Malware Analysis Report

2025-01-02 08:00

Sample ID 240509-mngyhafg92
Target Setup.exe
SHA256 08e0b8a76cebb1a668f2ed3d1de76d13e38b6e41e98ed804599e4faa298eb3a2
Tags
privateloader discovery evasion loader persistence
score
10/10

Analysis Overview

score
10/10

SHA256

08e0b8a76cebb1a668f2ed3d1de76d13e38b6e41e98ed804599e4faa298eb3a2

Threat Level: Known bad

The file Setup.exe was found to be: Known bad.

Malicious Activity Summary

privateloader discovery evasion loader persistence

Modifies firewall policy service

PrivateLoader

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Loads dropped DLL

Checks installed software on the system

Executes dropped EXE

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Runs net.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 10:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 10:36

Reported

2024-05-09 11:32

Platform

win7-20240221-en

Max time kernel

170s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\475:UDP = "475:UDP:*:Enabled:NetHASP UDP" C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\475:TCP = "475:TCP:*:Enabled:NetHASP TCP" C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A

PrivateLoader

loader privateloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240509112949.log\" /passive ignored /burn.runonce" C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ce085a78-074e-4823-8dc1-8a721b94b76d} = "\"C:\\ProgramData\\Package Cache\\{ce085a78-074e-4823-8dc1-8a721b94b76d}\\vcredist_x86.exe\" /passive /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240509113000.log\" /burn.runonce" C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ioArt.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-IVBRE.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\avutil-55.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-8I0RA.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\FocusIndicator.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\Atik.Core.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\libiomp5md.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ArtemisSyn.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\io.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-6PQ9V.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ioPointGrey.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-1QMBN.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-76HT0.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-CKO42.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-NOK40.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-1O5JS.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-C62UC.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-EVGJH.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-HHRLG.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-COV8O.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-4ERNS.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ExposeControl.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-T0BD2.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-70A07.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-O7JLQ.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-PDE5T.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-IV4VI.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\haspds_windows.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\FlyCapture2_v90.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-8STBQ.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\PtGreyVideoEncoder_v90.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-NRSQ0.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-TOJSR.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\FlyCapture2_v140.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\lumenera.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\avcodec-57.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-PRPO4.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-H4M66.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\nhlminst.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\swresample-2.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\haspms32.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\hinstd.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\synsss32.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-RDMC2.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-3KREL.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-K9SJF.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ftd2xx.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\DMX.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\avformat-57.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\lucamapi.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\swscale-4.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-UGK81.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\en-US\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-KPGK6.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Microsoft.Office.Interop.Excel.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\PdfSharp.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtocolLightTest.exe C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\libtesseract302.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-J93GQ.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-59PC0.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-1KE45.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-GL0G0.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-9V49U.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\fr-FR\ProtoCOL3.resources.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3Spy.exe C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-0NN7Q.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-8LC9A.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-RGFNU.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-C3JEL.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Emgu.CV.World.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Analysis.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-AJA1E.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-TGHK1.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-MIJMJ.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VMV1R.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\GeneralMatrix.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.Bio.StoredData.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\liblept168.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-MF0LC.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-N94UU.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-7G0F2.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VNQ9O.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Emgu.CV.UI.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtocolButtonTest.exe C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-TO1C1.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-87Q8B.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\is-U7B65.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.ImageAnalysis.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\is-KU3D5.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-F1NA9.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-9DRTS.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\is-TOLN0.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\EPPlus.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\AntibacterialStripDetector.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-74S59.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-NQCA6.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-QC4NT.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-EM54C.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-3SG0D.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-04NS6.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\PdfSharp.Charting.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-1DP67.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VBUU5.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\ko-KR\is-9RGPM.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\is-4IL3T.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-C2AH7.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VPA4D.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-IK8SF.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-0OHS4.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\fr-FR\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\MigraDoc.RtfRendering.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\log4net.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\ProtoCOL3.resources.dll C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-QB8CP.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\ko-KR\is-OA17T.tmp C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940953.0\9.0.30729.1.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940843.0\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112940937.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76ae35.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112940921.1 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112940906.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\f76ae2d.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.1\9.0.30729.1.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76ae30.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\XLZ8JTEF\System.Windows.Forms.DataVisualization.Design.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.1\9.0.30729.1.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112940921.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2541.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940890.0\9.0.21022.8.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76ae30.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\181GTL1V\System.Web.DataVisualization.dll C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\Installer\f76ae2d.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940906.1\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940843.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940843.0\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90enu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940906.1\mfc90u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940906.0\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76ae33.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940890.0\9.0.21022.8.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940937.0\9.0.30729.1.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76ae33.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940906.1\mfcm90u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940906.0\msvcm90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940906.0\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112940984.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112940843.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940953.0\9.0.30729.1.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90esp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940937.0\9.0.30729.1.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940921.0\mfc90rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\S281FQQM\System.Web.DataVisualization.Design.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\AT5R2FFG\System.Windows.Forms.DataVisualization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112940812.0\atl90.dll C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc9redist_x86.exe N/A
N/A N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc19redist_x86.exe N/A
N/A N/A C:\Windows\Temp\{65BEE86A-CB91-473B-95E3-A6C2F7C2278E}\.cr\vc19redist_x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\f:\f79571ba686a42b73d4f582fc35ad289\SPInstaller.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\f:\f79571ba686a42b73d4f582fc35ad289\SPInstaller.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FocusIndicatorLib.FocusCalculatorPage\CurVer\ = "FocusIndicatorLib.FocusCalculatorPage.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1008EEB1-D863-4E4C-9ECA-1BD2C13C5276}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FEE82C3-DA75-11CF-9EC8-444553540000}\ = "IOStructuringElement Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0BFB758-5FDB-11CF-882D-444553540000}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28079A20-D575-11D2-B948-0080C8276C2D}\ = "IIOAnnotationEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{464CE70F-87EB-4A4E-ADD4-095C520854C2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7C476656-0797-4F99-886B-2CD0B9797885}\TypeLib\Version = "1.4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08B93C42-BAB3-424F-AF8A-D59338E96531}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOHistogram.1\ = "IOHistogram Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOStructuringElementSequence\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42D186E4-39C8-4E99-BA46-30D92A414F70}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FD2B08A5-50CC-491B-A1D7-E4433F3C65E9}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C0BFB756-5FDB-11CF-882D-444553540000}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BD0A292-626F-4b12-A1C6-FFB950653D1F}\InprocServer32\ = "C:\\Windows\\SysWow64\\ioPointGrey.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F4855B0-AECF-4FD8-9294-E80A60BD9C37}\TypeLib\ = "{95CBADD0-EE34-11D4-B386-0080C8D9F878}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lumenera.LumeneraCamera\ = "LumeneraCamera Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{878CF29D-B8CC-4124-84D4-DDF5EB3DC645}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{81D37D2D-0CDA-4378-9CBF-BCE82FBA7115}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28079A20-D575-11D2-B948-0080C8276C2D}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FEE82C2-DA75-11CF-9EC8-444553540000}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOBlobs\CurVer\ = "IO.IOBlobs.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FocusIndicator.FocusCalculator\ = "FocusCalculator Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55BB4041-A8D1-11CF-9EC7-444553540000}\VersionIndependentProgID\ = "IO.IOFile" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55BB4040-A8D1-11CF-9EC7-444553540000}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B23FE2-A814-11CF-9EC7-444553540000}\NumMethods\ = "23" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOImage.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C0BFB759-5FDB-11CF-882D-444553540000}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOVectors.1\CLSID\ = "{858B0163-ED5F-11D0-8808-0040950397EE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IODisplay.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C0BFB756-5FDB-11CF-882D-444553540000}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{325A17C6-60A1-11CF-882D-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{858B0160-ED5F-11D0-8808-0040950397EE}\NumMethods\ = "25" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8AE898D3-206B-4299-BA13-0CF2B8E94546}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOVector.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOStructuringElementSequence C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631B32B5-1D5B-4c15-8AAA-1932021C0A74}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E6006C0-C04D-11CF-AB39-0020AF71E433}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOHistogram.1\CLSID\ = "{C9D1B281-D58A-11CF-9EC8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{858B0162-ED5F-11D0-8808-0040950397EE}\TypeLib\ = "{C0BFB74B-5FDB-11CF-882D-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B23FE0-A814-11CF-9EC7-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5F47BFA-D64C-4CE6-B2CA-44FD8CDF1DB6}\Info C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOBlobs.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B23FE2-A814-11CF-9EC7-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4CEC008C-D9A5-11CF-AB39-0020AF71E433}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FEE82C2-DA75-11CF-9EC8-444553540000}\ = "IIOStructuringElement" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IOPointGrey.Camera\ = "Camera Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96F5EAC9-BEC4-11CF-AB39-0020AF71E433}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C0BFB74B-5FDB-11CF-882D-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\D20352A90C039D93DBF6126ECE614057 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOFileType\ = "IOFileType Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CAE70E8-CE5B-4C9A-ACDC-898858F490DF}\TypeLib\ = "{C0BFB74B-5FDB-11CF-882D-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3603690-D7DC-462C-A62B-6C645640A1AE}\TypeLib\ = "{878CF29D-B8CC-4124-84D4-DDF5EB3DC645}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{631B32B5-1D5B-4c15-8AAA-1932021C0A74}\AppID = "{A338F5A7-9E8D-48bb-BD1B-25BA88C6B7A6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CEC008D-D9A5-11CF-AB39-0020AF71E433}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C0BFB756-5FDB-11CF-882D-444553540000}\Version\ = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EAFE56C-D6A6-4BC0-BDB3-606AEE5B20B6}\ = "LumeneraCameraColourPage Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ArtemisLib.ArtemisCameraPage.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{325A17C6-60A1-11CF-882D-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B23FE2-A814-11CF-9EC7-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96F5EAC8-BEC4-11CF-AB39-0020AF71E433}\TypeLib\ = "{C0BFB74B-5FDB-11CF-882D-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F956166C-B960-485A-B091-6D507A1CB1D2}\1.0\HELPDIR\ = "C:\\Windows\\system32" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOVectors.1\ = "IOVectors Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9D1B280-D58A-11CF-9EC8-444553540000}\TypeLib\ = "{C0BFB74B-5FDB-11CF-882D-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeLockMemoryPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeMachineAccountPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeTcbPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeSecurityPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeTakeOwnershipPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeSystemProfilePrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeSystemtimePrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeProfSingleProcessPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeIncBasePriorityPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeCreatePagefilePrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeCreatePermanentPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeBackupPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeRestorePrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeDebugPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeAuditPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeSystemEnvironmentPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeChangeNotifyPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeRemoteShutdownPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeUndockPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeSyncAgentPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeEnableDelegationPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeManageVolumePrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeImpersonatePrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeCreateGlobalPrivilege N/A \??\c:\534f1e7eebf514bc488bbab9\install.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp
PID 2340 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc9redist_x86.exe
PID 2536 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc9redist_x86.exe \??\c:\534f1e7eebf514bc488bbab9\install.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe
PID 2168 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe
PID 2340 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe
PID 2244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe
PID 2340 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc19redist_x86.exe
PID 2808 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc19redist_x86.exe C:\Windows\Temp\{65BEE86A-CB91-473B-95E3-A6C2F7C2278E}\.cr\vc19redist_x86.exe
PID 2340 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\MSChart.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp" /SL5="$5014E,110133280,125952,C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc9redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc9redist_x86.exe" /QB

