNF

Filesize
5KB

MD5
b65f36d629fd12d01cbae4363ef52a6b

SHA1
0f6d9359a660001f785131e12bd427a2d8f8a968

SHA256
74c29a6a2712ccf8b05173a8ac6f11086e29a46f1f8fbe2777bf25d51e80e8e5

SHA512
2dfd1074c51fc10686fb1007a631bda6945447768c8d54e9586ec404b81a448ef494b709ddc52b08fef7a492202ea280e1b994d5607958fba733cdd292bdc6d5

Download Submit
C:\Windows\INF\oem1.PNF

Filesize
5KB

MD5
85a41d05e38882bddd8208e77c9ec207

SHA1
39c49a60552832083f3ea9743f5f9a8155ac420e

SHA256
f1c2574304b3bfa2bd4bc853a927949826e8017dade9d6271be8e805c6c7ea9f

SHA512
50702455d2ddba890ed744997307ef12c3a34dbc45ad2cb64332d9d3203f5fe371e12e9b1105063cdb6b0e29f6a213f8cab4793afd9da69443253acd79f30e8f

Download Submit
C:\Windows\INF\oem2.PNF

Filesize
6KB

MD5
2751d6657fb022e07179d92658d28a6a

SHA1
476debb9a0d9cd8f43d44799795c83342b2e5e2a

SHA256
1da0610f082a76981cb891d1d3210c87cea30f4ddf11cd1dfbb8f2d105a8c618

SHA512
219d78be81b3046465065d19b4678fc4da7a1ca7d4c9d1dfb4b58986bc02b324ca84f112cb908f10ffd9528914d4d391a9c98c1be431b2834a26dc5de16c5b52

Download Submit
C:\Windows\Installer\MSI4717.tmp

Filesize
524KB

MD5
5c24aa2eec2c7d133f32633034b2ec06

SHA1
4be50fc38a82b2df03a6b3bfc6dfde2821a9cb49

SHA256
0a90142c6effec9e68dcea1a3462a808a43fcf247cfc1c936af72b2caf2842c5

SHA512
3235a7051b20be708225ae9fd4b48e998dd07c809c9701b1ab10cdb00c65f1ff982e2e6ccaba739ce78d3582bf53aced592bc62faf72695587b5abf2518c8740

Download Submit
C:\Windows\Installer\e58438c.msi

Filesize
4.7MB

MD5
ef5eb5dba160db286cee572eb50ecb1b

SHA1
3a09c68be4928bad70723ac170350888413f39c1

SHA256
8261b2c779b217838ed6873426bd40030b6ce1e1f3645529dac7c6ab015d6250

SHA512
be639698e8d46918225eae348a4915fb8e2681f0eced53f37fc887036bda956e94926c6988f62f812a7e1923d3666e938fa58ceb5c012b2b1949a07b26b3fb1e

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
151KB

MD5
6e69c9aacf7f3b315c7cf08398ddf852

SHA1
e9befe74a8280b0e0726723e2cc7e1af1ed85927

SHA256
213c2d0f5dcc6625d0c80cf88c2b38c456e098315a7c7861dd063b58380f3f16

SHA512
7617a6b369e1218f1ab025ad84f4eae9db1a1a51d19b042eef97d60f336ad2e2051eefafe1163bab0aa5b43ddd5eef84c7fa90b1a438e2e136d24d42753440c8

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
151KB

MD5
61bb34a4d7eec731230ef8759bdec126

SHA1
296a2cafd9baba519b9d28f50f4c9378f92676a5

SHA256
4b264a1a34e9ad9e1959b65754b55fbf385280af5a58e6ac01ac644b26d9aa6b

SHA512
634b08d81415ef333e4746fae2c451966745351bda5c04aedd7a03375048df42a5e8f6868089247c2757e6fc9637d009507e26a88e193ca6e23fee5daf1cd47a

