d314979381670be394531a78835a56e5e5894aa7aa43da36d86fcda97db2567b

Resubmissions

09/03/2024, 00:10

240309-agetcabb6y 8

09/03/2024, 00:06

240309-adr99sac64 8

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMASS 2.0/LicenseManager/LicenseManagerSetup.exe
Size

40.8MB
MD5

0b8af7b445e5eecf1674e198dcf422c6
SHA1

d8c0025cf41f2e313b6382001a45594e65896cd4
SHA256

c5e754131691a1362d9f28ba77e6ab2aec76b3834796c54a63b44d2a66916774
SHA512

d47617f496a7864260e94aacc7ff0c1b95b3ecb22981e09409da2bc4433a61a3ecb097053589fe58abc66eeb3c07f6f7b8d22f68aed5b2c5a94ecdc4fd1283da
SSDEEP

786432:ZIxZMrefY33o5l6QHaiWdWL22938+uNqMkyH1pK1oHEgBN:YiegHo5psdWx8+uNnH1p2opN

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\hardlock.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\system32\drivers\hardlock.sys	haspdinst_x64.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x00070000000233e6-200.dat	upx

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\akshasp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE118.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshhl33.dll	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\akshhl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\akshhl33.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshasp.inf_amd64_ebe154dbfd666efb\akshasp.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\SETDF8E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{83123634-31ea-8d4f-82f2-8405f28e8801}\akshhl.inf	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\hlvdd.dll	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\hardlock.cat	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{83123634-31ea-8d4f-82f2-8405f28e8801}\SETE05B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{83123634-31ea-8d4f-82f2-8405f28e8801}\SETE05B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE0F5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshasp.inf_amd64_ebe154dbfd666efb\akshasp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\aksusb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\SETDF8E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\SETDF8F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_69874431ab9bf72c\akshhl.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE12C.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksusb.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_69874431ab9bf72c\akshhl.inf	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksclass.sys	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshhl.cat	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\SETDF8D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\akshasp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\akshasp.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{83123634-31ea-8d4f-82f2-8405f28e8801}\SETE039.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{83123634-31ea-8d4f-82f2-8405f28e8801}\SETE05C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE0F5.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshasp.cat	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE119.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\akshhl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\aksclass.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\akshsp53.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\aksusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\SETDF8D.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshsp53.dll	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksusb5.dll	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\aksusb.inf	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksfridge.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\syswow64\hlvdd.dll	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE106.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE11A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE12B.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksdf.sys	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\hardlock.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{83123634-31ea-8d4f-82f2-8405f28e8801}\akshhl33.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\SETE11A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4aaf2dc1-e6fc-3643-98f3-b12fe1c50386}\SETDF90.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\akspccard.sys	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksusb.cat	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_69874431ab9bf72c\akshhl33.dll	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshhl.inf	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d505ba1-56fc-ec4a-af83-a7ae0dc8459f}\akshsp53.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{83123634-31ea-8d4f-82f2-8405f28e8801}\SETE04A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\akshsp53.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\aksclass.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\aksusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\it.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PANalytical.XRX.LicenseManager.chm	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\hasp_windows_97093.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\haspdnert.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PANalytical.SecureLoading.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\LicenseManagerApplication_splash.png	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PANalytical.XRX.Licensing.Core_x86.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\Virus Scan Declaration.pdf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\haspvlib_97093.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\ApplyV2C.exe	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\LicenseManagerApplication.exe	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\Application.container	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\de.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\fr.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\ru.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\zh-CN.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\hasp_rt.exe	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PanEnvCrypt.v2c	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\ReleaseAndInstallationNotes.rtf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\vendors\97093.xml	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\es.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\ja.15.1.alp	haspdinst_x64.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58d2bc.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\e58d2bc.msi	msiexec.exe
File created	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e58d2be.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	haspdinst_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{49D650A8-F245-46A6-B41E-F68E5FB52B81}	msiexec.exe
File opened for modification	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_B3A5EFFDDD314312A2CF874488528003.exe	msiexec.exe
File created	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_ECCD81C95621472699D3D3C3C6F24B09.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID78F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_ECCD81C95621472699D3D3C3C6F24B09.exe	msiexec.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_B3A5EFFDDD314312A2CF874488528003.exe	msiexec.exe
File opened for modification	C:\Windows\aksdrvsetup.log	haspdinst_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\aksdrvsetup.log	haspdinst.exe