\??\c:\534f1e7eebf514bc488bbab9\install.exe

c:\534f1e7eebf514bc488bbab9\.\install.exe /QB

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000005A0"

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe" /passive

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe" /passive -burn.unelevated BurnPipe.{B1D9B05C-C968-46A7-B92F-C19E85746B63} {018618C6-5040-4525-958D-753FD2C71132} 2168

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005BC" "00000000000003DC"

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe" /passive

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe" /passive -burn.unelevated BurnPipe.{6085447E-82B1-45BE-894C-F5A34C22D28A} {40DAAAB1-D94F-4B87-A9F7-7DA21A9B7A9F} 2244

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "0000000000000000" "00000000000003DC" "00000000000004A4"

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc19redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc19redist_x86.exe" /passive

C:\Windows\Temp\{65BEE86A-CB91-473B-95E3-A6C2F7C2278E}\.cr\vc19redist_x86.exe

"C:\Windows\Temp\{65BEE86A-CB91-473B-95E3-A6C2F7C2278E}\.cr\vc19redist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc19redist_x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /passive

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\MSChart.exe

"C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\MSChart.exe" /passive

\??\f:\f79571ba686a42b73d4f582fc35ad289\SPInstaller.exe

f:\f79571ba686a42b73d4f582fc35ad289\SPInstaller.exe /passive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "net stop ArtemisHscServiceMonitor"

C:\Windows\SysWOW64\net.exe

net stop ArtemisHscServiceMonitor

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ArtemisHscServiceMonitor

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "net stop ArtemisHscService"

C:\Windows\SysWOW64\net.exe

net stop ArtemisHscService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ArtemisHscService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DMX.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\io.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\iograbberinterfaces.olb"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\FocusIndicator.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ExposeControl.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\lumenera.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\GenericDarkroom.olb"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ioArt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ioPointGrey.dll"

C:\Windows\SysWOW64\NET.exe

"NET" LOCALGROUP "ProtoCOL Admins" /ADD /COMMENT:"The administration group for ProtoCOL"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Admins" /ADD /COMMENT:"The administration group for ProtoCOL"

C:\Windows\SysWOW64\NET.exe

"NET" LOCALGROUP "ProtoCOL Advanced Users" /ADD /COMMENT:"The advanced user group for ProtoCOL"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Advanced Users" /ADD /COMMENT:"The advanced user group for ProtoCOL"

C:\Windows\SysWOW64\NET.exe

"NET" LOCALGROUP "ProtoCOL Users" /ADD /COMMENT:"The user group for ProtoCOL"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Users" /ADD /COMMENT:"The user group for ProtoCOL"

C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe

"C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe" /install

C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe

"C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe" ProtoCOL 3

C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe

"C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
N/A 10.127.0.255:1433 tcp
N/A 255.255.255.255:475 udp

Files

memory/2612-0-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2612-2-0x0000000000401000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-SLAEO.tmp\Setup.tmp

MD5 898d42b5939b4bbc6057c4a85c4e0cfb
SHA1 219fc6d4f8f82260f1a9194f262770e2b3509339
SHA256 acb1db9d7755b12718c02acc9d10660046fc39626e000f763e037a06e52719ea
SHA512 7c36c852e0b6288267a28323e34f60dd3c7799982def2c3e9d86848c3967ad64ad043ecfcef7a7eb3232739279cc53b0fd98945b7321647373bdc955ca410d43

memory/2340-8-0x0000000000400000-0x000000000052E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\_isetup\_isdecmp.dll

MD5 77d6d961f71a8c558513bed6fd0ad6f1
SHA1 122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a
SHA256 5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0
SHA512 b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

memory/2612-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2340-14-0x0000000000400000-0x000000000052E000-memory.dmp

memory/2340-16-0x0000000000400000-0x000000000052E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc9redist_x86.exe

MD5 5689d43c3b201dd3810fa3bba4a6476a
SHA1 6939100e397cef26ec22e95e53fcd9fc979b7bc9
SHA256 41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b
SHA512 4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

\??\c:\534f1e7eebf514bc488bbab9\install.ini

MD5 5feaa6a36fea7dfdb88c18d69ba6d6a9
SHA1 7afd91a7b046d68b6ee9fd367bcd7a4fec546216
SHA256 67a50ffbb8a1d500eaa4d9f0227d6a8595a2750154e6b31662fc4f51286e47fc
SHA512 6c8c0456f232a02a49d51b3f1a830a18b9078e621cd0dc3f4f76f79b83035e8affac67bce3af9a37fa9096a34a8499c59cf982b63a4b2400b9190d2db293e682

C:\534f1e7eebf514bc488bbab9\install.exe

MD5 33c9213ff5849ef7346799cae4d8ac80
SHA1 5421169811570171e9d2d0a1cdca9665273e7b59
SHA256 3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff
SHA512 da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

\??\c:\534f1e7eebf514bc488bbab9\globdata.ini

MD5 0a6b586fabd072bd7382b5e24194eac7
SHA1 60e3c7215c1a40fbfb3016d52c2de44592f8ca95
SHA256 7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951
SHA512 b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

\534f1e7eebf514bc488bbab9\install.res.1033.dll

MD5 8e97ea8a1ed69806232e8743f9a28706
SHA1 e911d3802e64f9be0e1ac68865bbcc92624d6a1f
SHA256 2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100
SHA512 aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

memory/2340-58-0x0000000000400000-0x000000000052E000-memory.dmp

\??\c:\534f1e7eebf514bc488bbab9\vc_red.msi

MD5 6e17361f8e53b47656bcf0ed90ade095
SHA1 bce290a700e31579356f7122fb38ce3be452628a
SHA256 8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96
SHA512 a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI07FD.txt

MD5 28877b65cf8ff377efe9c5cbf929b66b
SHA1 662d0c25693fa9160762f8f37ac33e99ea170acb
SHA256 b8e839d1facf4b1f08ae63ab63efb1fb4ef777783e6d36d946f69c0eb6116151
SHA512 0412c454aa9f15dc4faecb50345f922fcefe0a18b4f243586177d40efe62c708d88fdd37c9b891ca8d3870c052d8f4307afa1a96edcbce7dabc6930145da1612

\??\c:\534f1e7eebf514bc488bbab9\vc_red.cab

MD5 ecca3c1acb74cb73c600eabdd3f9c9d9
SHA1 f015759f623c377494a5996670204f1fcd0895e3
SHA256 43b7648183347374236296f2176c7c7da920da9c1a08adda761e12614efb299e
SHA512 2785b8e8cfc310ec114cee696c5b85900fc71186dcbf0c99a9c13f4f0fdcc9e9dd583c9d1fd82492a680efcd7071c3593b02b628bd947bc19b1302b931aca807

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc12redist_x86.exe

MD5 7f52a19ecaf7db3c163dd164be3e592e
SHA1 96b377a27ac5445328cbaae210fc4f0aaa750d3f
SHA256 b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386
SHA512 60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll

MD5 d7bf29763354eda154aad637017b5483
SHA1 dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/2340-236-0x0000000000400000-0x000000000052E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc13redist_x86.exe

MD5 99e3d99d8ed70ac88f59e31757ed3d62
SHA1 18f81495bc5e6b293c69c28b0ac088a96debbab2
SHA256 bbc26aca42cd311a0e1ea1356852f061d863af047f1891ac9952ab7e7cb8e04f
SHA512 34ff42d09d1738df912823fcb8c16ab28927415f736f0a49779f9eddf0e2fe36682fa3d021414b4751532b0d385aa513290f6c44c48936500c9a58b332fc147c

\Users\Admin\AppData\Local\Temp\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\wixstdba.dll