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
151KB

MD5
dea597e57a3da6db4de92083fa5af50b

SHA1
12d6c160ba15aefbd8dd458c8d05cd917994b0b6

SHA256
b9566c5a77e185c010a0ee70ba029eaf0995ed57c0c3587492bd8db13af084d9

SHA512
e6b8e9a12ec4d0870f4bd7dd47f728a8b70ffc7ba51df92e6afd4936014d7d9abf94fe675bd470dca530d70de3e3131709f20b66acf4873ef050efdffa55df4a

Download Submit
C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\SET6230.tmp

Filesize
12KB

MD5
33f2e6e7ed2be0b9a31de7bf8f46111f

SHA1
9dbd1e145bc1b6b6b613990f2bbd18932bc517a6

SHA256
82258beb80243200633dc40982d89925b0b393c659da5101ff90a20d5d9878c9

SHA512
4db947fa41ad470a50db48011b9b1a98a61cd35a614af4c1c27811f3fd0a73879f44ab03de71677ecf67759dd858a4a2d8b1d8df88d596af2b6825eb40bce5ec

Download Submit
C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\SET6231.tmp

Filesize
2KB

MD5
dce7ff426cf25340bf4e67c6d61a4d6a

SHA1
204984f9168b0bb8be147275679b89f928d9a41f

SHA256
0a03ddce2eabe169bcb415579a4774349a260fbf257bc25ae62ff4a0d48e46aa

SHA512
2545a2a1d3c8d71c96ecd02e3a2b2e5ee87d0c302606d882c8f461fcb515842cae7d40ffb811fa112534fc2abcfa02726f8d979c850dc7b3611143c8820eb036

Download Submit
C:\Windows\System32\DriverStore\Temp\{2bc8f7df-2fe1-7349-be37-676f336075c6}\amd64\SET6232.tmp

Filesize
109KB

MD5
5296b50f4218d20636088507a9bf69e1

SHA1
83f912d46ab06ab3940523836641dfac353dc4b7

SHA256
d21c57f3a4e7a17c71d6e432a6c6dc2f7f5e9f83012bc3833b48658477b1a1a7

SHA512
6b7bf74c11506c368b14af953a46bc2e350afbc5c68a7a2d412aa55e834b0cf1a65fbd0705a023509333fc5650d2b0839daaa3b6638fbedeb5458cc3c605625b

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
151KB

MD5
a5f7a1c308c424da4fda0100bb5d7139

SHA1
2301e4621bfa885d6b2763493a0f802f15177fe0

SHA256
53ae86d786d27aa37adad370069a382c67b4500f67c4ddc9c403e9779de38180

SHA512
9c75ddc6b5d4efe84644455fde214b914832c5108a6118baada8d977889aa779c0baca5350d6434aa645d0b5c7f041c5869e02f324484c1a1c3aaea43a0e7bf2

Download Submit
memory/1280-1053-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/1280-1041-0x000001907F4B0000-0x000001907F4C0000-memory.dmp

Filesize
64KB

Download
memory/1280-1014-0x000001907F4B0000-0x000001907F4C0000-memory.dmp

Filesize
64KB

Download
memory/1280-1013-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/1756-1073-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/1756-1071-0x000002C51BF80000-0x000002C51BF90000-memory.dmp

Filesize
64KB

Download
memory/1756-1070-0x000002C51BF80000-0x000002C51BF90000-memory.dmp

Filesize
64KB

Download
memory/1756-1068-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/1764-882-0x00000204EA240000-0x00000204EA24E000-memory.dmp

Filesize
56KB

Download
memory/1764-1058-0x00000204EA270000-0x00000204EA280000-memory.dmp

Filesize
64KB

Download
memory/1764-1074-0x00000204EA270000-0x00000204EA280000-memory.dmp

Filesize
64KB

Download
memory/1764-877-0x00000204E7C40000-0x00000204E7CB6000-memory.dmp

Filesize
472KB

Download
memory/1764-878-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/1764-879-0x00000204EA270000-0x00000204EA280000-memory.dmp