Executes dropped EXE 3 IoCs

pid	Process
1264	LicenseManagerSetup.exe
1644	haspdinst.exe
3808	haspdinst_x64.exe

Loads dropped DLL 3 IoCs

pid	Process
2784	MsiExec.exe
1644	haspdinst.exe
3808	haspdinst_x64.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009b9629f4dfdec3790000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009b9629f40000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009b9629f4000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9b9629f4000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009b9629f400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\PackageName = "License Manager.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A056D94542F6A644BE16FE8F55BB218	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\ProductIcon = "C:\\Windows\\Installer\\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\74559A0FED301D642BF03C3ACB81D5D9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A056D94542F6A644BE16FE8F55BB218\LicenseManager	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\ProductName = "License Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\PackageCode = "9819A9F9D930DFE40A59A5B6DCD7CB82"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\74559A0FED301D642BF03C3ACB81D5D9\8A056D94542F6A644BE16FE8F55BB218	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Version = "16973826"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4204	msiexec.exe
4204	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4784	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4784	MSIEXEC.EXE
Token: SeSecurityPrivilege	4204	msiexec.exe
Token: SeCreateTokenPrivilege	4784	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4784	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4784	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4784	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4784	MSIEXEC.EXE
Token: SeTcbPrivilege	4784	MSIEXEC.EXE
Token: SeSecurityPrivilege	4784	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4784	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4784	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4784	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4784	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4784	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4784	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4784	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4784	MSIEXEC.EXE
Token: SeBackupPrivilege	4784	MSIEXEC.EXE
Token: SeRestorePrivilege	4784	MSIEXEC.EXE
Token: SeShutdownPrivilege	4784	MSIEXEC.EXE
Token: SeDebugPrivilege	4784	MSIEXEC.EXE
Token: SeAuditPrivilege	4784	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4784	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4784	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4784	MSIEXEC.EXE
Token: SeUndockPrivilege	4784	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4784	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4784	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4784	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4784	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4784	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4784	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4784	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4784	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4784	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4784	MSIEXEC.EXE
Token: SeTcbPrivilege	4784	MSIEXEC.EXE
Token: SeSecurityPrivilege	4784	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4784	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4784	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4784	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4784	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4784	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4784	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4784	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4784	MSIEXEC.EXE
Token: SeBackupPrivilege	4784	MSIEXEC.EXE
Token: SeRestorePrivilege	4784	MSIEXEC.EXE
Token: SeShutdownPrivilege	4784	MSIEXEC.EXE
Token: SeDebugPrivilege	4784	MSIEXEC.EXE
Token: SeAuditPrivilege	4784	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4784	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4784	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4784	MSIEXEC.EXE
Token: SeUndockPrivilege	4784	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4784	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4784	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4784	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4784	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4784	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4784	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4784	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4784	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4784	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1264	3608	LicenseManagerSetup.exe	92
PID 3608 wrote to memory of 1264	3608	LicenseManagerSetup.exe	92
PID 3608 wrote to memory of 1264	3608	LicenseManagerSetup.exe	92
PID 1264 wrote to memory of 4784	1264	LicenseManagerSetup.exe	97
PID 1264 wrote to memory of 4784	1264	LicenseManagerSetup.exe	97
PID 1264 wrote to memory of 4784	1264	LicenseManagerSetup.exe	97
PID 4204 wrote to memory of 2784	4204	msiexec.exe	100
PID 4204 wrote to memory of 2784	4204	msiexec.exe	100
PID 4204 wrote to memory of 2784	4204	msiexec.exe	100
PID 4204 wrote to memory of 4312	4204	msiexec.exe	112
PID 4204 wrote to memory of 4312	4204	msiexec.exe	112
PID 4204 wrote to memory of 3096	4204	msiexec.exe	114
PID 4204 wrote to memory of 3096	4204	msiexec.exe	114
PID 4204 wrote to memory of 3096	4204	msiexec.exe	114
PID 4204 wrote to memory of 1644	4204	msiexec.exe	115
PID 4204 wrote to memory of 1644	4204	msiexec.exe	115
PID 4204 wrote to memory of 1644	4204	msiexec.exe	115
PID 1644 wrote to memory of 3808	1644	haspdinst.exe	116
PID 1644 wrote to memory of 3808	1644	haspdinst.exe	116
PID 4240 wrote to memory of 4736	4240	svchost.exe	122
PID 4240 wrote to memory of 4736	4240	svchost.exe	122
PID 4240 wrote to memory of 1624	4240	svchost.exe	120
PID 4240 wrote to memory of 1624	4240	svchost.exe	120
PID 4240 wrote to memory of 4548	4240	svchost.exe	121
PID 4240 wrote to memory of 4548	4240	svchost.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager\LicenseManagerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager\LicenseManagerSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\LicenseManagerSetup.exe
  C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\LicenseManagerSetup.exe /q"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager\LicenseManagerSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\License Manager.msi" /log C:\Users\Admin\AppData\Local\Temp\LicenseManagerSetup.log SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager" SETUPEXENAME="LicenseManagerSetup.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F31135EEFBFC15EE6FFAC4DCE13C634B C
  2⤵
  - Loads dropped DLL
  PID:2784
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0412728AAB8195CB4F3E27095210FB8D
  2⤵
  PID:3096
- C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe
  "C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe" -i -cm
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe
    C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe -i -nomsg -32to64
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:3808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c7a01b62-675e-f245-bbf1-31ba452eb307}\akshasp.inf" "9" "4d1770e3f" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Windows\system32\setup\aladdin\hasphl"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4736
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4846a92d-6de1-f448-b126-f482ef467b84}\akshhl.inf" "9" "48e7fedb7" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\system32\setup\aladdin\hasphl"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1624
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{380ee709-a27e-8a4a-9806-3ced7bcf951c}\aksusb.inf" "9" "486f4dfd7" "000000000000015C" "WinSta0\Default" "0000000000000154" "208" "C:\Windows\system32\setup\aladdin\hasphl"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4548

