d314979381670be394531a78835a56e5e5894aa7aa43da36d86fcda97db2567b

Resubmissions

09/03/2024, 00:10

240309-agetcabb6y 8

09/03/2024, 00:06

240309-adr99sac64 8

Analysis

max time kernel
136s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMASS 2.0/LicenseManager/LicenseManagerSetup.exe
Size

40.8MB
MD5

0b8af7b445e5eecf1674e198dcf422c6
SHA1

d8c0025cf41f2e313b6382001a45594e65896cd4
SHA256

c5e754131691a1362d9f28ba77e6ab2aec76b3834796c54a63b44d2a66916774
SHA512

d47617f496a7864260e94aacc7ff0c1b95b3ecb22981e09409da2bc4433a61a3ecb097053589fe58abc66eeb3c07f6f7b8d22f68aed5b2c5a94ecdc4fd1283da
SSDEEP

786432:ZIxZMrefY33o5l6QHaiWdWL22938+uNqMkyH1pK1oHEgBN:YiegHo5psdWx8+uNnH1p2opN

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\hardlock.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\system32\drivers\hardlock.sys	haspdinst_x64.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x00070000000232d7-199.dat	upx

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\SETC197.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshasp.inf_amd64_ebe154dbfd666efb\akshasp.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\akshhl.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\aksusb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\aksusb5.dll	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshhl.cat	haspdinst_x64.exe
File created	C:\Windows\syswow64\hlvdd.dll	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\SETA2F2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\SETC679.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\SETC6AD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\aksusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\akshhl33.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_69874431ab9bf72c\akshhl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\akshhl33.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\SETC69C.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\hardlock.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\syswow64\hlvdd.dll	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\SETA343.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\SETC679.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\akshasp.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\aksclass.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\akshasp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\SETA313.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\SETC186.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\akshhl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\aksusb.inf	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\hardlock.cat	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\SETC1A8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\akshsp53.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\SETA343.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\SETC1A8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_69874431ab9bf72c\akshhl.inf	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshhl.inf	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshhl.sys	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\akspccard.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\SETC6BE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksclass.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\aksusb.cat	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshsp53.dll	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\akshasp.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\SETC186.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshhl33.dll	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksfridge.sys	haspdinst_x64.exe
File created	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\SETC68A.tmp	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\akshasp.cat	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksusb.inf	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\SETA302.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshasp.inf_amd64_ebe154dbfd666efb\akshsp53.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\SETC198.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{998efb70-6350-a347-909c-6a92e78ce14f}\SETC198.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_69874431ab9bf72c\akshhl33.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\akshhl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_b496304d4eb1ff2c\akshhl33.dll	DrvInst.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksusb5.dll	haspdinst_x64.exe
File created	C:\Windows\system32\setup\aladdin\hasphl\aksusb.sys	haspdinst_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca0582d4-2b1f-634b-bcdb-5eb74419bc44}\SETA2F2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{09edbfc7-fe76-b548-982d-1764d171e6c5}\SETC668.tmp	DrvInst.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PanEnvCrypt.v2c	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\vendors\97093.xml	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\es.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\fr.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\zh-CN.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\LicenseManagerApplication.exe	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\hasp_rt.exe	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PANalytical.SecureLoading.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\haspvlib_97093.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\de.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\ru.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PANalytical.XRX.LicenseManager.chm	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\Application.container	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\haspdnert.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\PANalytical.XRX.Licensing.Core_x86.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\ApplyV2C.exe	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\hasp_windows_97093.dll	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\LicenseManagerApplication_splash.png	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\ReleaseAndInstallationNotes.rtf	msiexec.exe
File created	C:\Program Files (x86)\PANalytical\LicenseManager\Virus Scan Declaration.pdf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\it.15.1.alp	haspdinst_x64.exe
File created	C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\templates\ja.15.1.alp	haspdinst_x64.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\aksdrvsetup.log	haspdinst_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_B3A5EFFDDD314312A2CF874488528003.exe	msiexec.exe
File created	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_ECCD81C95621472699D3D3C3C6F24B09.exe	msiexec.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\e5867fc.msi	msiexec.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\Installer\e5867fc.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_B3A5EFFDDD314312A2CF874488528003.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ShortcutLicenseMan_ECCD81C95621472699D3D3C3C6F24B09.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	haspdinst_x64.exe
File opened for modification	C:\Windows\aksdrvsetup.log	haspdinst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{49D650A8-F245-46A6-B41E-F68E5FB52B81}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76A2.tmp	msiexec.exe
File created	C:\Windows\Installer\e5867fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\ARPPRODUCTICON.exe	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
4568	LicenseManagerSetup.exe
2608	haspdinst.exe
4736	haspdinst_x64.exe