MD5 fb45cc1b78259a878ccc2247d4ceb68c
SHA1 0be045e040f9cffdc2baf021c320abcb471439be
SHA256 87644901a31aa7ee1f61e5906d225491846563eb4a53a302fa337c4ec25e3714
SHA512 c9fdb0019b3b0a7c5c97aa5ea880d7b1522496dc09b097f777233352589a43f2564c0a2fe4fbcfc95c9b70720e0ac1b97b369def65352302ab5a4863ab9fa43b

C:\Windows\WindowsUpdate.log

MD5 c5d1b3ec4b29cd4d7f169b687539ce79
SHA1 9cfaba3e370ab3740678c01ed7a14cd9548754c3
SHA256 3a760fc5b222678cd5bba763710deb09beee2cbf865c2c275a7cf51c41613516
SHA512 f35e641cdd3a6c73c2b3d490c721050aead69f27f6b11545f05edddbbd74b702d019ba56f1929687b06bbd8fb7b0c3d70247de2e8b66a6ff3c66b4ea482b6dfe

memory/2340-280-0x0000000000400000-0x000000000052E000-memory.dmp

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

MD5 ed8339dcfa1167a5042770c73a5641dc
SHA1 f6cf19c148f67c514eddc9946defe7c8eb5a36b5
SHA256 e9c480dd9637882b633d1e0b01431d27183b4f94be88d84c7b92c36ff9a342b1
SHA512 a96faff093ad21c6c4ee5a429073d8517dbe179e06178f0c589f1570b99029351eb38e86f8c24323d012fde4e4d43afc5bcf8526ab9d7085d06483e870ffa43c

C:\Users\Admin\AppData\Local\Temp\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.be\vcredist_x86.exe

MD5 e6d5fb03f157f33376e9d8a1055ed70a
SHA1 541add9491f98277163c822390d7c8da07754ae0
SHA256 52a0948253c8120a6e1f96f717978270bbd2d07c0ce46c5f2b8b8ffa7a967494
SHA512 51298ec2dde1d8ec6956cee8dce75572fc85217f49e071867a8a2987071e595db03bf1e1b8a4e7b5439d9383fc0daa89dedeb1573aba8ce32aa4c24bf28d1a75

\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\vc19redist_x86.exe

MD5 35b40b21383ac38487ceec8ab6e53565
SHA1 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256 caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

C:\Windows\Temp\{65BEE86A-CB91-473B-95E3-A6C2F7C2278E}\.cr\vc19redist_x86.exe

MD5 86123c033231dd7e427d619ddeefd26a
SHA1 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256 d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512 ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

C:\Windows\Temp\{02AEB245-F259-4DB4-A1C6-EB19A8614363}\.ba\thm.wxl

MD5 fbfcbc4dacc566a3c426f43ce10907b6
SHA1 63c45f9a771161740e100faf710f30eed017d723
SHA256 70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512 063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

\Windows\Temp\{02AEB245-F259-4DB4-A1C6-EB19A8614363}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Users\Admin\AppData\Local\Temp\is-U75HD.tmp\MSChart.exe

MD5 e7605df8e1a6ef547c2f77a304de8848
SHA1 776c876430e692c702a8eabed9c89d1ad94d5927
SHA256 95ca5aaa5e9b19dc55127bf89a32abec4f72c4ae03495e461d251a6ecfbeed92
SHA512 58c3ea86fb722bcbe074f634901650ec19262d47a42f9011fbae4e57fd80bdca797cd20d849f382da2671eb9eec52883a15a6ee017483d803c7aab46f029ac18

\??\f:\f79571ba686a42b73d4f582fc35ad289\SPInstaller.exe

MD5 075bfb4c71d2fb11b644eaabd8b64a01
SHA1 479b6189ca547e6e2926fca014561619766bf8d7
SHA256 2a99618b7d7416d86ea55dad961e785688979acb578ba85851c0b9a6dfe41a58
SHA512 9230dd2d4956edf6dffa179a0e22bef3ef8432f6d09291c8e3f9db82db5f49bf39fe4faf1ef58f41947085b4e8fe129c0a8919d584bc97d784cd8b320ad91665

\??\f:\f79571ba686a42b73d4f582fc35ad289\sqmapi.dll

MD5 89e2c7e8af95c3cd3209ed67837d882f
SHA1 def626501cf2d8bacfed0ef3c2f6137a6af0d138
SHA256 f19eaba1f8e6c28215d93481ddfa37767390500c70ea5cc06d747eb1132b41dd
SHA512 0b6155c1413ad48c4a1665a7aa87ec004e860c2da2d6cad96ec4b9436e9ff649e5cd807895730f2f49aecd5ba7a1f6bf83d0e47e58b504983033a2bd2ddc9a01

\??\f:\f79571ba686a42b73d4f582fc35ad289\SPInstallerEngine.dll

MD5 7c071bc63b58519d2712a13337055fc7
SHA1 e27822a2e785ba0b64d1b6f14035f2fe2ccf6eb5
SHA256 d89494e63910cfc528139a0304555577638da38b5258bdfd22aa86300e00fc8a
SHA512 fa86c69bd79bea703ac218ac5e4d3a18b2c9de66f29458e59f502708c4f28eb57743672c3bf20ec97eeed7bce99568a9290bbe46107d9ea968f46452fb41a66a

\??\f:\f79571ba686a42b73d4f582fc35ad289\DHTMLHeader.html

MD5 ed37a53d539007fec2ff78bbfc449ec8
SHA1 a59b06a2544e612b8c712ebb0e29705922704156
SHA256 b5f71fb8b34fb75a1a89251b5de3b22c25232ab84c6a392c85f738d75de86678
SHA512 921a5e8d68b39019657153b371cbce0fda8b842dca89889a4f11a8187344b2ada74dbf863f8d0f9a9dc7837af11c7e0f94cc5a8fba0d5e8c449758482af8adf9

\??\f:\f79571ba686a42b73d4f582fc35ad289\ParameterInfo.xml

MD5 8d82e881132076df04aa63ee0469017d
SHA1 941214a5e8082f5dae9fc61dcfe2737045fdc7b0
SHA256 e1ad3bdb0caeca027126cb8925f19efb504444a12a000a99e97a4bd75290f89b
SHA512 049345de531f5f5b47aa5ae2aa3f4a90e1ba0f91c24a8e94fdcf5f0e4b5e07ec76c7ce1f6fb47ee36616900df455458576225c0a7bd23025315853c5b9ace19d

C:\Users\Admin\AppData\Local\Temp\HFI23B7.tmp.html

MD5 0be8c0435cb8184edb6331e448d455e1
SHA1 c4000cd80117614810a2bdd4f89c3f0e3b2c8f18
SHA256 b2c971a0b16896e36f915e37ff5bb14d6e9e0b786ac3c992498904e5d68c9eae
SHA512 67ffaef867cd32ec1852a99cd0863d23cff3ecfb0b275738e6d95e41f0cc3340907a3e4ce775d9828846e64ae28d9c8f663279ac9894146597a402a421799185

\??\f:\f79571ba686a42b73d4f582fc35ad289\1029\SPInstallerResources.dll

MD5 32559ef0dcfd6e98a4654a6156b24806
SHA1 f9eaac20f7dbc25f365e251313e06250999cc04f
SHA256 61dd0492f273cf211ea3d045ef6e5fe2c460462026ba9f39e18db4f4bbaa52aa
SHA512 b56e9ddd20c186272771bf38dfc06c71be9457395cd03dba37225bbb46ef1e494bf818903b33f280034c349ed7da817391ffd1676710fac641eec2e6dbed527d

\??\f:\f79571ba686a42b73d4f582fc35ad289\1043\SPInstallerResources.dll

MD5 a3dacc8620132fa42db21edaf10e39f0
SHA1 97b35a7081c2e0ae922ddb10c824376537ce88d3
SHA256 b67120dc578df6c16fd737d30a4e8a02158199459add46b9d69d606989276695
SHA512 d57b6c56a6068f931a0a51e61dbec7a84f227e040626ec8cd7e87c34e64dd8e178962bcfed20d4ad1bbdd23917d3c474495ea49e885efe1a6b464d588127c509

\??\f:\f79571ba686a42b73d4f582fc35ad289\1042\SPInstallerResources.dll

MD5 3d0c839bf757d90fb9fdd8f23a91f5e9
SHA1 6e87a85cd5314695e1874b2f91d4c4f58767d30b
SHA256 0f7eb179bad25e47322043f9769233660d15c4007e36d0baf9e3905a6044491b
SHA512 d2e40386e176ac8d79253b831b07e8cf37ec3283ccaad614909a38fc45b247cb5cc8ef94d9ae810c2dd944eda9ea96b7e48f661c1e35fba14d4400bbcfecd8a0

\??\f:\f79571ba686a42b73d4f582fc35ad289\1041\SPInstallerResources.dll

MD5 15f465dcab7b2005038dade9e51a2bfc
SHA1 e02ed7861b8fb78325d785ec0ac630cda0f81c2b
SHA256 f66abb970a9aa170796e306cce45caade1cbfc156953ea6490fa34e263a0a319
SHA512 18f4ceec94704839646bd1f45a18221539efa6e13ff4cd2fb819d8f760703e21f3d02e3f8d706f86704332bc310a87a415008692c0c95e4fd7971185e8993e21

\??\f:\f79571ba686a42b73d4f582fc35ad289\1040\SPInstallerResources.dll

MD5 472ac29c84c74a424d5161a4b0745dae
SHA1 77652533721c8f4301d1a5364746f86b251b0a59
SHA256 5cc73eca5799c78314f0fecb28e85c38e382a1e1c994e6eb64f19856e5e3c6ce
SHA512 59294338ba226d0d79c19eb082d3fa20488b91ed798cbd40f00b3c63e4a54929817a2cda36e2810213718d6c807a0c16c108e180dd65af45420530493efecef6