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PANalytical\LicenseManager\LicenseManagerApplication.exe

Filesize
20KB

MD5
68373dea49681bf1d7eb22b18f6e484e

SHA1
5fc48022539d444fb76ee91aef6c78fef134dbe9

SHA256
416e8afc3ed2e11972ce1cec17b9edee3106e38a7e4710b615facd2bfc6bb395

SHA512
4063f9de49b89a5537390bda15b91466cb10a5c74c2693c7a6827778e3fcfa18ebe4c3df9a4ce606870273290b57022506fe4343eae17b707d5fb47babe50be0

Download Submit
C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe

Filesize
2.1MB

MD5
aa4d79b37cc17670aefdbf935198cf35

SHA1
08586a09c4b60aeaf41913f6a6f27f58545394c2

SHA256
3fad4c1c3fbe34ae9489864dcd2233b48b61e219ac8578ebf5b18d5df5ddca6e

SHA512
1bdf4858f0e9509f516a6d9b136cf538338b99ec2b5b8b0f2a1f597361992fec1c429214101f5bc22c7436245640e66fa9a038f732706e6fd1bede00c4675fd8

Download Submit
C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe

Filesize
3.0MB

MD5
d9ded337d3814ab72e8c38d705800cd3

SHA1
e2edcb8b8e30008d1387854bb100e33dab5619a0

SHA256
13af8b4ecefede9bcb260a69ef0ea4f50f125aedfdbe75fd6dd3ad4b3617306d

SHA512
5fd1554debc0990c5032f728559b72cc63eacb2124db729cf91f611b9cc43622657a4a2bd6541db2749c1b81320a797ea2a4cc483be48b28e22c4d2290ad4853