Loads dropped DLL 3 IoCs

pid	Process
2156	MsiExec.exe
2608	haspdinst.exe
4736	haspdinst_x64.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008fdc540eeb98985f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008fdc540e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008fdc540e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8fdc540e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008fdc540e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	haspdinst_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	haspdinst_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Version = "16973826"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\ProductName = "License Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\ProductIcon = "C:\\Windows\\Installer\\{49D650A8-F245-46A6-B41E-F68E5FB52B81}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A056D94542F6A644BE16FE8F55BB218	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\PackageCode = "9819A9F9D930DFE40A59A5B6DCD7CB82"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\74559A0FED301D642BF03C3ACB81D5D9\8A056D94542F6A644BE16FE8F55BB218	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A056D94542F6A644BE16FE8F55BB218\LicenseManager	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\74559A0FED301D642BF03C3ACB81D5D9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\PackageName = "License Manager.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{746988E5-1DBF-4F0F-B659-195284C31491}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{746988E5-1DBF-4F0F-B659-195284C31491}\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A056D94542F6A644BE16FE8F55BB218\Language = "1033"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4944	msiexec.exe
4944	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	740	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	740	MSIEXEC.EXE
Token: SeSecurityPrivilege	4944	msiexec.exe
Token: SeCreateTokenPrivilege	740	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	740	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	740	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	740	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	740	MSIEXEC.EXE
Token: SeTcbPrivilege	740	MSIEXEC.EXE
Token: SeSecurityPrivilege	740	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	740	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	740	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	740	MSIEXEC.EXE
Token: SeSystemtimePrivilege	740	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	740	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	740	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	740	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	740	MSIEXEC.EXE
Token: SeBackupPrivilege	740	MSIEXEC.EXE
Token: SeRestorePrivilege	740	MSIEXEC.EXE
Token: SeShutdownPrivilege	740	MSIEXEC.EXE
Token: SeDebugPrivilege	740	MSIEXEC.EXE
Token: SeAuditPrivilege	740	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	740	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	740	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	740	MSIEXEC.EXE
Token: SeUndockPrivilege	740	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	740	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	740	MSIEXEC.EXE
Token: SeManageVolumePrivilege	740	MSIEXEC.EXE
Token: SeImpersonatePrivilege	740	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	740	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	740	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	740	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	740	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	740	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	740	MSIEXEC.EXE
Token: SeTcbPrivilege	740	MSIEXEC.EXE
Token: SeSecurityPrivilege	740	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	740	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	740	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	740	MSIEXEC.EXE
Token: SeSystemtimePrivilege	740	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	740	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	740	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	740	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	740	MSIEXEC.EXE
Token: SeBackupPrivilege	740	MSIEXEC.EXE
Token: SeRestorePrivilege	740	MSIEXEC.EXE
Token: SeShutdownPrivilege	740	MSIEXEC.EXE
Token: SeDebugPrivilege	740	MSIEXEC.EXE