\??\f:\f79571ba686a42b73d4f582fc35ad289\1038\SPInstallerResources.dll

MD5 5d00ca12e7ec50e8188abb8807baab87
SHA1 82ec3c52fb6ede26e4ac070fe434ebfbd999d2ce
SHA256 897ec707e9295b352bb631b624f3d11beffd815b6f2d6ab0605eef70039dd11e
SHA512 6255935592ec686d34cb8695f81e1f6040b20fab3435ea6d21f156d91632ca36ecc865450ecce899bea46867d4104088a82645805ead0400b890c03368090d15

\??\f:\f79571ba686a42b73d4f582fc35ad289\1037\SPInstallerResources.dll

MD5 57b8b21ce63c136af37052552540af4a
SHA1 063958e5e79bfc5642bd0f629b4e11dd88625ea0
SHA256 27595b089380a1a9ec9c12be7efb3dffab5ece938602741af3d64128cdf2fb0b
SHA512 f49a1364e6b2c3efdcd37830902a72d4f772656815cc28ac1ae34ff1a20911cfda9c85115c217021dd1dacab9d90333e83cabdbbcb3089d45b27ec126e59b3d4

\??\f:\f79571ba686a42b73d4f582fc35ad289\1036\SPInstallerResources.dll

MD5 8c4d826ca9f7361cd0692c132a666f4f
SHA1 eb68ead34940e3ffda2bf4bc6e1bcc4115482720
SHA256 fbfd9ba5d045af4963f3ffe3c81a36b49c569f4283b131cb7273ad86c40b759f
SHA512 e27e908ef4de78ac22e49c4cc3fce3a708d3ee6c667e26fdc9f0247b2b0c860d90c0a655eff92a44fa35e6a4026d1b10eab9422c107290af46f0445ce6f54f7d

\??\f:\f79571ba686a42b73d4f582fc35ad289\1035\SPInstallerResources.dll

MD5 8fd2563faf57f2b92dfaab55d0a77c6e
SHA1 5f6737ca593e5f74684680cdd3bba2fd30aac821
SHA256 55959f45f03065a69364fa92d048a292fa9bcad4172bca5ce145193f75b80b24
SHA512 722f68631f1ce3cbe668e9b61607eedf00dde3a31995821a7e71b5ff43863f09861acc88986e638dc4e030f2a26f955cde9fa368421e71d15c4d4f42bfb0e5c5

\??\f:\f79571ba686a42b73d4f582fc35ad289\1033\SPInstallerResources.dll

MD5 34d54153af0e303291796916359d9cec
SHA1 3eb3aa7ca91031a8ed530260edd94cac40d2ed1e
SHA256 286d22dfe8b8e0a66988a0d22d7ebe72ffd8051f4c63817951300d5f97d40131
SHA512 019202b9fe7e3dc377402eed8ef0e171a861bcf7de1967f50d08f272686e1c13391ea3d64628efba1945402971c150639b94a3b30a6e18b58c71323f6165ad8a

\??\f:\f79571ba686a42b73d4f582fc35ad289\1032\SPInstallerResources.dll

MD5 f704da575f66e0dc048a5d7339e31ebe
SHA1 0e916ca4e1d5a7a1ebaf13f05b1b0723033b084d
SHA256 65f3ade9567fbc1aa53d9a519d34e71a5e686cd002f7d4eeec4c7e7bbcdd6609
SHA512 3be0508e9b0f8a0b543658b2724465492e33d2f82475c7994ec103501d3eab68f86e72542796869929623f6e0045b3688bfbe05c922a3dced17607a7a9a4e8ce

\??\f:\f79571ba686a42b73d4f582fc35ad289\1031\SPInstallerResources.dll

MD5 a56847d3faf3b173533b182f211f0cc8
SHA1 16d13c1c8ba934962764a0af19aa06e1a144c99d
SHA256 6205dfe7c2745a002f1be3fb41396f29806b3ed5e8070852eb50cff3a49c1153
SHA512 2edd51edf5022509fa6205cdd07853ee562b89e305587b4027cd090d2c6b3c30614bd7df01edd74220de99cc5e64efc8be837f36e29f67414c16887dffc04710

\??\f:\f79571ba686a42b73d4f582fc35ad289\1030\SPInstallerResources.dll

MD5 9c2e2c99305ccba94c1365b9257023e3
SHA1 a2463a0c29b3ae7322918a8f1af801872be8dec1
SHA256 dbc71f4a8b49df9163d1c754195530997acf154dbce53945c553cd55d0f31266
SHA512 87e824a0623a782588ca29e04de11cadaa706363bc4e6e7f9f03b89ce467a4eee2f0f7052ea3327eb54998401089e12c5d937bdbce28a468cfff4a07674c2a4d

\??\f:\f79571ba686a42b73d4f582fc35ad289\1028\SPInstallerResources.dll

MD5 d9f240d725b70875a393d743598dfb2a
SHA1 427fba25a3365703b089444b3eaabf99c01d7ccb
SHA256 7eea9bd7127229feba8e5b8361a33baeb4722ff42726b99a073017df6bfd41be
SHA512 c4f636c6c23ea47200783c98440614334b28b9b98b392fe7498185f66f4cafe5721e9bcc05ac310e3d101595b32862b252ec930a758b1c99384a18aeaf684056

\??\f:\f79571ba686a42b73d4f582fc35ad289\1025\SPInstallerResources.dll

MD5 4cea15e2da2d63993363ff4f4d6e7c48
SHA1 5d753d5b72abfe1ca202ad8ed4db60da9d5ae0bf
SHA256 3a95d2f43ce9727cfc61b68f27f2217e9098e793f01ea1439de62005bbdb55d6
SHA512 71700bc823dcbc8333550dab555acfa42bb4a7d6eb15564fb639bfa829b56f8549be125c5679c9f65db9b958c8f924504cae1c8c5ac1377307fd76aa504bd5c7

\??\f:\f79571ba686a42b73d4f582fc35ad289\UiInfo.xml

MD5 bcd1b1b5fd79f3be496c430480a72096
SHA1 db0a33a1c11c65e9b7a7960ae9737b87f2ef6406
SHA256 918d468ecc579e74209643b4a1e16afa5b918b1c3b2fb509ac4c5d01a24aed0e
SHA512 a15d831023d4204070137a9381280880236c916369b41b0a6c444c334b10680df45756554dcc97a65a6a88dd5ca67672803baa9ea14513fa357c2a98c371385f

\??\f:\f79571ba686a42b73d4f582fc35ad289\SPInstallerUi.dll

MD5 c99e0fa0933efc3658dd02525b43fdd7
SHA1 3cdd7b8d22f2d8519f5544b7f12ac30a2268a5b9
SHA256 7eaf337bcb544eaa50b46c114cfde2d21954299e5b84fade03dc37c15d1b00ab
SHA512 9b4187863e7057e1f250ed1e0a616e2a4746b11ef4f0ae4b017d2c2cf7dab23de030e12f54ca74edb18427bd009d03e465b6687603344ccab9bd2f3f8aa3772f

\??\f:\f79571ba686a42b73d4f582fc35ad289\LocalizedData.xml

MD5 60194fff32d63effec5a298a3de26da1
SHA1 f149a86d77e56127b9a3721e85e69066638ed92b
SHA256 66a4a89410cba0b00035e0356120187c1aaf0e2a13787811a782a26d1a832c1d
SHA512 d2bd136593267f0ef9c8a31ea243f5020d56cbbfc2d4f66de8340aeab4eefd42e2c3f85888736d20623fe365ceb735d6554547fbb7c19d1ee76cf25796327c05

memory/2436-493-0x0000000003E90000-0x000000000403A000-memory.dmp

memory/2436-497-0x00000000013C0000-0x00000000013D8000-memory.dmp

memory/2436-501-0x0000000004040000-0x00000000041F0000-memory.dmp

memory/2436-505-0x00000000013E0000-0x00000000013F6000-memory.dmp

C:\Windows\assembly\tmp\AT5R2FFG\System.Windows.Forms.DataVisualization.dll

MD5 4eb366f068876656057fccb2b5360fdb
SHA1 5ca25be2e5fd5205971c931c30ee52bd1855ed05
SHA256 9d193f4ac582a024e9c8a386717944e82d281e30b30bd1b3b4d015dcb52a5d56
SHA512 177a0c7f8ac5526ca8622447816412a91c2ff1c6933b6f67bfe3bae4aa9cafd81b787bbc8df106ae96167f1e6f1cdf63ab7b3ed81f9a1370f23af05259abe7dc

C:\Windows\assembly\tmp\181GTL1V\System.Web.DataVisualization.dll

MD5 6502f885536ef34d3011acec9021b4a2
SHA1 4ae4723cd4c36c82bf85737580ac29832756a871
SHA256 ee4b416f47e919459134253dc7429993a3f33bb31fad9e6fb95a16bf4fd3995d
SHA512 e6d68d84c51b11c874eda91a49d67a0ebb4f2221e4531c1aa971178978deb08a16914c7a97e4b8a85af8642aa7ef50b1b4a87ada51d09cdb3e959c5d08106602

C:\Windows\assembly\tmp\XLZ8JTEF\System.Windows.Forms.DataVisualization.Design.dll

MD5 f9ce119437c7c56eda862b412f5b7dfd
SHA1 092dfc99d44b3d1ff9ef2af7e2a80b7941ff0131
SHA256 49248d90a581d2e9933b1013b7f2aef8346f6da297851c9215ac45f8fe9fd857
SHA512 c8ba2f65c040946c26657d4e939ff2b069b806c6adde938a1b5971432df6b3796abb23c1bf9722b1e1483480fa488a42642b71c1e71d909a57d134088eabf620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