Download Submit
C:\Users\Admin\AppData\Local\Temp\0pdc.txt

Filesize
4KB

MD5
175c58d6c736ddd3cec0d3fe8e29b115

SHA1
2a0ddc74ab6d53931a66643c9d9d5de7865d5338

SHA256
aa9223ed8ab7ab3e555242dcc62cd25c63f129522150f56425da7740bb24e529

SHA512
32eb8af3bdba3251b70c03b2f402fc41e47178eb2c754fc9c408d7badd06af9d21e063f2673a022ca7c9bcc26eb6616ea205c601787ab0b75d1c59e70aef8e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicenseManagerSetup.log

Filesize
7KB

MD5
1e1cb92fd3c77da5105c2c135e3d69f2

SHA1
86a82cf0993309c63b35270c2ed5e0f345620953

SHA256
79c19e86868ba655f2b39a05b9752d4cf22f8773253dffa57c1d56ff1ace812a

SHA512
96af5d17cb17307fd84a7128cda1ac898e999417a247f90aa00cad01191bdd222c64ac8f189a61875dbbdcf2b568b3eae2d9a7c8a5837901fccce7f6b8bb1e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI662C.tmp

Filesize
89KB

MD5
04b8065d6aad3317e1cf6af2476eb6a5

SHA1
1df0a469e1b03152cbc2d27767a2bc67ca00275b

SHA256
dfad5b298984973d6c8566124b8564fff4dccc9006eefe08d7d7bd0e4e4bb0c6

SHA512
d0a2e9a3e449505c7f9108e6e64c55f479b5023d02efae9b50e26f07a174c5cfdf03cbfbf4e140cb3fbfab5401c2ec3eba891f9651dbd8d3ae99ec5dd807cc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI662C.tmp

Filesize
57KB

MD5
29c7f06665e74d9d37218bfc15910f3b

SHA1
511e3c44a31ca15741bce79d938374ee514a4bb7

SHA256
d7d702819b377190dfb5ff5f0534490eb7383b7765ecf55d84ec7015480dd796

SHA512
d801040e95fb723bf67184238fbbbf4d296c3eeee39e1a1b63d1d65a7f94a90f5497d36958e182fa574aacac80efe5b062ab67c8a8cdb071d1929f2ebfa15fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe

Filesize
1.1MB

MD5
fe40473d2da2873c6b112aa0e9a38924

SHA1
6085ad16998eb692972f55bcd841936912a62cb2

SHA256
7cfab09b0fcff6f419aee7bb4c10d2dfc0fc77e7ab9f4d44c8159638622ba779

SHA512
6baa1a005f58daa01bb7e1a6ed1ed38b411e8c75337ebbd019a5b46fb690c49fd5955305ebfc66975d107970c5ce19f01a0546c84b66e8560486444aeb9c1d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe

Filesize
1.2MB

MD5
385f53ed8ec2af0fd25240c443c65858

SHA1
2a44bc40ef1427bab21a06f943c4bef656c39c4e

SHA256
ae8bb026ac8f55caf3d1b6868903ff8afd973ffc4ff8abddcb6a98226e9ce8ae

SHA512
abd1c14849250597fd7d259671849161dcf221b77e33b97f2bda420b146b25f052cd58486deae0d77677d06d3ae3686fd2f25ae85c8fe50089add912d55717ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspds_windows.dll

Filesize
1.7MB

MD5
d6f947edfb0f98cc41f7facb16fc0886

SHA1
f78b2677fc67d5a57947102141385fa562e9905d

SHA256
bf079e0348830afaa6c96687070920d1404d7d5d0af64a21397f975cf63d22c6

SHA512
80922014d9e7f3845ce71bc988f519f1155159c5371af1db54d1c004025f7a18eef691a01a6bf9eabff4363d9c0f978409cc439900b80237c608297b7064ac3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspds_windows.dll

Filesize
473KB

MD5
db356b031be71766fbf96ded95ec94c3

SHA1
cb4e6885a4cae9f2ac7209b6b0da5bfa136b45d6

SHA256
98408f0e91307f9f874b95294da440422726d85c763f95d997192076079f2dc7

SHA512
158273eb26257366cad12a6e422de7435a18f62833a77f2e67176dc1353fc6d68fe8af9549a601124a254324e2e0f4302f8851ace357fa1dbf7b0b1a4a9c57d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspds_windows_x64.dll