Token: SeAuditPrivilege	740	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	740	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	740	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	740	MSIEXEC.EXE
Token: SeUndockPrivilege	740	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	740	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	740	MSIEXEC.EXE
Token: SeManageVolumePrivilege	740	MSIEXEC.EXE
Token: SeImpersonatePrivilege	740	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	740	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	740	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	740	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	740	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
740	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4568	4340	LicenseManagerSetup.exe	90
PID 4340 wrote to memory of 4568	4340	LicenseManagerSetup.exe	90
PID 4340 wrote to memory of 4568	4340	LicenseManagerSetup.exe	90
PID 4568 wrote to memory of 740	4568	LicenseManagerSetup.exe	97
PID 4568 wrote to memory of 740	4568	LicenseManagerSetup.exe	97
PID 4568 wrote to memory of 740	4568	LicenseManagerSetup.exe	97
PID 4944 wrote to memory of 2156	4944	msiexec.exe	100
PID 4944 wrote to memory of 2156	4944	msiexec.exe	100
PID 4944 wrote to memory of 2156	4944	msiexec.exe	100
PID 4944 wrote to memory of 4792	4944	msiexec.exe	109
PID 4944 wrote to memory of 4792	4944	msiexec.exe	109
PID 4944 wrote to memory of 3612	4944	msiexec.exe	112
PID 4944 wrote to memory of 3612	4944	msiexec.exe	112
PID 4944 wrote to memory of 3612	4944	msiexec.exe	112
PID 4944 wrote to memory of 2608	4944	msiexec.exe	114
PID 4944 wrote to memory of 2608	4944	msiexec.exe	114
PID 4944 wrote to memory of 2608	4944	msiexec.exe	114
PID 2608 wrote to memory of 4736	2608	haspdinst.exe	116
PID 2608 wrote to memory of 4736	2608	haspdinst.exe	116
PID 1480 wrote to memory of 4288	1480	svchost.exe	118
PID 1480 wrote to memory of 4288	1480	svchost.exe	118
PID 1480 wrote to memory of 4784	1480	svchost.exe	119
PID 1480 wrote to memory of 4784	1480	svchost.exe	119
PID 1480 wrote to memory of 4260	1480	svchost.exe	120
PID 1480 wrote to memory of 4260	1480	svchost.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager\LicenseManagerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager\LicenseManagerSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\LicenseManagerSetup.exe
  C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\LicenseManagerSetup.exe /q"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager\LicenseManagerSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\License Manager.msi" /log C:\Users\Admin\AppData\Local\Temp\LicenseManagerSetup.log SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\LicenseManager" SETUPEXENAME="LicenseManagerSetup.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33DA5639283B633E6FF9D85AB79D7793 C
  2⤵
  - Loads dropped DLL
  PID:2156
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4792
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A67532671457731DB5B7FC060F3FFBED
  2⤵
  PID:3612
- C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe
  "C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe" -i -cm
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe
    C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe -i -nomsg -32to64
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    PID:4736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f2527557-f44c-9744-9820-994a58c9c09b}\akshasp.inf" "9" "4d1770e3f" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "C:\Windows\system32\setup\aladdin\hasphl"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4288
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{40b9681a-3610-4145-a2be-8f9ab3ecbdfe}\akshhl.inf" "9" "48e7fedb7" "0000000000000164" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\system32\setup\aladdin\hasphl"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4784
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{30f6254d-b4c1-dc4c-b9b4-8a3c2b3b97c8}\aksusb.inf" "9" "486f4dfd7" "000000000000015C" "WinSta0\Default" "0000000000000170" "208" "C:\Windows\system32\setup\aladdin\hasphl"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PANalytical\LicenseManager\LicenseManagerApplication.exe

Filesize
20KB

MD5
68373dea49681bf1d7eb22b18f6e484e

SHA1
5fc48022539d444fb76ee91aef6c78fef134dbe9

SHA256
416e8afc3ed2e11972ce1cec17b9edee3106e38a7e4710b615facd2bfc6bb395

SHA512
4063f9de49b89a5537390bda15b91466cb10a5c74c2693c7a6827778e3fcfa18ebe4c3df9a4ce606870273290b57022506fe4343eae17b707d5fb47babe50be0

