Resubmissions
08/03/2024, 15:55  240308-tc4fpabh5y  7
08/03/2024, 15:21  240308-srgpssad29  7
08/03/2024, 11:00  240308-m381jadd65  7

Analysis
max time kernel: 2635s
max time network: 2313s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08/03/2024, 15:55

Behavioral task: behavioral1
Sample: subbmit.rar
Resource: win10-20240221-en

General
Target: subbmit.rar
Size: 65.5MB
MD5: 9bac5ed3c448059173b3660f3ce8a3bc
SHA1: 390fcdcf0992973d39942d4d8e69cec823e17a41
SHA256: 973a70a89bd259cc4303dd451f6415331d9b957e8a50d55c0e66a3270b28d3a4
SHA512: 45011a7dbb7d8cc00ef0a0babb9d5da42921b9ea663cf73c78e238002242904e005a9e0b60db2d143003b76087dc76ae27d145f036d5322405da4d6416a09e19
SSDEEP: 1572864:NmEPQiIVbaJLO5Tg2DcrmOLsG83c/SZr8VqLC1KAWPC9Rtgfq:s7ZbSO9gGcKOLsG8sYwqLnjPCRgfq
Malware Config

Signatures

Executes dropped EXE (7 IoCs)
pid   process
324   setup.exe
2220  setup.exe
4848  setup.exe
1852  SSD5411-32bit.exe
968   tlicinst.exe
5072  ledit.exe
2928  leditdrc.exe
Loads dropped DLL (64 IoCs)
yara_rule upx matched the following memory dumps (resource behavioral1):
behavioral1/memory/4692-1386-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/4692-1388-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/608-1390-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/4424-1392-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/3540-1394-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/3576-1396-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/928-1397-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/4076-1398-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/4076-1399-0x0000000000400000-0x0000000000417000-memory.dmp  upx
behavioral1/memory/1560-1400-0x0000000000400000-0x0000000000417000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 5 IoCs)
description      ioc                                                                                                                                                                                                        process
Set value (str)  \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TannerInstaller = "C:\\Users\\Admin\\Desktop\\drive-download-20240308T093036Z-001\\setup.exe /i 0 /f 0"   setup.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TannerInstaller = "C:\\Users\\Admin\\Desktop\\drive-download-20240308T093036Z-001\\setup.exe /i 2 /f 0"   setup.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TannerInstaller = "C:\\Users\\Admin\\Desktop\\drive-download-20240308T093036Z-001\\setup.exe /i 22 /f 0"  setup.exe
Key deleted      \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                      setup.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TannerInstaller = "C:\\Users\\Admin\\Desktop\\drive-download-20240308T093036Z-001\\setup.exe /i 0 /f 0"   setup.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description                   ioc                                                                                              process
File opened for modification  C:\Users\Admin\AppData\Local\Temp\7zE8A9037E1\drive-download-20240308T093036Z-001\autorun.inf  7zFM.exe
File created                  C:\Users\Admin\AppData\Local\Temp\7zE8A9037E1\drive-download-20240308T093036Z-001\autorun.inf  7zFM.exe
Drops file in System32 directory (35 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Modifies Internet Explorer settings 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | leditdrc.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | leditdrc.exe |
Modifies data under HKEY_USERS 5 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E | msiexec.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a | msiexec.exe |
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
| pid | Process |
| --- | --- |
| 2472 | 7zFM.exe |
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 19 IoCs
Suspicious use of WriteProcessMemory 55 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\cmd.exe (PID 3936)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\subbmit.rar
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe (PID 2472)
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\subbmit.rar"
    Signatures: Drops autorun.inf file; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\System32\rundll32.exe (PID 1852)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\setup.exe (PID 324)
  Command line: "C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\setup.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\setup.exe (PID 2220)
    Command line: "C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\setup.exe" /i 0
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Tanner\Tools\setup.exe (PID 4848)
      Command line: "C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Tanner\Tools\setup.exe" /v"FROM_TANNER_SHELL=1"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 4468)
        Command line: MSIEXEC.EXE /i "C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Tanner\Tools\Tanner tools with L-Edit v11.1 and T-Spice v11.0.msi" FROM_TANNER_SHELL=1 SETUPEXEDIR="C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Tanner\Tools"
        Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
    - C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Rainbow\Driver\SSD5411-32bit.exe (PID 1852)
      Command line: "C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Rainbow\Driver\SSD5411-32bit.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 2572)
        Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\_is7C2E\Sentinel System Driver 5.41.1 (32-bit).msi" SETUPEXEDIR="C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Rainbow\Driver"
        Signatures: Enumerates connected drives; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4148)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 2732)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 2136)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C2B1798AA9E4F9BF68E3D06A7063D68A C
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\syswow64\MsiExec.exe (PID 2164)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DCAFA16D641A42168895D474CBD19537
    Signatures: Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 2196)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 4164)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  Signatures: Checks SCSI registry key(s); Modifies data under HKEY_USERS
- C:\Windows\system32\cmd.exe (PID 2632)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\crack.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 4692)
    Command line: hi ledit.patch "..\L-Edit 11.1\ledit.exe"
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 608)
    Command line: hi lvs.patch "..\L-Edit 11.1\lvs.exe"
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 4424)
    Command line: hi leditdrc.patch "..\L-Edit 11.1\leditdrc.exe"
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 3540)
    Command line: hi leditdrcn.patch "..\L-Edit 11.1\leditdrcn.exe"
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 3576)
    Command line: hi sedit.patch "..\S-Edit\sedit.exe"
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 928)
    Command line: hi tspice.patch "..\T-Spice 10.1\tspice.exe"
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 4076)
    Command line: hi wedit.patch "..\T-Spice 10.1\wedit.exe"
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\hi.com (PID 1560)
    Command line: hi tsp1010.patch "..\T-Spice 10.1\tsp1010.dll"
  - C:\Program Files (x86)\Tanner EDA\Utilities\tlicinst.exe (PID 968)
    Command line: "C:\Program Files (x86)\Tanner EDA\Utilities\tlicinst.exe" "C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\license.tlu"
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\ledit.exe (PID 5072)
  Command line: "C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\ledit.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\leditdrc.exe (PID 2928)
    Command line: "C:\Program Files (x86)\Tanner EDA\L-Edit 11.1\leditdrc.exe" -A84BCE57D000013D0000008A8
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe (PID 4280)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.2MB
MD522360ec1ab3097a355e2044db5505e1e
SHA13c4b1ef8742b0113815168ee52dfdfad16ebd180
SHA25602e71c932aeff1da347f5d9e60a9edae89c5abc6aeca4bc07c6dd8befd334eaf
SHA5127fcebf5754a6ac6aa4687902fbd172809b24bed85a07b4f8e6c0a77aa6b245247f387fb7b98908d47ba0fed6a77e0034d78d600c9306669a660471d9388dc6eb
-
Filesize
1KB
MD55bb58b952f84555dc7f0c2d5c5c72161
SHA1a2177fa31020999a874c9ad76e77d8a5ab9336e7
SHA256cd41f24fcaecd9b280b7b03bbcf8e3103513bf936d1cc8527ec9a50b632c5526
SHA512de021e19b44f1eaf286a1693447a797ac51349d74e6f1c49ee2671c2543491a09501063b3f955aceb3c53b9920e056d81885d2ebcdb0a1615a50e0246ed2b368
-
Filesize
4.8MB
MD50f98e321c2c5f1f8100fe0d5689bc99e
SHA147ebf18ca77e4e9fb124cfd35123cdc84d6bddde
SHA25693123c5e56307179695b8c49f993499f009d9a5065b2e41099b5d085680be9dd
SHA51227e837ed1af9e36f76df441bd47fd3a5ac372aae4f26181fa8a98d62703e04726153ac657b679bdd84def92ddf585d3037df0a8830d78cef96b412d80b5e3df6
-
Filesize
13.0MB
MD5fb60b5dea76d2cdbeae6f7b22368bb4c
SHA14e1d30249625a131c80e44f2682637414f00af6a
SHA256ea5a694504c33fcb4cdd4d0e7d6d76d93cb9907d8e0a6a08b399abde72f1308a
SHA51228cbce636107ca05662e1f720229d322e6608aba596ece0d1dda1c6042743c96ee0b642d67d397f9cd7ef49dafc098bed4671aeb775ff12f5ea61ae6fcc22c9c
-
C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Tanner\Tools\Tanner tools with L-Edit v11.1 and T-Spice v11.0.msi
Filesize
1.5MB
MD525c59c6c0a0cfc106f79c0d53e7dfded
SHA1d35e6142b9bd8fca0d7a98e6aa24f423a5e4adc2
SHA256b46d2d512da5bd427b7b0e8bdd73295c58c6d963535283c52cdacec097f7fa78
SHA512ae7003770fd9087f7d63bb047403dfa44190ffb132a407c764f3b4270bfea4304c5d5d2f9cd99633be25db14f39fddf4fca033266df0358a0080a316db772d39
-
Filesize
2.1MB
MD5b0ba860231d0998408f9dff696e9a073
SHA1d50cee295a2fddab7a235fd3a785adc11eeb74c4
SHA256c74cedb169c048fb18254111f4d67c7496302af34ba4092fc49b8120ec9d23f0
SHA5123bed3ac5f31c232a145cc05cb9fe0a2b7ad1665b02345f63cc5ffc182d4038ca9009b635e26d1e07c81d18c967e22fc9025d95d725a6fd5c7c3a62cfd9bdfa3e
-
Filesize
549KB
MD5403ebe0b58ffbe7f25ba61eed97e06ee
SHA174f237a316dded8d3368f382a11478848bc3a670
SHA256c93fd5de5865b9ea3b4e389bb14972b8f7b58d54a7c730ff66ed49e495e697d1
SHA512d2167d8db5b1c1d7ba8307a50e26ef1f954859b49671bc51fba76965bc9d92f4c793b5cae2bdb56444b9f0816e7551c8bb44d68fefd8890aaf221c249f3e22bf
-
Filesize
396KB
MD5e617272b958767bc073388c230069435
SHA1c1dcf3e3a073755507b88a45f4c2354cda991517
SHA256297ab2b5cd4836a53e158462af18c6b8707f54e9318a11a89ee01a946a0a7bdd
SHA5122e358788a10d3f292d3cc2fe8ae78dc9869c6e47d1e53ef4428218c71da6cae23cc1406fde4c748ac84b09d1d24de210744d4cad2d2991cee1e8f9375fcaedfb
-
C:\Windows\Installer\{BC3C6EF4-11F8-4B70-9276-8D696E1AC8C3}\LeditQuickReferenceS_EB3A718DD37E4E5E839D999EEC706C97.pdf
Filesize
23KB
MD5ccd24e3f680c0184316e6fdb80a02d80
SHA1f955e3e56cd2aae1ed68b936d08f8c34ed571c54
SHA2565ebee5d689c924b30ec6ccd2cc0333ea9b821f904db46adfbd399d05275bb582
SHA512f2a7651373d65a33a2316934c2db5829904668affd54894e7f28043d0e3470c4c695bb35b3409492d890bfcceda55f6547015820c2e58a3e5bca21f89762ada1
-
C:\Windows\Installer\{BC3C6EF4-11F8-4B70-9276-8D696E1AC8C3}\NewShortcut9_EB3A718DD37E4E5E839D999EEC706C97.exe
Filesize
40KB
MD5bad8b3760297c75d58953f702ea36674
SHA148f9498ad46e4d669a764adb55b20c9bae7c59c8
SHA256af1a8f1b43e79e1580853bd0fb784ecc8c21f4187412734a3f85c7630e7b6302
SHA512407d6500afe0f347c5a1a9ee643eb17b3a57a1b7a230db7b3cdbde2866260cff30501569463cfb41e9af7b74e432b9c9be1acdfc945834bc125e72a62c192d14
-
Filesize
1KB
MD5b87bb941bccdf4abf7a219e0e12c2c42
SHA17c7382f90b68f13a0c58f7344f30a8dec8545012
SHA2566c8ea343f2f289f42aa55eca4dcd2d301c45e8eef2c4c2022ca067c98432630b
SHA512fddafc367d64b54e78e06fd1eb314a16c4914adb44de80c4e5b9f36f957322c85f820cc71033ccf108923b031d63059ea3af98224eafb086b5d6ef57ef8c9837
-
Filesize
1KB
MD516e422f928967c13b97851b55d55f1ac
SHA1dbcd11b284253876cff11e38115b3fb84c99f9da
SHA2564a66058c2bdc55f0cacdde91740d70e8b76d421e9be6567d91be56502ab7f0b7
SHA512ddc038d32be564c9ba04aaa54656453e41ebc940c9de0cc558b8385bb10e1cb5cfb46cce01666bc60da818b78b2f3044b38b6403da043d0cb2079025df3d7d69
-
Filesize
87B
MD570e3418c73ae9e98462780a91a47539b
SHA15ca6c80cb018de7a6673325b81879a729fc809c7
SHA2569092abf1f358918e4ec41b89f4a41f4f0de69f5b4af7f32b4cea60c470a2b1fd
SHA512447f4db1f40a4f7ec0faf673f85df4b14a9b84c8eff50b0e94867d04a020c7b93c86592e3eefee1dbbe409b852a03718e5636a473ea771150e80e610943ebf39
-
Filesize
1KB
MD5d5271e5dd6f4e30d8eeba13fb8a826da
SHA1c6d20986982b26a5a4212173b19c6782884d930b
SHA256d2e00049877be1df675c85a9b78662ff5ca5294959bfd6742c7f47cd1790c1ca
SHA51280ad02d2f6be0b14769d47cf566aad12b82bea81d5537b56d79317ad59de9f5ac410a28bf6b92671754ce688904dd43e181c3fe49e03aa0c6de250e15288a689
-
Filesize
1KB
MD5e6f250df36e191a3d4bf3182309c1c90
SHA1d40ea037c58d9d48741f2eb16c3258f17a5230b7
SHA2563e451854d3765fd9a3759edd80a42ae67de1eaa8c6992ec674c778170ee60bbd
SHA512e28078036336a542a52d912f45e16c88f31f2f12cd2a3f2a09808cbfc97d3aeeb74c505da05d9b833293091e118d29bdf548f9240f637470370eaff5b6a26c64
-
Filesize
1KB
MD54488f87a3870df41b37e4185ea9cf1b3
SHA1e98858ece8373315f15f96dd3ff5d154d73775a3
SHA256b34e8d15e0cdd9b356a120160922ab9655a161ec3246c001eda3247cf5ff7c13
SHA5121a84c98cfc3441a32cabeaebfd12786af716db5727149134fa80e701dc880cb10765a7598a69d2649712593be6d4baedc61a9f937451003658b2d1bec8988494
-
Filesize
73B
MD5d2afe95c5427c9648ccf88f3cf570a27
SHA143008354f76f59155683e4bf9ced26ab4d465344
SHA2560b7ce7e8a9377c14ca12a9b00453ee11377e5e9631c429344fb42db0552fd7a1
SHA5122c60fc1e8921a499bf471e91b1554f9136962d052b954380082a5c073a1f6c5a03b57fe047c8eb6dcfd5693cd1d6353d9b9cd6df5a866a0a9e65b686d6f676d8
-
Filesize
204B
MD59e90274ddb33033bbf94b50e2d4ab704
SHA110460dbe963affeff12cbcec507d0c233199eed2
SHA2566b4787119e76cf2359f30481c709d9e7ebe5ad12d120849fd9ba829d3b01b629
SHA512dd22044595036bf86095d49b173d80a36696d70b316915fcbf6ce36295e395dfa8a7d6c8e0554659cc8f0e8b7ebd2abbff11cf2c529cee1791c6c1860e335e5a
-
Filesize
205B
MD512d78796bb55d8a7f328677d6fb8e761
SHA1232b73ca349c09fc5821ebdd84c117ab33fa3c7c
SHA256aee425b7cb786213e4876a53d6c58dba12f4b79228cea2c26e40c1e3f325c9e9
SHA5125e20ef81ef22099e3414cdcc22a7c6594f43f61927bd67f8012a4f481b2f20172a56a8a5b0de889e965cc2fd8fdc9e8866536975ff02b847ff7c72bec15d81cc
-
Filesize
2KB
MD57a48adb9ca846863b3b9a78a6a6812f3
SHA15fd67049563a6b73a40cda6c2365ae68ccde284c
SHA2563c431a40bd057f5af4d1cf4881d9648c1dee8bd8b829adb8e06f688f57986259
SHA5122fd8a26eca4752ad8be95df009c6d984ca24614695696cb5983865c6f0eb01c63b6cb733ea7aeb9cb6924ab35836f27c4c081d5ebcbaf278505f07083ef41d35
-
Filesize
2.1MB
MD560f05a434185ba9c245a0be2d5ab69cd
SHA1c63d1ccdfd1b3b4c4380b2e543453e9c6260ebed
SHA256990d4995a1f219f65b9064e1da0a42b3ca77674c91bd14b812a503e3184128cb
SHA5127df667d9ee3c72a4167565cec13e0b7e0347ab416d27dcc1c66bedc5ecbef40a5f2ccae08e4911bc96f35e6d850c05d2ad6c0906d26e4e3cb33e5f7c4b05111a
-
\??\Volume{b1d60b47-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2f46c79-3301-4c09-9814-68a6741ca6a8}_OnDiskSnapshotProp
Filesize
5KB
MD51bc2ac07861bc0d846c30902403107d8
SHA173fdd4e972569b9c470f002cba034d0c2a92aa97
SHA256e497f8172e59c437a7173b4caeda8ff399207dacbee5822b98eed77fbd1841a2
SHA512b9779f7542484ac1c38686548410dfada6f2091dbe45ff8a070eeb9dcd2861ccb873e904579085b20ee23f42dd23baeadb420744384ee05d3b779c9c2260581a
-
Filesize
20KB
MD5e59003cb60bb61e23f2d8f9937c0e233
SHA11acdc0270d7c0097e36eaaa4fd4109866219990d
SHA2561694f111726bb3b69989519df44b3d65d1d237765e168d7380f85428eaa94d61
SHA51201ef17fabce53cbcacc3da16ba82e5221529ddbd5819c0e4a77811365dd7929354b7775cf6a9342356a0e4fa908e7c286e7b54c163be9b2b70f499c10e1bb0ea
-
Filesize
113KB
MD5dfe34ae9fd7f539552181d9253994052
SHA1bae6bc5c0e616a4a8e093bf3af5b947689fce139
SHA25691bcad1e21d9658526d88292f5a6d7fc206997d29b226580d756c6b126fccfab
SHA512bf229defa21e18de9ea4d74c79aada4492aad278551613b3aa9ab8768e10e996460751e9204588beb2e352abaf4558445a14c9f66032064d0f7610d7c7444432
-
Filesize
566KB
MD54775564fc82411536eedce2a9d22023d
SHA121e03f08e35e55ca28df87ff8d9fe21b561b911e
SHA256141840b631edbb7621163af05a610f9341f26cac5462cf3e6ceb40f3ca21d00c
SHA512902e7b9e016b813302c5b400822a1b3a41f068836dd897ed7bdf3c7ab71f5ebaea6a31ea38402f69ae05d5e8bf208f99af53d462045330bfb3824c56fe4daf97
-
Filesize
1.9MB
MD5bf8a2c3edcbe8084ba7cc04c7adb2539
SHA1834066e004ca4c925fed699fb1b7d2785ee5a210
SHA256f9e534df237c67a2cac7e4756f6ae6bb77b361d88e37ec140fb33b932620cb4a
SHA512266fafca77094589ea3678b3ff2d4c14d63a678885ab2765ddacbd17c31edf950020381edc83a6afc4913103778b82308487392c2ba77edf01ac0078bb5cf032
-
Filesize
369KB
MD54443445c1bed2a3309bf25e2e6d8780d
SHA1be0f23fd24e1648f786a0bbcfc0e2afdbabc1a32
SHA25654d5badf15b1ac9a08549417f6b6635835ebf0da22dd1f2d7f6c6c8103adbe6d
SHA512eeea7e63b5bee2db5452987219c2fd3cb2356d5210247ec06eb77073cb7e0ccbc43fea353c81a57743c543c101966994b43d8d96442163d44f36e83125212d1b
-
Filesize
126KB
MD5b11424c3d84d92a75b294003f9de8a92
SHA14f166f566333f2b604a8060710e0b12ba5d676bc
SHA25617a49c0ec8aed097e26b5086d035339e7a1d36796a2b1b5af05a5e908e26edec
SHA51275d92722a0a629bced3f00f27b08ccf4e31aba92b5a933a82a64a66d5253ea769e62e6d08e8c7acfbea78fbffb41188badfe793f09b9a722b37b257d7f9a8e96
-
Filesize
175KB
MD58eeb2a0361c6971bdf8b33d67ee6480c
SHA12248b52151ccc589b8ed3a5cce1df680e3d237c4
SHA256a4c5c8dc86d618f5fc3ea0041014675444b238950ec0f28765a2491d3f33b053
SHA5129683ba27bf70d4ce9fe24a6b063d70bf6bf1e91434bde4efd1940217521c0797fefb86b3475c89c502457c951ef4ec674ebfdd038a42b73ecd9482b99432223f
-
Filesize
164KB
MD5fbff84fad55e5d9b5118ad78b0462c0c
SHA13595b1f9432f95d1d825e5cc09ad2924a9ac28f8
SHA25676524b1eb99e60eef788a81ae7993396eda9b689ecff375a060367c2ed21b0f7
SHA512958c414897a01003243cd92b8676d5378043379feace494302c3cbc8eb501a2a02642825de99849068c61e6e4ce674875cd0bdc4b6b8190e9a7220da8349ff65
-
Filesize
43KB
MD559930356cf23b186cf7d214425fd5857
SHA1626b519832c89f1ef90ef0a93a7c03c038955ed4
SHA256cd93e7877825a00eca46845e97f7662b37636a2d40155dc626d27a706de30703
SHA512a3475d46bf824cbb70aabe03ff2ee6d5dd52c7ef9d435e13c9f3bec42de81b8749ab09a020f97c33febc20468d57b135f24977d069b7ed293e9b015dfdd004e7
-
Filesize
532KB
MD5a5958cb3d580b47259532f9cccb92929
SHA10ceeb9142c7fb090ec5bc5c2bb4fe83d7b05aa2f
SHA256c9279946ded15274197283b32dc5dfae1d39dec175dba90d04235370eaa6ec1d
SHA512e8640e58cda402991f9cb237cc9f4a677aed378f2a36ed86478e9f868abc006dc937fe1c41a3915021da6c57eba6ad2cbc2af842d640e46ce865acdf91b747cb
-
Filesize
1.0MB
MD5f35a584e947a5b401feb0fe01db4a0d7
SHA1664dc99e78261a43d876311931694b6ef87cc8b9
SHA2564da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32
SHA512b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4
-
Filesize
488KB
MD5561fa2abb31dfa8fab762145f81667c2
SHA1c8ccb04eedac821a13fae314a2435192860c72b8
SHA256df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b
SHA5127d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43
-
Filesize
340KB
MD586f1895ae8c5e8b17d99ece768a70732
SHA1d5502a1d00787d68f548ddeebbde1eca5e2b38ca
SHA2568094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
SHA5123b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da
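The listing above is a dropped-file hash table: each stanza carries a file size and four digests with the algorithm label fused to the hex value, optionally preceded by the path the file was written to. What follows is an added example, not part of the sandbox report or of any tool it describes: a Python parser for that stanza layout (it accepts the size either on the line after "Filesize" or fused to it, as some extractions of these reports render it), a hex-length check so a truncated digest is rejected instead of silently stored, and a matcher that hashes a local file and compares it against the parsed records on the strongest digest both sides have. The three stanzas embedded as LISTING are copied from the table above; the path-detection rule (a line containing a backslash is the dropped file's path), the size rounding, and the match ordering are assumptions of this example, not something the report specifies.

```python
"""Parse a sandbox "dropped files" hash listing into IOC records and match
local files against it.  Added example; not code from the report itself."""
import hashlib
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Labels are fused to their hex values in the listing ("MD5b38c3aa0...").
# The expected hex length lets us reject truncated or mangled digests.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Three stanzas copied verbatim from the listing.  The MSI entry uses the
# fused "Filesize1.5MB" layout to exercise that branch of the parser.
LISTING = r"""
Filesize
6KB
MD5b38c3aa06ac26880e3fd39d7d817550a
SHA14b9c55927fda195473e73254dbc7137f39419149
SHA256fb1454442a06b9ed873066197828c896facdbf4db10e51218eb930d9f4019519
SHA51217e59733fc2668eef3c43b3a73f8ee393e9860a813dedf701a568f741739ebf1cd60a0a84ee06d8293bea506b919cc3ea07092050a923f996d262085a3cf4e35
-
C:\Users\Admin\Desktop\drive-download-20240308T093036Z-001\Tanner\Tools\Tanner tools with L-Edit v11.1 and T-Spice v11.0.msi
Filesize1.5MB
MD525c59c6c0a0cfc106f79c0d53e7dfded
SHA1d35e6142b9bd8fca0d7a98e6aa24f423a5e4adc2
SHA256b46d2d512da5bd427b7b0e8bdd73295c58c6d963535283c52cdacec097f7fa78
SHA512ae7003770fd9087f7d63bb047403dfa44190ffb132a407c764f3b4270bfea4304c5d5d2f9cd99633be25db14f39fddf4fca033266df0358a0080a316db772d39
-
Filesize
9B
MD5ed5602cb0540d203f85998db92821f1d
SHA16090ee19d2e0d2fc3c65cb0bdf8242abc849ba9d
SHA25639dc0aa1c73f37aca1528e6b1dbece97e523cd1324e9b577f5dc5e2217197868
SHA51214fd93c45a129a88defac989f01df8f4a25580b83ad6b5eb5a9d1d28f6a6c68f840b2f6c71ec77558f8d4f35f8fc3f8ddcece19f3b687e40f396b153b4f79746
-
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size_bytes: Optional[int] = None  # report rounds sizes; sanity check only
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_size(text: str) -> int:
    """'1.5MB' -> 1572864.  Assumes binary units; the report does not say."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return round(float(m.group(1)) * UNITS[m.group(2)])


def parse_listing(text: str) -> List[DroppedFile]:
    records: List[DroppedFile] = []
    current = DroppedFile()
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # stanza separator
            if current.hashes:
                records.append(current)
            current = DroppedFile()
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} has {len(digest)} hex chars, want {HASH_LENGTHS[algo]}")
            current.hashes[algo] = digest
            continue
        if line.startswith("Filesize"):
            # Size is either fused ("Filesize1.5MB") or on the next line.
            rest = line[len("Filesize"):].strip() or next(lines, "")
            current.size_bytes = parse_size(rest)
            continue
        if "\\" in line:  # assumption: a backslash line is the drop path
            current.path = line
        # anything else (page chrome) is ignored
    if current.hashes:
        records.append(current)
    return records


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {name: hashlib.new(name.lower(), data).hexdigest() for name in HASH_LENGTHS}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """All four digests in one pass over the file."""
    hs = {name: hashlib.new(name.lower()) for name in HASH_LENGTHS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def find_match(records: List[DroppedFile], hashes: Dict[str, str]) -> Optional[DroppedFile]:
    """Decide on the strongest digest both sides have; a disagreeing SHA-512
    is never overridden by an agreeing MD5 (MD5/SHA-1 are collision-prone)."""
    for rec in records:
        for algo in ("SHA512", "SHA256", "SHA1", "MD5"):
            want, have = hashes.get(algo), rec.hashes.get(algo)
            if want and have:
                if want.lower() == have:
                    return rec
                break  # strongest shared digest disagrees: not this file
    return None


if __name__ == "__main__":
    records = parse_listing(LISTING)
    for rec in records:
        print(f"{rec.size_bytes} B  {rec.hashes['SHA256']}  {rec.path or '(path not listed)'}")
    for candidate in sys.argv[1:]:
        hit = find_match(records, hash_file(candidate))
        print(f"{candidate}: {'MATCH ' + hit.hashes['SHA256'] if hit else 'no match'}")
```

Run it with the paths of files recovered from a host to see which of them are in the dropped-file set. Treat the parsed size only as a sanity check, since the report rounds it, and treat a hit that rests on MD5 or SHA-1 alone as weak evidence; the sandbox provides SHA-256 and SHA-512 for every entry, so a detection rule should key on those.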