Filesize
913KB

MD5
c5f209f6c35584d1185f3d3610380c6c

SHA1
3269507c0f338575541a879526ee69c959b7083c

SHA256
d247c121aa0ffd6efd7e24ecc2b8bd1e0ef4d4f35bfb523c3b79e59b68733795

SHA512
2493740a6f89a4a709add2ce156b40aba666fb24b8a6294fa2794b4b19fb6d715d85bd3de7460ba8f34a00e7110d8a1b1b39e975dc8fb7c92a5a7a19c7e5c68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhl01.cab

Filesize
1.1MB

MD5
271014fe17485fe73dccd3dddc627b0f

SHA1
32a1ad48757a2009d8825d26edc767c5dac22237

SHA256
530ace69fcf16dde0dd26f4f573b0367b45e2463e6ec7d291673eb3b823620be

SHA512
2ed52ff1d5113c911be2b0ca6a10f30c8a3f8a7b0b04f32077bf0598634358561221906381997d0e34a7dd28f472991898892d1a9e5c1e15f3863bd1fb579c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhl01.cab

Filesize
517KB

MD5
020aca5122e354350b7607b9510e5164

SHA1
4bf2b083f2010b107705c6436a93c77bb44af520

SHA256
ba0efb8c7a6a9b6f953804b2fd89a9da3d57dcc8f639340bbe9af3def0a20047

SHA512
9cffcc4c6d317ce64822688fc2cd272d63eb941aae4a0a00c930b661b9137f29bddbdf2fb42daa12e380b573c9603badf6e88484a50feab624b97dc65d2e7456

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\License Manager.msi

Filesize
168KB

MD5
0b2c296e75528e39ddc4184fe702f756

SHA1
a45baec80a48b7aeb58fb23d7b3c6ebb13596f47

SHA256
b382eff835e851b5f00c190877b8eef0ecd8a2d0def45e42d58f3aa65c4c43b3

SHA512
238a034b2274d83f1265ad825f0a96e253177268a50a53f535f6bca0ffd962c7bbf94fd0348d7693e5eb7b4732a85a4f8f79e6b5b98eb64d82a502dd4f7ae11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\LicenseManagerSetup.exe

Filesize
830KB

MD5
36fd7b37087fb28df5476e0c82733d20

SHA1
f7cda8e854136afb7ae54de94c2ba4e7d39876c0

SHA256
8ca633535089de7c6cce6d79195df0ad7e1dee79c6bbd3130c0d805c439c3e55

SHA512
1a70db4403ebae83c7df16bc8c12afd56fea783c111e6d14bf439e461daeaee8a860789fd7cd25cdf344df95f608b4c6d5e4c5a28384225716965135a128b186

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\LicenseManagerSetup.exe

Filesize
686KB

MD5
b406f4b111a59b701ca32e84fb119889

SHA1
c766339796efd141d8acdf6a4dfb71b460ed86d1

SHA256
5285d3f5a4b0c6699ec029b3bf5ad7c1945407228aa3e0416fc281704fea61da

SHA512
b45f693e8a21ff80e999c5f64cee4659f540af746d5c18c2d3ce6a68175d7258394cbb8d62891cd47fb708ab9e432e30999e18258ef7de2f6700d4d73d7ddb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0C82B1E0-0938-4B9C-87DA-9DBE15E5F6EA}\_ISMSIDEL.INI

Filesize
648B

MD5
e1ef9f1ba412f6ba9f659d1a6c477e72

SHA1
1d749dc110abeda407427afa522b135a25eba9a9

SHA256
b4ff14b5e3a460b22b008ad9e72e5218ad5071a46d70267639ece9c1399e0aa1

SHA512
98c93b5329127f754505862458542fd403cbe7ac795453662f04e3307c251380321732b798274ac4d8069243fc24f90b7b1e8473a5cbefa77cc59eeafff38a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4846A~1\akshhl.cat