MD5 cbbfa01222199a57014fe77917e33314
SHA1 43254c09e65a5dabee9eb323aba9ae6734aed030
SHA256 d0c58f118aa7b9c8a823bad4c8c5611c99ee7a14084c05853e7c10052881df52
SHA512 452781109a543898d8fc7b9f9d10f6c63dd611e63b0eb3e1aaa94cee024cb5967c3e10f21cf8f734172bc178a1d84211dc729571bb4ce348a00cb5d216ee96b3

C:\Windows\assembly\tmp\S281FQQM\System.Web.DataVisualization.Design.dll

MD5 68921811aae9fc8c544274a580369483
SHA1 8f113e1f286c43d8037d58d7047ffc9196e12e05
SHA256 41552906188914f8b781315751ed105acc8ccbdcd160baecb7f88ce4caf23923
SHA512 fb6fe53638b02b6a326ace5dd506302a8b5c32f728a99e4725a701b069605f2f1b3e8ef6d0bf870dcc248fa72c109f0d9a509ae7cfbf4ba17f9bac50e6c970cd

C:\Config.Msi\f76ae34.rbs

MD5 716384cdc5a0697c35aa229a93db13a4
SHA1 2d788d2a764a419aa573366cf8f7fe2c595e0abe
SHA256 2bf0f04509c40f0277adb7d4d647ed3903595e243e037feab35c76ef850b0c92
SHA512 b5dd9e03d4ca2d9ace856225e52444eb2dac6ab125678cc185d9f3f8c05f97340a218a40ca39af0c9656f7c7c30c2282819a3dc7026ca4a68f013bfb2a3daf3c

C:\Windows\Installer\f76ae30.msi

MD5 a497584d5356ece498183eaf9fb353a3
SHA1 a0d1400b0ee1492b96d5d15972050500a0a7f7a2
SHA256 13c8e09908cc076d93ec3f7ade0b9127fc9d38763ea90f8a5d83c57d835c2582
SHA512 e694c97baa54a642df34385e720f1658392dd7bf87a4d8b0d5332ff41c6b1577d452041e90edaf0b8b459a4da6f867102f5c0cb9273091a806a504f7e07b0152

memory/604-618-0x0000000074A90000-0x0000000074B23000-memory.dmp

memory/604-619-0x0000000074770000-0x0000000074794000-memory.dmp

C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe

MD5 827af659355b680117fdbdc542edc328
SHA1 2197dd695f2e561387665caa512b3113312d8c7a
SHA256 b617e1f86ef1df71f60811340ed1160cacf69399e7736d641ee9095c1477ac0c
SHA512 dddf5940607cad8f68e0f581ae14b0c734089587d082afa3c92aa6109b46b7c11e9c362047ffa70799bc20ab39ff0fbcd85c0168d18af64922ccf832f95ec11b

memory/2340-919-0x0000000000400000-0x000000000052E000-memory.dmp

memory/2408-937-0x00000000001A0000-0x00000000001D5000-memory.dmp

memory/2016-940-0x0000000002210000-0x000000000317F000-memory.dmp

memory/2016-941-0x0000000003180000-0x000000000324C000-memory.dmp

memory/2560-947-0x0000000001210000-0x00000000016B0000-memory.dmp

memory/2560-948-0x0000000000440000-0x000000000048C000-memory.dmp

memory/2560-950-0x0000000005BD0000-0x0000000006000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab35FE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar36CC.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b86c5fd65ac31408644c18c2760ce4b3
SHA1 d1fe8a52fc33a2d9baa111d0190c7edf413dae0f
SHA256 4ff7cd1a1a0505f9bfa4a214c69455fede707afd44717830172ffcfda61349fa
SHA512 80c1c741132a76b7c0a938f44cc9a4284534638763e58588b8aeeff01174f993d9fc4ad55eb4e97d3228e955d87c848b6ce95c09c395185a4ef84b2c1ed8d377

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar37F1.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2560-1176-0x0000000005980000-0x00000000059A0000-memory.dmp

memory/2340-1178-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Program Files (x86)\Synbiosis\ProtoCOL3\InstallWizard.exe

MD5 99ddb833d182bd2f2f8087b8dbe766d9
SHA1 a9bb4b088e9ab5222f87e1c291d5ad850314cfd9
SHA256 5c867934c1e41fe546127795f13e0a993111bd847d33702960e23703d5f3c3b8
SHA512 4322606f53fa3dced7ee88ec880dde2d6daf970e6c5582ea94e1928c088d6bf3723568ebf6c7255cb042543b3450d4f78129624fa44a4a3dd71dd28a3feda4e8

C:\Program Files (x86)\Synbiosis\ProtoCOL3\nethasp.ini

MD5 7bf9b43947d9415d2e0a723ab7322401
SHA1 8d4e3ef40c94e16264a7271a3ea66fd44c90a367
SHA256 c16460e830c1fd4c6864502a101c3ccd028d5d05d07ace3aff6e671844f79a81
SHA512 1a3802e6dae146feabe5b833e7adbec58157db20b98733ce8137ddbfb34ebe75be5efd761776eecb3775c61b77943113ce6d20d5a0d19a9776ae6daccf91d240