Download Submit
C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe

Filesize
9.0MB

MD5
d5ae882d43c9e12312a72f3428fbf8f5

SHA1
b37ca247084258a34c0817116bddfe081d944696

SHA256
634f381b07e9e9261ca959b7b5cee75bbfcbcbed70b739cab3d3cd0e1f46a3be

SHA512
5888508a5199cb2e41d3779f1fdfd38328eca425fcb4f8a7cd9b0969f9b0155383f874323a61602c5d3c3a1d1f898b365e337038a8296cfb96b22925c3f58da2

Download Submit
C:\Program Files (x86)\PANalytical\LicenseManager\haspdinst.exe

Filesize
10.1MB

MD5
02d9f563726b408344ad882319343f61

SHA1
d99617934074cce9a48a7ea4085e60aaa9a8624d

SHA256
9c588855eb15baf3524af6511b22d65f3810e26b32dee5cb45f140d5470ecf74

SHA512
446b4f3dd896dbff0a77d9c3ff9f6e16ad76911617cc83bfa776617fcc7093143f072c3f4dc249c3c9c84499475acdcb6568732a3a155fd9988e7a41a7787771

Download Submit
C:\Users\Admin\AppData\Local\Temp\0pdc.txt

Filesize
4KB

MD5
175c58d6c736ddd3cec0d3fe8e29b115

SHA1
2a0ddc74ab6d53931a66643c9d9d5de7865d5338

SHA256
aa9223ed8ab7ab3e555242dcc62cd25c63f129522150f56425da7740bb24e529

SHA512
32eb8af3bdba3251b70c03b2f402fc41e47178eb2c754fc9c408d7badd06af9d21e063f2673a022ca7c9bcc26eb6616ea205c601787ab0b75d1c59e70aef8e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicenseManagerSetup.log

Filesize
7KB

MD5
adab0646ccd5440682524d75011cc960

SHA1
91e472819dabb3362fe25b26937784cb6d29e447

SHA256
3bd614bc06f462ec3cd5f3e968fb3a24f2f1d58aa33ac7ef8959ff411a5e2fa9

SHA512
88ce5ceb7af0e33548c98b7b2fd895655346d0a34645af63d17e7578f19798cc45d076add8473f4dccbcbc6bbf72b5d1383ec46d030e8221e4f143e4af512905

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICCA6.tmp

Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe

Filesize
8.2MB

MD5
6f8736db30a30395930cd3ea1d3190fa

SHA1
e9235385ec3e415eb859cb190ee87b06d4ac4e7e

SHA256
a505a29dbdb6d04a6fe69779182923976a6d7f3144567c4a1c41642e91213e77

SHA512
5835fb67f5c982aa3b94c91481d7ea5cbd8ecc50cec47859c6fe2565b839e70ff7226040c829c59a4a74c314f44ca0e4992b4f9cac96e5b5e63b37ac0c4965f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspdinst_x64.exe

Filesize
9.1MB

MD5
09e0f7a085a9e5119680203b013dd878

SHA1
33ea541b9a194cd916c76a01fb2ae277af8fab2e

SHA256
9fe923532e970333e5ef917739cc27b69dfcfc3fc14b2bffa7c1b30cb852fd44

SHA512
c6d8c80b6fef6bf910c179060534e4f2d22bcc1718f49ad6c9b78bef2602184d814c3249ce4eaf315a52ed63d0c1615d7cd4fb3819836b35f8ec7366c26378bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspds_windows.dll

Filesize
14.2MB

MD5
495855a5077e051bd96ac75c3cc0f280

SHA1
478d7099e364aac12516c027ab2955e1573bf1e2

SHA256
23c68f278293fd0f8dcf60f78a66630de268f332cc56f9fde1c5e9d3a0182dcb

SHA512
3749e66be483bd16169bae57866767e076087fd38ddc3836759730a1f2ec74797a70ee23c7b408911b23416c8817e3323a6e5762d42c6ae609d5cae0dfe0ca59