Filesize
9KB

MD5
545a0bf637f55a48972780dbf58c8d55

SHA1
1f5369492f34aa3088b6e1433a81e1faff1d32ce

SHA256
e097b13d615ed6874e95954393017ca2b357f05ee164d5588d02545d842b5ae2

SHA512
7f2c122653f74e1e166488d0ca44827e5ec3cfb19b36c38550c36f956155e02e2f73364b814219492703943f2ab139c3758ee63eb3b9ad8a86ff3431028584c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4846A~1\akshhl33.dll

Filesize
273KB

MD5
6b7146812b4d8d282a55bb58aebe1106

SHA1
4ea6cd560bdc5c2a0a9703267b5aa05997a7c32d

SHA256
046b84032596cf064c28cfb40ab839f484304a9e8e8c05c32c09cf875b5a922b

SHA512
17c4a91ba9d4addca449696579bed70074c4a9ec559bae5879aea71fb616450a33867d60154bb262fcd8dc29c829dbbd86361892295c2f75e0736af9f8283af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4846a92d-6de1-f448-b126-f482ef467b84}\akshhl.inf

Filesize
2KB

MD5
c46095c8fbad763043c03e7333cedbcc

SHA1
1e854d5a5ad0e4f8c77d60b08aa9f2732bbf0e02

SHA256
758192f976302955fa8130ff85a0b459ac7a5df2ff05cf258c7255a5d4697dd5

SHA512
a93442a716dd58eeb710270f4a0f4d3175f3cbd0b6121ea60b1233a792a59548e7ab0417d0409c49064e649aec423c4ac9583632284792ff31d5b68d67f3bb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4F1C.tmp

Filesize
5KB

MD5
1315aa99778e319357eaa30728fb3369

SHA1
0c3610795869eabba7bf113e6b64434caf049148

SHA256
f5d115bd6743167068e550f5b5a81d915762b3ca6b052e322defd64ac69ed070

SHA512
47d3ae5200941b4211e6cef2977f4b0ed3f2b12cd514134041c6cda9d9c6f89a31ee0c7907611977d2c1df7623681d2373fc21f4396cffe10be5c608b6171d71

Download Submit
C:\Windows\Installer\e58d2bc.msi

Filesize
3.6MB

MD5
8806310d86064f4d11458db4b5e8cb9e

SHA1
bf15002050f8a31af093e5abec8e53b6e794ac02

SHA256
507fdac3539ed299e74cec6d68a38ceff8efa717d07188078c86cf847c831e9b

SHA512
e0add6d67fe5b55087c68b30690171e67688be235f8f840069abbed1818102a240669007d6d2cc222245095b96913a546c2a274ef989874fca0d4be2506edc46

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
aba34cf9079e4e8d036d363793d2d029

SHA1
503d2862278f55ac4d64fb15f07cce82811125c3

SHA256
c09bfec2598c5845000b3d132c6580b93c879bad8f6021875a7459a3f517009c

SHA512
efa23cc133b5ea177ba043df724dd30f1a4411a2f1fbd376b72a17e0c2a9b47e958de24039250199b4c51b186d251703cd615ddbe896020a0efb7e2dd1afb97e

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
44c3c1197639b15c45d60ccf2452c943

SHA1
149fe8e04f9c163121585e7336a4f648fbeb1c75

SHA256
018010fa51f086795c1a8630f49966f1d61c18c65e3b55505ffccf0830b48e35

SHA512
d4bf191fff88abda830c40906194bab98ffa7ef486e02ae6d444b1b7bfe5391e29b7bcb9387cb4d5ed0011e0112dc1e7159998630536e6639600cc3c2163f1b3

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
e305eff3c219b7487a4622b4a4473988

SHA1
ee1f83b322b6c79a33f5b74a629f7f2f28c63386

SHA256
3c63dd1e75e0aa021516d40cb754f0e0fa0d9974a6a6f516f526818fb712cadc

SHA512
07b235e159165bb5f7ac57fcfec12fa01837d0ee5c468ebd42b2c41d3748253f8ab025c0d113ee2110413f2269bffe432f2ecb9a251781f81f6e1790e5345069