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 10:36

Reported

2024-05-09 11:32

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

PrivateLoader

loader privateloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240509112939.log\" /passive ignored /burn.runonce" C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ce085a78-074e-4823-8dc1-8a721b94b76d} = "\"C:\\ProgramData\\Package Cache\\{ce085a78-074e-4823-8dc1-8a721b94b76d}\\vcredist_x86.exe\" /passive /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20240509112941.log\" /burn.runonce" C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\DMX.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\PtGreyVideoEncoder_v90.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\haspds_windows.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-HK92A.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-PBQ5A.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-IU2O5.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\avcodec-57.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\lumenera.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ioPointGrey.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-B606M.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\io.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\swresample-2.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-CF33M.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ftd2xx.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\nhlminst.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-29V1E.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-V593K.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-I5JKK.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-BPV1C.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ExposeControl.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ioArt.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-8EBN3.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-398G6.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-74QB7.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\avutil-55.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\hinstd.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\libiomp5md.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-18VCM.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\FocusIndicator.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-SQB9T.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-DUGLT.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-1BI2Q.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\FlyCapture2_v140.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\ArtemisSyn.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\lucamapi.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-6E94R.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-I6D79.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-FF2HL.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-DRTSO.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-6IVED.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-OD0V0.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\Atik.Core.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\avformat-57.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-0EV9R.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-HBD75.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\FlyCapture2_v90.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\swscale-4.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\synsss32.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Windows\SysWOW64\haspms32.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-444MP.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-7OD3M.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-O28KQ.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-KBE1A.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-3MHNT.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-COKLH.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\fr-FR\ProtoCOL3.resources.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\zh-CHS\ProtoCOL3.resources.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\zh-CHS\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-RMQVT.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-38U62.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VA0LQ.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\is-IQ4H1.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ko-KR\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\en-US\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3Spy.exe C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-QV5HT.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-25KHI.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ExcelLibrary.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VCQIC.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-HDH9E.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-RCJ24.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\x86\liblept168.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-MGR64.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\PdfSharp.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\PdfSharp.Charting.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\cli_basetypes.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-3QRNG.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created \??\c:\Program Files (x86)\Microsoft Chart Controls\Assemblies\System.Windows.Forms.DataVisualization.Design.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ReportLibrary.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\EPPlus.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-9ETMD.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created \??\c:\Program Files (x86)\Microsoft Chart Controls\Assemblies\System.Windows.Forms.DataVisualization.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\GeneralMatrix.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-SS5SK.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VSHCR.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.DMXLib.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtocolCameraTool.exe C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-QSNCI.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\is-D98BF.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-H0NGG.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-27MAH.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\ru-RU\is-IKQSE.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-C8EF1.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-3PRAO.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-UDOBV.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ja-JP\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-Q6ME1.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-C78A7.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VROUC.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-NSS5S.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-02INH.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-LUUV0.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-V9MLN.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-0HPLE.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\MigraDoc.RtfRendering.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-5RB8F.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-RUN07.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-VVU0L.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\Synoptics.Controls01.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\fr-FR\Synoptics.resources.dll C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-4JA5L.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-J77VQ.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File created C:\Program Files (x86)\Synbiosis\ProtoCOL3\is-HLD5F.tmp C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
File opened for modification C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927072.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\e57d0d2.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{9A25302D-30C0-39D9-BD6F-21E6EC160475} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927088.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927103.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927134.0\9.0.30729.1.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927072.0\9.0.21022.8.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927088.0\msvcp90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927119.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.1\9.0.30729.1.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927150.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927134.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{41785C66-90F2-40CE-8CB5-1C94BFC97280} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfc90.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90fra.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfcm90u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\8A23OZLL\System.Web.DataVisualization.Design.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927056.0\atl90.dll C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\Installer\e57d0d1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927150.1\9.0.30729.1.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927103.0\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfcm90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1AA8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\94798G57\System.Windows.Forms.DataVisualization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\XGMS1MWW\System.Windows.Forms.DataVisualization.Design.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927056.0 C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\Installer\e57d0d2.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\tmp\WBW3UUCV\System.Web.DataVisualization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927056.1\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927088.0\msvcm90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927056.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927056.1\vcomp90.dll C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\Installer\e57d0cd.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927056.1\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927056.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90esp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\mfc90chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927134.0\9.0.30729.1.policy C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057\9.0.30729\FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927088.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\e57d0cd.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927088.0\msvcr90.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\D20352A90C039D93DBF6126ECE614057 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927056.0\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927150.0\9.0.30729.1.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927103.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927103.0\mfc90u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240509112927150.1 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID39C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927072.0\9.0.21022.8.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240509112927119.0\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03.cat C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp N/A
N/A N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe N/A
N/A N/A C:\Windows\Temp\{897C4252-F799-4486-92FA-14C2366DFE88}\.cr\vc19redist_x86.exe N/A
N/A N/A \??\c:\4a051f497f7543617520ac\SPInstaller.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\4a051f497f7543617520ac\SPInstaller.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\4a051f497f7543617520ac\SPInstaller.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4CEC008D-D9A5-11CF-AB39-0020AF71E433}\VersionIndependentProgID\ = "IO.IOPoint" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOColorStatistics.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BFB758-5FDB-11CF-882D-444553540000}\TypeLib\ = "{C0BFB74B-5FDB-11CF-882D-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39D6207C-6D26-11D4-B35E-0080C8D9F878}\TypeLib\ = "{95CBADD0-EE34-11D4-B386-0080C8D9F878}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD2B08A5-50CC-491B-A1D7-E4433F3C65E9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59B23FE2-A814-11CF-9EC7-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CAE70E8-CE5B-4C9A-ACDC-898858F490DF}\ = "IIO3DDisplayDraw" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF0F4952-D2E9-4175-87FE-6FE90180AD52}\AppID = "{73FB929C-6F2C-4EA4-90EF-34FC172D7DD8}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C755DFC9-ED9D-48C0-AF7B-CD8258563DB4}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64E3F5AD-92CD-4C33-9239-A1D4A766AA94}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EA90F61-EBA4-11CF-9EC8-444553540000}\ = "IOColorStatistics Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8102DCBF-1143-4358-830B-CC961E2E3D13}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27FCFFD3-942C-4FF4-86B8-9DD716AF22EF}\TypeLib\Version = "1.4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lumenera.LumeneraCamera\ = "LumeneraCamera Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOPoints.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EAFE56C-D6A6-4BC0-BDB3-606AEE5B20B6}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{E88B860B-0E6B-4DAA-A443-84EF57C55C3A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73781EB2-4FF5-4F9A-A43B-78D923B80B10}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C0BFB759-5FDB-11CF-882D-444553540000}\ProgID\ = "IO.IOImage.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7275760-F05C-11CF-9EC8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63EA5BB8-3F41-4ECD-9338-EE8A64A1E592}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{683D6E19-BEEF-4A73-9A51-4B93ECAB6EB4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08B93C42-BAB3-424F-AF8A-D59338E96531}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5535384A-2432-454E-9450-D147180CA3A4}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3777908-3350-41DB-8292-5AAD41A4F26D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8AE898D3-206B-4299-BA13-0CF2B8E94546}\TypeLib\Version = "1.4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FocusIndicator.FocusCalculator.1\CLSID\ = "{5535384A-2432-454E-9450-D147180CA3A4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{04EAC770-E24A-11D4-B37E-0080C8D9F878}\TypeLib\Version = "1.4" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{858B0163-ED5F-11D0-8808-0040950397EE}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5535384A-2432-454E-9450-D147180CA3A4}\TypeLib\ = "{878CF29D-B8CC-4124-84D4-DDF5EB3DC645}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57F82446-0C90-11D5-9E9B-0080C8ECB1E3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EA90F60-EBA4-11CF-9EC8-444553540000}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOColorStatistics\CLSID\ = "{4EA90F61-EBA4-11CF-9EC8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{325A17C6-60A1-11CF-882D-444553540000}\NumMethods\ = "25" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F8267752-4AB6-4D3B-A4D9-693A4EEEC82E}\ = "IIOLensControl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOPoint.1\ = "IOPoint Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.30729.1",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 4500600029005600590027002d0046005a0036005e00620076007a0072004f00520068005b004d00460054005f00560043005f005200650064006900730074005f004300520054005f007800380036003e006b0027005600490037006f00520050007e00370055003d006f0029006d00730026002c003300420000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D20352A90C039D93DBF6126ECE614057\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOPoint.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D186E4-39C8-4E99-BA46-30D92A414F70}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D186E4-39C8-4E99-BA46-30D92A414F70}\InprocServer32\ = "C:\\Windows\\SysWow64\\ExposeControl.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64E3F5AD-92CD-4C33-9239-A1D4A766AA94} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0044421-FA07-4EA4-85C2-444B0639AFEE}\ = "IIOGrabCameraID" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FocusIndicator.FocusBar\CLSID\ = "{E3603690-D7DC-462C-A62B-6C645640A1AE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4CEC008D-D9A5-11CF-AB39-0020AF71E433}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CB56E7C-8FBA-44B7-AC5C-0E3643A2F8E0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59B23FE0-A814-11CF-9EC7-444553540000}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EAFE56C-D6A6-4BC0-BDB3-606AEE5B20B6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F8267752-4AB6-4D3B-A4D9-693A4EEEC82E}\ = "IIOLensControl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F956166C-B960-485A-B091-6D507A1CB1D2}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOVector.1\CLSID\ = "{B7275761-F05C-11CF-9EC8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOAnnotations\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C0BFB756-5FDB-11CF-882D-444553540000}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28079A20-D575-11D2-B948-0080C8276C2D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30EF06CF-2101-4A07-BED2-C9314346ADA6}\TypeLib\ = "{95CBADD0-EE34-11D4-B386-0080C8D9F878}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IO.IOAnnotation\ = "IOAnnotation Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Lumenera.LumeneraCamera.1\ = "LumeneraCamera Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B21954DF-C555-11D4-B373-0080C8D9F878}\Categories\Cameras\ = "Cameras" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F8267752-4AB6-4D3B-A4D9-693A4EEEC82E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1008EEB1-D863-4E4C-9ECA-1BD2C13C5276} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59B23FE1-A814-11CF-9EC7-444553540000}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D6207C-6D26-11D4-B35E-0080C8D9F878}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42D186E4-39C8-4E99-BA46-30D92A414F70}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\ExposeControl.dll, 101" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F47BFA-D64C-4CE6-B2CA-44FD8CDF1DB6}\Info\Type = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = (binary certificate blob not shown) C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeLockMemoryPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeIncreaseQuotaPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeMachineAccountPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeTcbPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeSecurityPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeTakeOwnershipPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeSystemProfilePrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeSystemtimePrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeProfSingleProcessPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeIncBasePriorityPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeCreatePagefilePrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeCreatePermanentPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeBackupPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeRestorePrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeShutdownPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeDebugPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeAuditPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeSystemEnvironmentPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeChangeNotifyPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeRemoteShutdownPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeUndockPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeSyncAgentPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeEnableDelegationPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeManageVolumePrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeImpersonatePrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeCreateGlobalPrivilege N/A \??\c:\baae18ae73fa398b245866\install.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp
PID 1212 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc9redist_x86.exe
PID 1564 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc9redist_x86.exe \??\c:\baae18ae73fa398b245866\install.exe
PID 1212 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe
PID 848 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe
PID 1212 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe
PID 4136 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe
PID 1212 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe
PID 868 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe C:\Windows\Temp\{897C4252-F799-4486-92FA-14C2366DFE88}\.cr\vc19redist_x86.exe
PID 1212 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\MSChart.exe
PID 2296 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\MSChart.exe \??\c:\4a051f497f7543617520ac\SPInstaller.exe
PID 1212 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2636 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1212 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4788 wrote to memory of 1416 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1212 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1212 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1212 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1212 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1212 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp C:\Windows\SysWOW64\regsvr32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp" /SL5="$8011E,110133280,125952,C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc9redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc9redist_x86.exe" /QB

\??\c:\baae18ae73fa398b245866\install.exe

c:\baae18ae73fa398b245866\.\install.exe /QB

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe" /passive

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe" /passive -burn.unelevated BurnPipe.{934C1F13-F3D8-4E56-A1BB-1DEB1130E9B9} {19C77368-7F0B-4F78-BF9E-879E4CDC1225} 848

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe" /passive

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe" /passive -burn.unelevated BurnPipe.{D76531FB-ECA7-4E02-828E-0ACAA6A771D7} {97B1AB6D-97ED-4CB9-A6BF-309BE1B2823E} 4136

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe

"C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe" /passive

C:\Windows\Temp\{897C4252-F799-4486-92FA-14C2366DFE88}\.cr\vc19redist_x86.exe

"C:\Windows\Temp\{897C4252-F799-4486-92FA-14C2366DFE88}\.cr\vc19redist_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /passive

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\MSChart.exe

"C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\MSChart.exe" /passive

\??\c:\4a051f497f7543617520ac\SPInstaller.exe

c:\4a051f497f7543617520ac\SPInstaller.exe /passive

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "net stop ArtemisHscServiceMonitor"

C:\Windows\SysWOW64\net.exe

net stop ArtemisHscServiceMonitor

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ArtemisHscServiceMonitor

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "net stop ArtemisHscService"

C:\Windows\SysWOW64\net.exe

net stop ArtemisHscService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop ArtemisHscService

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DMX.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\io.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\iograbberinterfaces.olb"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\FocusIndicator.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ExposeControl.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\lumenera.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\GenericDarkroom.olb"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ioArt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\ioPointGrey.dll"

C:\Windows\SysWOW64\NET.exe

"NET" LOCALGROUP "ProtoCOL Admins" /ADD /COMMENT:"The administration group for ProtoCOL"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Admins" /ADD /COMMENT:"The administration group for ProtoCOL"

C:\Windows\SysWOW64\NET.exe

"NET" LOCALGROUP "ProtoCOL Advanced Users" /ADD /COMMENT:"The advanced user group for ProtoCOL"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Advanced Users" /ADD /COMMENT:"The advanced user group for ProtoCOL"