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspds_windows.dll

Filesize
896KB

MD5
d7ca000ec0ae59f10c9c25c4504e1b1d

SHA1
681366aef53624394d99efd383a14ad3027fac48

SHA256
2d9bfdd956ee9d3b51352c8e9e8f812289da5f3f2d14ef3564f45d1a24154324

SHA512
ee6826fe513741fae28d45cd6fbb22fbaa96608cfb92df06d6c5db81c2515ebfc8d3ad3023ffa7d8fba00ec7871d2c4ff1f0e051a78b13ce88e49341395c8aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\haspds_windows_x64.dll

Filesize
9.2MB

MD5
5bb0a87d220a0e9a089f29904176778f

SHA1
165ab90dc46fede1ee7a8aaafd0068d9d7c9bbb5

SHA256
e9794089902ed5c0488d7fb3f7ce0ed6cca1aa9caeed16ddaaa8403d44a66160

SHA512
aa5d0e4a84c86aa199a70968fd1e28c4e2a253a69614da09722f55d4ec1cd241068a68b2fa39a21ad45354ca90022bdaa05d7c2f84aaad8d2a4219ca686d2046

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhl01.cab

Filesize
8.0MB

MD5
f03c2d060fbd807496fa56c8813b92ef

SHA1
9582715586ed908e9ee9566e7feab9d00123300c

SHA256
1d313fa33111704af145c65a215a98888e79b34127ec84251cd9400b5a791fa7

SHA512
f2dcd527b480500c7b6af29ed280de0ee045027980beffb4bdf90a4e81f8bb2d95d637d4aa857a69b36e0de882779b06c0aee850aa2d6d78643f58235233f8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\License Manager.msi

Filesize
34.1MB

MD5
c2b39166996bdc9001811a08a904d7a8

SHA1
135543ae1ccd2185248d8db945208f95ac8b1d4e

SHA256
8cec6b6f938a8a9ec837cea96b4c8e647998108cb4106740618cf6c8ba4c9449

SHA512
7eec4492622758285afecff4ed9176c86c63eb8fac6488619d7ea49b54c2018b01ecab729de17b0204ded23981f2729e9008fc0dda529c6e800a0ecda5fd38f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\LicenseManagerSetup.exe

Filesize
14.1MB

MD5
585278408aa8c7abd46e740ef7f60199

SHA1
dbc8a028d54f00bbe038ffcd1ba0c65d65a9ef0d

SHA256
f358c322c547bfa8484459de2cc0899bf9d0c112a7ee7a45a164666bb766258d

SHA512
5d7b4e618ab38f157e86f81047557d2fa577b5b3bf39e52e9eec217654948588b2169f2851781ee135313b4782a7aed30999989253c3cf42e09363c0c35e222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\LicenseManagerSetup.exe

Filesize
14.4MB

MD5
34d9cdea93614f40aa0ae7625c69fee8

SHA1
134d25e0535f6e4ae46e8dd0bf794f48021495ac

SHA256
c2ed08695713fc01fda078b07d97c7ea2127f115637633d122823729ed1c4962

SHA512
abb0182a0f035dd7f53c43ac3f4fb2eb09721f741d3d9f07250abc7550e17b5351bea7c449f915aa1494e2ea53e4d4ff6c699d5c05eefbb2bf8838c9ffe081a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{746988E5-1DBF-4F0F-B659-195284C31491}\_ISMSIDEL.INI

Filesize
648B

MD5
8c185dd4491dd612b04ba891af012b70

SHA1
e9bd13304749207fc58be605c94cd0658443eabe

SHA256
81a35ba253db4a03fe4b4a7491682db176d502f6da55a45bd63c352be9441b69

SHA512
f88ba7061a0e6de6c9e0bbbeffb4c34dce1614181b7a8f9b0393bb24bf2803e54146829e755b77298cfe5e29c540c9b04915971c6ef3729e24b0b21a0b987317

Download Submit
C:\Users\Admin\AppData\Local\Temp\~AE05.tmp

Filesize
5KB

MD5
1315aa99778e319357eaa30728fb3369

SHA1
0c3610795869eabba7bf113e6b64434caf049148

SHA256
f5d115bd6743167068e550f5b5a81d915762b3ca6b052e322defd64ac69ed070

SHA512
47d3ae5200941b4211e6cef2977f4b0ed3f2b12cd514134041c6cda9d9c6f89a31ee0c7907611977d2c1df7623681d2373fc21f4396cffe10be5c608b6171d71