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksclass.sys

Filesize
30KB

MD5
c9fe36d2bb921a06a0e6b247273734ab

SHA1
4c552e3097d238455668b2e0173d19e942254431

SHA256
740bffacf2f383c9e5180203adc7fcb8476df876a1097791b97cea8d7689c11a

SHA512
703568c05193c1289469bc59d9596d42439f433e6e67e37f7135df232abf5766b51407016f691cb6dd5be1beb97324c73caa9df9ab5c3844dceb982a9d046bfb

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshasp.cat

Filesize
9KB

MD5
db676cf7da13308a53380addcf2d273c

SHA1
b61190e5ca0569d092ff0470daebec584814931e

SHA256
f4739fca522e29627af4ae3eb8149fb89ddea18631cd1f9ba29deb2e845f353a

SHA512
7a41bbbfa7b1ae01792c043e7c677902cca398c98b77e781f49ccdc8a8cd86ada70809c49fe36b9adc925369251c78968289e9c04460d267debdf0675c5d9766

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshasp.inf

Filesize
2KB

MD5
34f5a5f56ddea6ef57022046d5c03e8f

SHA1
62de609029398186648359815e68ca9e3fdcc2cc

SHA256
2083bca634feb5c9faf3eb2a4488ac1faec2bd36f6c6de53277be528509a3e7c

SHA512
9ff5390f9ffd73df2f7963d252ea5d09590bdfe2be3c340535c9cc2d845abe15d2a3a37781a9466bb6cd34c5749625ab86a01624be4a7cf32ef861cc3b6f8dd9

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshasp.sys

Filesize
67KB

MD5
f1adc7ded5184045a47e02a85bf2917c

SHA1
2f3711aeb6e50d1c35040acaecbdc6aa930719dd

SHA256
3c635791b9b514a152ff9b3a853458864acdf668ba72d4a8b2840619ad93055b

SHA512
40161eb931c3fe7a2af2060e5f7ed3cd608bd61377112e73a6a0d7c114ea9cfd60ab01a609628f4c1d70a68d097113efd78cd26a5ed127c517c74cc56ea9e17f

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshhl.sys

Filesize
66KB

MD5
d885a9cd59ef699df92d163a365119ec

SHA1
0080abf2536cbf47f2c656483f41debaa99ab996

SHA256
4a80438e8c8aa89b9e356fb9320b57d7c01c9b1ff66e7b8fdf69d4022024750c

SHA512
4bbaba4f3b7aa570855e20352293523cfbfcbf8d615fd1593e032841ae5e41ad05c981efdbe2fe3cc34f813b27e6e6e523b34abb32bd3606472d5c441eb5ac23

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshsp53.dll

Filesize
72KB

MD5
a462556de56256e4e27a92e84f16e0b6

SHA1
b333a7df15d813ca3a4ee7caa897be7657322946

SHA256
488a800297c3357e855937730a51ac61fce86ef42d34c467c1109789f1fab385

SHA512
b3876d96b36ff89e1e1b6ea5a340086b98f1ff2f0de8f86b221372198d3f4820ae3c168b1332b5292672390757ed13b6df47099023d7502a2de639c6b80a558c

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb.cat

Filesize
11KB

MD5
0dc3fd5d19ebd6c1525c547fbf5a9d0d

SHA1
2f50b13a9380b85096bbe42b26a2cba8f6607daf

SHA256
a71d9d4ce4ed79325fb708502c8e3e3adf3dd6b36e0acd878150cbd32396a5cf

SHA512
894b578fb0195b1336c69a953fa3fc5db89b63b68cfdcda8a4498fe30518fe5df2ac9326f5b81324ce23b5c68892bfb1c49c3d32b1d1cab03e70e94d71b967c9

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb.inf

Filesize
2KB

MD5
086aa6a5eac4bdebb28aef6e4a63ce41

SHA1
cd475bc06cd13d105f92ce92fbd2f69b39f6e15f

SHA256
10a13e9a15a18016a8bdbc2b235dffb819e4229a7f5a7c352d3fb0923a569b7f

SHA512
a06a2c1e32c95d16cc401c137c5cc63b8ae37ec92df0043ad10f6f348ebf2240d1108e0e3f3b42f139270d0dfe20d4242f765dee829b6e4e49f86c1d16b9b7e0