C:\Windows\SysWOW64\NET.exe

"NET" LOCALGROUP "ProtoCOL Users" /ADD /COMMENT:"The user group for ProtoCOL"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 LOCALGROUP "ProtoCOL Users" /ADD /COMMENT:"The user group for ProtoCOL"

C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe

"C:\Program Files (x86)\Synbiosis\ProtoCOL3\DatabaseUpdater.exe" /install

C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe

"C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 10.127.0.90:1433 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
N/A 10.127.0.90:1433 tcp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp

Files

memory/4832-0-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4832-2-0x0000000000401000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QV0V4.tmp\Setup.tmp

MD5 898d42b5939b4bbc6057c4a85c4e0cfb
SHA1 219fc6d4f8f82260f1a9194f262770e2b3509339
SHA256 acb1db9d7755b12718c02acc9d10660046fc39626e000f763e037a06e52719ea
SHA512 7c36c852e0b6288267a28323e34f60dd3c7799982def2c3e9d86848c3967ad64ad043ecfcef7a7eb3232739279cc53b0fd98945b7321647373bdc955ca410d43

memory/1212-6-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\_isetup\_isdecmp.dll

MD5 77d6d961f71a8c558513bed6fd0ad6f1
SHA1 122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a
SHA256 5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0
SHA512 b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

memory/4832-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-14-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc9redist_x86.exe

MD5 5689d43c3b201dd3810fa3bba4a6476a
SHA1 6939100e397cef26ec22e95e53fcd9fc979b7bc9
SHA256 41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b
SHA512 4875134c664503242ec60717232f2917edca20286fc4b675223edbbe5dc0239ebfaf8f67edd76fedcaa2be5419490dc6f47930ca260e6c9988ccf242416c204b

C:\baae18ae73fa398b245866\install.exe

MD5 33c9213ff5849ef7346799cae4d8ac80
SHA1 5421169811570171e9d2d0a1cdca9665273e7b59
SHA256 3377e31d233ff41aea253e6221815820997763acdf40b005f8791400366cb8ff
SHA512 da0fc3f57156e06c0c37c1fb5176e1b147ce4aa21f519112123722496b04ad4bc3d366e2b51fd78de1ba0304d35bfd5e5fc95cabc2b3eb174f77636a8fa162a1

\??\c:\baae18ae73fa398b245866\install.ini

MD5 5feaa6a36fea7dfdb88c18d69ba6d6a9
SHA1 7afd91a7b046d68b6ee9fd367bcd7a4fec546216
SHA256 67a50ffbb8a1d500eaa4d9f0227d6a8595a2750154e6b31662fc4f51286e47fc
SHA512 6c8c0456f232a02a49d51b3f1a830a18b9078e621cd0dc3f4f76f79b83035e8affac67bce3af9a37fa9096a34a8499c59cf982b63a4b2400b9190d2db293e682

\??\c:\baae18ae73fa398b245866\install.res.1033.dll

MD5 8e97ea8a1ed69806232e8743f9a28706
SHA1 e911d3802e64f9be0e1ac68865bbcc92624d6a1f
SHA256 2893b1b9751f833d4a3ded7c1fba1a96cada2927a2349c5d751365eed647c100
SHA512 aa57fe0b822145aa1d8eb72f9735ef5d92036f24c4c80392799d701447d18ea510331f5653b39c43dc923cd0f1a61bf87be0f8a4927f6e3754d19ac76fd443c3

\??\c:\baae18ae73fa398b245866\globdata.ini

MD5 0a6b586fabd072bd7382b5e24194eac7
SHA1 60e3c7215c1a40fbfb3016d52c2de44592f8ca95
SHA256 7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951
SHA512 b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

memory/1212-53-0x0000000000400000-0x000000000052E000-memory.dmp

\??\c:\baae18ae73fa398b245866\vc_red.msi

MD5 6e17361f8e53b47656bcf0ed90ade095
SHA1 bce290a700e31579356f7122fb38ce3be452628a
SHA256 8811e5fe167223d906701bc8deb789de0a731e888e285834bcae164b03d43c96
SHA512 a566fc8bbb4d354db32f13de2fde73a1210c61b1c30a1be22b16c7e98b8d51c673259c57a924b04035cb9f0bf4a087a3e8b32221e7ff87032cddc840ffe3ed2f

C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI07E3.txt

MD5 a55df22b32b19c4d96d5339c358739c2
SHA1 8b95c133c5da7a5bc179697b104dc7bc101f1098
SHA256 559a984cce25afd5491a56334b86cf27378a0ec904d07c6e08cb7bc5f52ef315
SHA512 589f59e4707890888d44de6fe731138eccc5513bf606e378b59cf72ca770406f747d86085eebacce00e9e71a3550734af05e82039b2e11e4503be98a766ca2e5

\??\c:\baae18ae73fa398b245866\install.res.1042.dll

MD5 d276d0c01bf44cb781ff5d293676674b
SHA1 f96e3a9bbac867b4dd9b24312845a852a5b44ed4
SHA256 d6f45cb0308e3790b0d819cae9d87e61d79468414ce7f78bd41e7289fc832945
SHA512 46100a058157b8435633bf0fc6a2c92086d74c60e480e0faa016e7aaba848e16c2431e48b83e738c28e3a393592ff6cc27b7a2c2a55ff6d94494cf83686175c7

\??\c:\baae18ae73fa398b245866\install.res.1028.dll

MD5 5e7e93fb7b9d36665b10be97703dafe5
SHA1 17b42892768e9742920febf70e9214997e3f04ef
SHA256 b8f0f576199e32fd906538537c8da052ee666a91ef971c577a53fd715e544604
SHA512 8f2828606ae34a691be77cdc5dc20f3aeb641bb24742fac04860a6f847c42cdc8453b8e5f9722f7b016438849c2b57fc8ea9b41111b69ffed30624e16824a1d6

\??\c:\baae18ae73fa398b245866\VC_RED.cab

MD5 ecca3c1acb74cb73c600eabdd3f9c9d9
SHA1 f015759f623c377494a5996670204f1fcd0895e3
SHA256 43b7648183347374236296f2176c7c7da920da9c1a08adda761e12614efb299e
SHA512 2785b8e8cfc310ec114cee696c5b85900fc71186dcbf0c99a9c13f4f0fdcc9e9dd583c9d1fd82492a680efcd7071c3593b02b628bd947bc19b1302b931aca807

\??\c:\baae18ae73fa398b245866\vcredist.bmp

MD5 06fba95313f26e300917c6cea4480890
SHA1 31beee44776f114078fc403e405eaa5936c4bc3b
SHA256 594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1
SHA512 7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

\??\c:\baae18ae73fa398b245866\eula.2052.txt

MD5 ec4b365a67e7d7db46f095f1b3dcb046
SHA1 d4506530b132ef4aad51fcbc0315dadc110c9b81
SHA256 744275c515354ece1a997dd510f0b3ea607147bbf2b7d73f8fca61839675ba27
SHA512 5e5d1e196fc6ac194589bc6c6ab24e259aed8cbd856999390495fd5ec4211f212c6898e1b63538bfbb4401a5b4da08f3a2e09bca1cfb2e9c2cee38e63190b2a2

\??\c:\baae18ae73fa398b245866\eula.1028.txt

MD5 f187c4924020065b61ec9ef8eb482415
SHA1 280fc99fb90f10a41461a8ee33dbfba5f02d059d
SHA256 cfa4f2c6c2a8f86896c5a6f9a16e81932734136c3dfde6b4ed44735e9c8115c2
SHA512 1d5a8e80fb6805577258f87c4efd7c26a9ac1c69f7dea1553d6f26bcc462d2d9c01d4b94077f70110a33b39648c9aa3bb685e10534f19ba832d475e9ee6aa743

\??\c:\baae18ae73fa398b245866\eula.1031.txt

MD5 3168ed3b48c1dc8d373c2abc036574cf
SHA1 7ffbcfb6cd9b262a0e9a55853d76055693f60c60
SHA256 3e4d78fcc11eecb23af12a4eaa316114bb36d39561f6062a3921c08a43261321
SHA512 9465640705c382bb736e468a2ffb303ecfb2637c55ddca759d1fb190279b98103def64a8c599deaa1439e58c41d7b2c2809332c2a5f18945e9ee3d6c046a5197

\??\c:\baae18ae73fa398b245866\eula.3082.txt

MD5 c2d1221cd1c783b5d58b150f2d51aebf
SHA1 3bc9b6419a5f9dcf9064ae9ef3a76c699e750a60
SHA256 c79ff7b9e67aed57f939343a3d5fd4fb01aa7412530693464571148b893b7132
SHA512 c4ec596814b408e3c0aaf98864e2769c6175dba020f3014dd79f0190d81812020c932afca449e6b8b35233f36f2ab2efad0dc8d0d68dccdb40f6715fb1d050b4

\??\c:\baae18ae73fa398b245866\eula.1036.txt

MD5 c360851dfdf51b6ddc9cfcc62c584898
SHA1 f8fbe6b98039d01700dc49eb454bb1c1d8cc4aa6
SHA256 3456ebc9c6decef8b27b10d97f7f6d30a73b5da0024e1b8a0657e3b9a1cc93d9
SHA512 a340a7d98b4b6f925a803805224e733433e76230a36c4ab17e28f9d5951b81280d776153414701b29bb05b496b726932683e35fb603587d7ff5b716a88fece8d