Download Submit
C:\Windows\Installer\e5867fc.msi

Filesize
10.5MB

MD5
b2acc85ba0ec994b8bc0bd4c640db950

SHA1
0d608b2c1dfe5a1c2810dea557174ddb71cf0bcf

SHA256
78a662d3c84c6af25d39dac0c47d9e65b16873d1d485ca47182076bdf570bb02

SHA512
10e6175566beaa059deb96bd60efc4dae25f7195ccb45ce162631a71285c08c4c70271c03b319883913618de96770ba4a4bfc5dae09ebe90d32113546734c360

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
0b8938ad7634e5ddc947e7e2a325b0f7

SHA1
a71f7451342a85db71b1e533921ead02306128bb

SHA256
38c7329a6656b1f5234a7cca905276d6f81c86b7b5bc29877b1dee55248fa297

SHA512
231de7f634d886aafa463fbe55ffce2a2620e7ef6a326b00e43411bedf196f872f70ba76e71e0e680f07ff82bb8898e1cce6a1a5806c1a526c9da1dbfab3da5b

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
0eefd129c412c322ee7d56640790ab53

SHA1
27da2b1e3e5d9d86e31bd3ba676dea09764c16fc

SHA256
520ed2fc5972942623f5260d79202ceed17c8ba55bcb1332c2484848ba8cd8ae

SHA512
b048b5595c79c9a4dfe4fcb9322dd4712007bba395bf5109e05c6245d587b49d43e4978e9b06eceb64438520057ad6bb2a2d7bcca56a3d3e06fd112ac9443d26

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
d568e73105c6ee910297fbdd25ec5888

SHA1
d2ab6ed84d7b91d66cd405b87f986852f2bdd591

SHA256
327215ae53ce8225734fb3d1c1a7ed2ede98c754a6fe5b25c72434d88c3c635d

SHA512
de7ee4dd1fa2b8f868f870a1aad8cdaf237d52da7c8966c8ca8162c195e6e6608cd8a9e5827d50839033ae8c8250010f6d986f1c65d37f6075a83fa889f5b657

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksclass.sys

Filesize
30KB

MD5
c9fe36d2bb921a06a0e6b247273734ab

SHA1
4c552e3097d238455668b2e0173d19e942254431

SHA256
740bffacf2f383c9e5180203adc7fcb8476df876a1097791b97cea8d7689c11a

SHA512
703568c05193c1289469bc59d9596d42439f433e6e67e37f7135df232abf5766b51407016f691cb6dd5be1beb97324c73caa9df9ab5c3844dceb982a9d046bfb

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshasp.cat

Filesize
9KB

MD5
db676cf7da13308a53380addcf2d273c

SHA1
b61190e5ca0569d092ff0470daebec584814931e

SHA256
f4739fca522e29627af4ae3eb8149fb89ddea18631cd1f9ba29deb2e845f353a

SHA512
7a41bbbfa7b1ae01792c043e7c677902cca398c98b77e781f49ccdc8a8cd86ada70809c49fe36b9adc925369251c78968289e9c04460d267debdf0675c5d9766

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshasp.inf

Filesize
2KB

MD5
34f5a5f56ddea6ef57022046d5c03e8f

SHA1
62de609029398186648359815e68ca9e3fdcc2cc

SHA256
2083bca634feb5c9faf3eb2a4488ac1faec2bd36f6c6de53277be528509a3e7c

SHA512
9ff5390f9ffd73df2f7963d252ea5d09590bdfe2be3c340535c9cc2d845abe15d2a3a37781a9466bb6cd34c5749625ab86a01624be4a7cf32ef861cc3b6f8dd9