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb.sys

Filesize
306KB

MD5
b3b72750906bd3db26067c31bc06572a

SHA1
23c270f303306c42d660fa873f4813e340596c35

SHA256
63ac9315688dc5c67b79dbbd0205f69e3dafec1c4cb104b9f806809472819142

SHA512
f3796f194626ae0b49034f353188a4464096df3450e01dbc1c11e32d6f57e9f3dfcbbf5a3daae80512558f5e46284d96551fb2673a5b23f929e8fefdb7ea0aa4

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb5.dll

Filesize
83KB

MD5
ad417d60cfbe9c46507852273a8cbdc1

SHA1
c5e590667cd0b4b6e1acfa378952f794afe533a6

SHA256
514972afcd1d1f3792cba8434e7b1ac0a2bb04752597d2372882726d725e9b1d

SHA512
261106b9c76f3387fc61a5a22ae4f5a99233e636ca56051d4d278e55736a36f5d3e2177637440d3c3798a476c011b0de357356d0411da95f1d5a3cea26b01424

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\hardlock.sys

Filesize
1.9MB

MD5
a3b46f3b34f97c81fa956026769f0c39

SHA1
40e530c48c7a2797a11c0d38287e274e3df32b93

SHA256
1d3e3dc116eb68c6a22ef06d92c06ce9f650cb8fa772c623545d2b974f87520a

SHA512
e7f6687cf7bcb3d8757a0a1243facc4304df69bf1a9de41b34e15784b378ac9f9db487873ec74bd6ba79d4d52544e21e9fc78b888491195849b50acb70601b5e

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\hlvdd.dll

Filesize
201KB

MD5
48f5fd0e76cc410b525f23ec8968357b

SHA1
e65bf34f3fbd2a35f0baf9a840fedd60ec327b3f

SHA256
587d166830beb63866394c3738c40931958cb1703b3be3dc035f8913ce3c816b

SHA512
9f4932e0159ac0a864c8cc77c027270aacef6789dac6669ed6a7b0d4e4e25584c420b1d48d47a2093c64395ec620e31736c2161628d01c0f3a7108a4e8a9b162

Download Submit
C:\Windows\aksdrvsetup.log

Filesize
1KB

MD5
071c3c362bf2e00bf7ee51dbea34ab9c

SHA1
5cdd797eb6a88679788c741494eb0c1b7f5bd688

SHA256
e58f6c6c0855c1b70930ddb87e4123d1b34de59b6d464746175827bbb4261b94

SHA512
519adcf5a376dc01302a16b5b7359ec4177867f8200f1996445b294dba60926f41d2137f6ab926673cdd580eaf3b19f4b7b1844af6c650512f5d8b029a8f7db5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
10.6MB

MD5
268063fc96914cb358054da936bae159

SHA1
b7c2ea632ab3afde223828d801fec0718689eb59

SHA256
fd50f041559ec37d608905c481066b0c019e457cf6778f4453042f6e0d580f1b

SHA512
06271e80c918cbf218aa3e4ef8128f7958468bb6b878b2f966dc91baab381e7832c8fb9d3826e1f65ddd25a1a7d6f8595911fd903c1cb29fbe20dfb2d826c505

Download Submit
\??\Volume{f429969b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{643b1652-9bb0-4249-b9d0-b9e324f3b6d0}_OnDiskSnapshotProp

Filesize
6KB

MD5
91c0a2643e23b0cd18f214e3b57730d4

SHA1
565a6167077daca99d32624a88b842765927fbc1

SHA256
03ee828bdcb5e411e32f02b1d47788f13f9ddf92f50e89de0cb3034441c8d5f3

SHA512
54c788647748c961f6bcfda89f5f08d337f4efdb0d2e98d71e74697a0e87ce12af9877c1b52e4180528775ea6d000283fcb659d621c1cc6013f7444d0682e5cf

Download Submit