Filesize
64KB

Download
memory/1764-880-0x00000204EA230000-0x00000204EA238000-memory.dmp

Filesize
32KB

Download
memory/1764-928-0x00000204EA270000-0x00000204EA280000-memory.dmp

Filesize
64KB

Download
memory/1764-883-0x00000204EA270000-0x00000204EA280000-memory.dmp

Filesize
64KB

Download
memory/1764-916-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/1764-881-0x00000204EA4C0000-0x00000204EA4F8000-memory.dmp

Filesize
224KB

Download
memory/2332-1051-0x000001C757940000-0x000001C757950000-memory.dmp

Filesize
64KB

Download
memory/2332-1057-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/2332-1037-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/2332-1039-0x000001C757940000-0x000001C757950000-memory.dmp

Filesize
64KB

Download
memory/2332-1038-0x000001C757940000-0x000001C757950000-memory.dmp

Filesize
64KB

Download
memory/2896-981-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/2896-982-0x00000211AED00000-0x00000211AED10000-memory.dmp

Filesize
64KB

Download
memory/2896-986-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/2896-983-0x00000211AED00000-0x00000211AED10000-memory.dmp

Filesize
64KB

Download
memory/2944-902-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/2944-898-0x000001E3B0FC0000-0x000001E3B0FCA000-memory.dmp

Filesize
40KB

Download
memory/2944-890-0x000001E3B0E40000-0x000001E3B0E62000-memory.dmp

Filesize
136KB

Download
memory/2944-895-0x000001E398850000-0x000001E398860000-memory.dmp

Filesize
64KB

Download
memory/2944-894-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/2944-897-0x000001E3B0FD0000-0x000001E3B0FE6000-memory.dmp

Filesize
88KB

Download
memory/2944-899-0x000001E3B13B0000-0x000001E3B13D6000-memory.dmp

Filesize
152KB

Download
memory/2944-896-0x000001E398850000-0x000001E398860000-memory.dmp

Filesize
64KB

Download
memory/3084-968-0x0000017C57430000-0x0000017C57440000-memory.dmp

Filesize
64KB

Download
memory/3084-970-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/3084-967-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/3428-914-0x000002943BB90000-0x000002943BBA0000-memory.dmp

Filesize
64KB

Download
memory/3428-915-0x000002943BB90000-0x000002943BBA0000-memory.dmp

Filesize
64KB

Download
memory/3428-917-0x000002943BB90000-0x000002943BBA0000-memory.dmp

Filesize
64KB

Download
memory/3428-920-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/3428-913-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4112-1012-0x0000022161130000-0x0000022161140000-memory.dmp

Filesize
64KB

Download
memory/4112-1011-0x0000022161130000-0x0000022161140000-memory.dmp

Filesize
64KB

Download
memory/4112-1040-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4112-1008-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4556-942-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4556-953-0x0000027EEDF80000-0x0000027EEDF90000-memory.dmp

Filesize
64KB

Download
memory/4556-957-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4556-941-0x0000027EEDF80000-0x0000027EEDF90000-memory.dmp

Filesize
64KB

Download
memory/4948-1055-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4948-1026-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4992-998-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/4992-1009-0x0000021C64420000-0x0000021C64430000-memory.dmp

Filesize
64KB

Download
memory/4992-1010-0x0000021C64420000-0x0000021C64430000-memory.dmp

Filesize
64KB

Download
memory/4992-1025-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/5044-938-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/5044-939-0x000001C539420000-0x000001C539430000-memory.dmp

Filesize
64KB

Download
memory/5044-955-0x00007FFBD96B0000-0x00007FFBDA171000-memory.dmp

Filesize
10.8MB

Download
memory/5044-940-0x000001C539420000-0x000001C539430000-memory.dmp

Filesize
64KB

Download
memory/5044-952-0x000001C539420000-0x000001C539430000-memory.dmp

Filesize
64KB

Download