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshasp.sys

Filesize
67KB

MD5
f1adc7ded5184045a47e02a85bf2917c

SHA1
2f3711aeb6e50d1c35040acaecbdc6aa930719dd

SHA256
3c635791b9b514a152ff9b3a853458864acdf668ba72d4a8b2840619ad93055b

SHA512
40161eb931c3fe7a2af2060e5f7ed3cd608bd61377112e73a6a0d7c114ea9cfd60ab01a609628f4c1d70a68d097113efd78cd26a5ed127c517c74cc56ea9e17f

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshhl.cat

Filesize
9KB

MD5
545a0bf637f55a48972780dbf58c8d55

SHA1
1f5369492f34aa3088b6e1433a81e1faff1d32ce

SHA256
e097b13d615ed6874e95954393017ca2b357f05ee164d5588d02545d842b5ae2

SHA512
7f2c122653f74e1e166488d0ca44827e5ec3cfb19b36c38550c36f956155e02e2f73364b814219492703943f2ab139c3758ee63eb3b9ad8a86ff3431028584c1

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshhl.inf

Filesize
2KB

MD5
c46095c8fbad763043c03e7333cedbcc

SHA1
1e854d5a5ad0e4f8c77d60b08aa9f2732bbf0e02

SHA256
758192f976302955fa8130ff85a0b459ac7a5df2ff05cf258c7255a5d4697dd5

SHA512
a93442a716dd58eeb710270f4a0f4d3175f3cbd0b6121ea60b1233a792a59548e7ab0417d0409c49064e649aec423c4ac9583632284792ff31d5b68d67f3bb29

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshhl.sys

Filesize
66KB

MD5
d885a9cd59ef699df92d163a365119ec

SHA1
0080abf2536cbf47f2c656483f41debaa99ab996

SHA256
4a80438e8c8aa89b9e356fb9320b57d7c01c9b1ff66e7b8fdf69d4022024750c

SHA512
4bbaba4f3b7aa570855e20352293523cfbfcbf8d615fd1593e032841ae5e41ad05c981efdbe2fe3cc34f813b27e6e6e523b34abb32bd3606472d5c441eb5ac23

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshhl33.dll

Filesize
273KB

MD5
6b7146812b4d8d282a55bb58aebe1106

SHA1
4ea6cd560bdc5c2a0a9703267b5aa05997a7c32d

SHA256
046b84032596cf064c28cfb40ab839f484304a9e8e8c05c32c09cf875b5a922b

SHA512
17c4a91ba9d4addca449696579bed70074c4a9ec559bae5879aea71fb616450a33867d60154bb262fcd8dc29c829dbbd86361892295c2f75e0736af9f8283af2

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\akshsp53.dll

Filesize
72KB

MD5
a462556de56256e4e27a92e84f16e0b6

SHA1
b333a7df15d813ca3a4ee7caa897be7657322946

SHA256
488a800297c3357e855937730a51ac61fce86ef42d34c467c1109789f1fab385

SHA512
b3876d96b36ff89e1e1b6ea5a340086b98f1ff2f0de8f86b221372198d3f4820ae3c168b1332b5292672390757ed13b6df47099023d7502a2de639c6b80a558c

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb.cat

Filesize
11KB

MD5
0dc3fd5d19ebd6c1525c547fbf5a9d0d

SHA1
2f50b13a9380b85096bbe42b26a2cba8f6607daf

SHA256
a71d9d4ce4ed79325fb708502c8e3e3adf3dd6b36e0acd878150cbd32396a5cf

SHA512
894b578fb0195b1336c69a953fa3fc5db89b63b68cfdcda8a4498fe30518fe5df2ac9326f5b81324ce23b5c68892bfb1c49c3d32b1d1cab03e70e94d71b967c9

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb.inf

Filesize
2KB

MD5
086aa6a5eac4bdebb28aef6e4a63ce41

SHA1
cd475bc06cd13d105f92ce92fbd2f69b39f6e15f

SHA256
10a13e9a15a18016a8bdbc2b235dffb819e4229a7f5a7c352d3fb0923a569b7f

SHA512
a06a2c1e32c95d16cc401c137c5cc63b8ae37ec92df0043ad10f6f348ebf2240d1108e0e3f3b42f139270d0dfe20d4242f765dee829b6e4e49f86c1d16b9b7e0

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb.sys

Filesize
306KB

MD5
b3b72750906bd3db26067c31bc06572a

SHA1
23c270f303306c42d660fa873f4813e340596c35

SHA256
63ac9315688dc5c67b79dbbd0205f69e3dafec1c4cb104b9f806809472819142

SHA512
f3796f194626ae0b49034f353188a4464096df3450e01dbc1c11e32d6f57e9f3dfcbbf5a3daae80512558f5e46284d96551fb2673a5b23f929e8fefdb7ea0aa4

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\aksusb5.dll

Filesize
83KB

MD5
ad417d60cfbe9c46507852273a8cbdc1

SHA1
c5e590667cd0b4b6e1acfa378952f794afe533a6

SHA256
514972afcd1d1f3792cba8434e7b1ac0a2bb04752597d2372882726d725e9b1d

SHA512
261106b9c76f3387fc61a5a22ae4f5a99233e636ca56051d4d278e55736a36f5d3e2177637440d3c3798a476c011b0de357356d0411da95f1d5a3cea26b01424

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\hardlock.sys

Filesize
1.9MB

MD5
a3b46f3b34f97c81fa956026769f0c39

SHA1
40e530c48c7a2797a11c0d38287e274e3df32b93

SHA256
1d3e3dc116eb68c6a22ef06d92c06ce9f650cb8fa772c623545d2b974f87520a

SHA512
e7f6687cf7bcb3d8757a0a1243facc4304df69bf1a9de41b34e15784b378ac9f9db487873ec74bd6ba79d4d52544e21e9fc78b888491195849b50acb70601b5e

Download Submit
C:\Windows\System32\setup\aladdin\hasphl\hlvdd.dll

Filesize
201KB

MD5
48f5fd0e76cc410b525f23ec8968357b

SHA1
e65bf34f3fbd2a35f0baf9a840fedd60ec327b3f

SHA256
587d166830beb63866394c3738c40931958cb1703b3be3dc035f8913ce3c816b

SHA512
9f4932e0159ac0a864c8cc77c027270aacef6789dac6669ed6a7b0d4e4e25584c420b1d48d47a2093c64395ec620e31736c2161628d01c0f3a7108a4e8a9b162

Download Submit
C:\Windows\aksdrvsetup.log

Filesize
1KB

MD5
93f34b19c02c52c2f7a7f01b9c94e51e

SHA1
3f9babae39053403e73bdc66dcb25af0bc3bbd9a

SHA256
fb073a080ff1a7f93f82c72cfd949fc699991233847fccfcf0069ac4b61b746f

SHA512
bae53c1fb9b920e19b1634ecf40e4698e53808a2e027bfcb3112d199e59cb11dcda613a5a27219f8554a8c3e18575015496d78630378565bbff5055758a5c361

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
20.1MB

MD5
c8ff9b6c213b0679f3f9d6ba207ac1bf

SHA1
37245b28b04f8c2b6340f68518f0f9d313db09cc

SHA256
528a20894b6eab090d24f733f55f3c11afa316a90a086ec1ae3cff342c51d558

SHA512
589c1dca1dd06c0c2f387cfd7416158851b53afe0e0e2922a143cfabbca9209c10896e5e5f71920a79e98e923f01ea7487521e697455948ee5de55f94197c6c9

Download Submit
\??\Volume{0e54dc8f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0633a9e7-9c1e-46b6-9620-dc48d5b96acd}_OnDiskSnapshotProp

Filesize
6KB

MD5
8b2b58a750f31d9290223e496d67ecf0

SHA1
36ff8851f07c54d872494ad65448552cba014cac

SHA256
4ae33dac03b57a01cd2dffed012e2caa280943fd0dd6f2ac0b08c062e2cfa62e

SHA512
333673629b4746ffa4c0c3edf1a6ca7f1d3cd956026aaf7749c61d11ad90b016fbc0f31e404f737fddc807426395d1e4ebfce8eff0ee1b165cc942a894019793

Download Submit