\??\c:\baae18ae73fa398b245866\eula.1040.txt

MD5 04b833156f39fcc4cee4ae7a0e7224a1
SHA1 2ffa9577a21962532c26819f9f1e8cd71ab396bd
SHA256 ebafaeb37464ed00e579dab5b573908e026cd0e3444079f398aada13fa9a6f66
SHA512 8d3f6a900ebd63a3af74ab41ac54d3041de5fe47331a5e0d442d1707f72a8f557d93d2f527bbb857fb1c67dd8332961fd69acc87de81ba4f2006c37b575f9608

\??\c:\baae18ae73fa398b245866\eula.1049.txt

MD5 bc3a8865b60ec692293679e3e400fd58
SHA1 2b43b69e6158f307fb60c47a70a606cd7e295341
SHA256 f82bca639841fa7387ae9bbf9eca33295fab20fade57496e458152068c06f8a3
SHA512 0d9820416802623e7cd5539d75871447f665481b81758c08f392f412bc0fd2ef12008be0960c108d1c1ce6f26422f1b16161705104d7a582df6a1006b0d1b610

\??\c:\baae18ae73fa398b245866\eula.1041.txt

MD5 031fab3fb14a85334e7e49d62a5179fe
SHA1 12370185ef938a791609602245372e3e70db31be
SHA256 467773ddffdb3f31027595313b70d1ea934c828b124d1063a4aa4dbe90f15961
SHA512 7424a52bbb18a006816ee544d47f660e086557d13bb587d765631307da96aba56d8b9cd3d4e7d50c2a791815273910cef95ebe928bc03dd9c540b97ac7a86447

\??\c:\baae18ae73fa398b245866\eula.1042.txt

MD5 6fcd6b5ef928a75655d6be51555288c7
SHA1 eafdcc178343780b83f1280dad9d517aaedab9e4
SHA256 3d45f022996cd6d9ebb659a202fbfd099795f9a39ed4e6bbd62ac6f6ed5f8c7b
SHA512 635ba44d8d8ecfbdb83a88688126f68c9c607e452e67d19247dfe7c307c341dad9b1d2dc3eae56311c4b3e9617ab1ee2bd2a908570df632af6de1e1fa08bf905

\??\c:\baae18ae73fa398b245866\eula.1033.txt

MD5 162fc8231b1bd62f1d24024bb70140d5
SHA1 7fa4601390f1a69b4824ee1334bee772c2941a24
SHA256 c68a0fd93e8c64139a42af4fcd4670c6faea3a5d5d1e9dd35b197f7d5268d92b
SHA512 a707b5ef0e914ba61e815be5224831441922ed8d933f7a2ffe8aecf41f5a1790a1e45981f19d86aa5eab5ea73d03b0c8e2ab6b9f398ab0154d1c828da6f6beda

\??\c:\baae18ae73fa398b245866\install.res.2052.dll

MD5 4b8d230ccfadf8a2d3ea4b1512238292
SHA1 53793dde6106277c33367de5cf361f79a52692c2
SHA256 8fec53f664217f624ec8229425abde74225eccf6b55e41d4c12c9d9789f4159c
SHA512 10993d5ca2b40060ba5925e8d7c008d028c06d909cb3b3a8f8da6a289e2cd45b95227114115e7ab6bed7fc91601d94c5b3c1a9d44e08850dc3048e4e9d51423d

\??\c:\baae18ae73fa398b245866\install.res.1031.dll

MD5 a1157142485b86985c03e26add533201
SHA1 05320791cdf33ff3a9989396f6b54172b2d7d0ee
SHA256 94779d2272a18a0340156225485aab95d0473aef478442dfe392d11b7e6f41db
SHA512 3fa2b3c4c57e071f24cdd02fc53dca5206370c8161cd9ba7b95fa8a9bce9e5268f3f7824908f93df7a087afd38425219447339f40908ffc9b1d593d063ae21c1

\??\c:\baae18ae73fa398b245866\install.res.3082.dll

MD5 55a9b25fa0d768fb902842439d041b1f
SHA1 da103afd92af9b6f89b604191db2805a015a8c38
SHA256 8f826dba565fc464395ed24219da946f55692705de9f61f501dcfebf338970a3
SHA512 dc1b1dc345cb0e2e7e055abc07fc1374abbf773afae64fc27db292c5b97a166bfe4eaa69188d6831a91bfa2913c2238277a860a098ee9606b4112cba55067f7d

\??\c:\baae18ae73fa398b245866\install.res.1036.dll

MD5 cbf6e77d932688970a28328ca5263501
SHA1 b1d469e921ba90df15760943f228ebb2cbc55792
SHA256 3ffe888bc0bbe9bb81369b49171d532839fbea931d8553371e857df6ef815c13
SHA512 eeb2773960f7ecf9e87b5225cc730651388fab7dadda766a38d345f051ce2cab7027ac6c7286092e86f71c67b8c8a8c01c3808f205082280ad051fcba96358c9

\??\c:\baae18ae73fa398b245866\install.res.1040.dll

MD5 dcca7196203d338b41ead5e1418c6a92
SHA1 44267accc8577f093abc77dff8d5f7ff25c343b2
SHA256 c2a81077da2201d180bd5496129ea6bcfc5930d8a6d256babdb9a552b1a597d2
SHA512 13e934786445067be1c9eca38587dc55e294b2df6e1a16d13c584dc3c031126314047c007ecbc4548aa9bbe1f1021f19cd6b639fc66f43ef9465f4c4c10df049

\??\c:\baae18ae73fa398b245866\install.res.1049.dll

MD5 2e57ae4186f17be4148077ffe8212a27
SHA1 edad955ab3deef258c354d134b5a3443369f85f8
SHA256 ac9ef02d54eb87a5bc2bc8c77a6497853072ff37e7e82495ef8d79f6a5af07e3
SHA512 b2f239253866aab26cb1ab8a90f89ff90553cdb5897bba2ebf0e08eefb5a975c68bf7904f15b09e33777718478e3cc1a074dff8d8ddacc8a56b675adf125443b

\??\c:\baae18ae73fa398b245866\install.res.1041.dll

MD5 0fcc2f2bf7c18392514413a3c2a5ec5a
SHA1 bf7f494336589b8763b0936f0558749dbb407c4b
SHA256 11c111b3f24ba7d197007fb572b9f77e7d6f58c290de239a08f287c2aeb3b89d
SHA512 c704d1264fd2a106487baf87f6db054862bb31576b0716fe1570eca46ba90519c23c3246852c6b33ec1cf1fc6ff1529b163ff38ec9d32c5eb588585545fcb596

C:\Users\Admin\AppData\Local\Temp\VWL412.tmp

MD5 9bf58dcaaa3425beb2bc296bc7f73e80
SHA1 0768dd256915835aeb4363bf48ba414fc57407f2
SHA256 771e518b8a00f296cabed0960be3bf6a9e942fad1f6b98c2e637f454553c707c
SHA512 fca6fc24858b7ff799f0a3ec6fdc968f7953625350d68298205b2e07845a90d4eb9c609cbb501eb59ebf5976d1c37c5484d1ed6c82334784edc705dcea39ecf2

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc12redist_x86.exe

MD5 7f52a19ecaf7db3c163dd164be3e592e
SHA1 96b377a27ac5445328cbaae210fc4f0aaa750d3f
SHA256 b924ad8062eaf4e70437c8be50fa612162795ff0839479546ce907ffa8d6e386
SHA512 60220a7c9de72796bd0d6d44e2b82dbdd9c850cc611e505b7dc0213f745ff1f160b2d826eaf62fd6e07c1a31786a71d83dc6e94389690fd59b895e85aba7444b

C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll

MD5 d7bf29763354eda154aad637017b5483
SHA1 dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc13redist_x86.exe

MD5 99e3d99d8ed70ac88f59e31757ed3d62
SHA1 18f81495bc5e6b293c69c28b0ac088a96debbab2
SHA256 bbc26aca42cd311a0e1ea1356852f061d863af047f1891ac9952ab7e7cb8e04f
SHA512 34ff42d09d1738df912823fcb8c16ab28927415f736f0a49779f9eddf0e2fe36682fa3d021414b4751532b0d385aa513290f6c44c48936500c9a58b332fc147c

C:\Users\Admin\AppData\Local\Temp\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\wixstdba.dll

MD5 fb45cc1b78259a878ccc2247d4ceb68c
SHA1 0be045e040f9cffdc2baf021c320abcb471439be
SHA256 87644901a31aa7ee1f61e5906d225491846563eb4a53a302fa337c4ec25e3714
SHA512 c9fdb0019b3b0a7c5c97aa5ea880d7b1522496dc09b097f777233352589a43f2564c0a2fe4fbcfc95c9b70720e0ac1b97b369def65352302ab5a4863ab9fa43b

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

MD5 ed8339dcfa1167a5042770c73a5641dc
SHA1 f6cf19c148f67c514eddc9946defe7c8eb5a36b5
SHA256 e9c480dd9637882b633d1e0b01431d27183b4f94be88d84c7b92c36ff9a342b1
SHA512 a96faff093ad21c6c4ee5a429073d8517dbe179e06178f0c589f1570b99029351eb38e86f8c24323d012fde4e4d43afc5bcf8526ab9d7085d06483e870ffa43c

C:\Users\Admin\AppData\Local\Temp\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.be\vcredist_x86.exe

MD5 e6d5fb03f157f33376e9d8a1055ed70a
SHA1 541add9491f98277163c822390d7c8da07754ae0
SHA256 52a0948253c8120a6e1f96f717978270bbd2d07c0ce46c5f2b8b8ffa7a967494
SHA512 51298ec2dde1d8ec6956cee8dce75572fc85217f49e071867a8a2987071e595db03bf1e1b8a4e7b5439d9383fc0daa89dedeb1573aba8ce32aa4c24bf28d1a75

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\vc19redist_x86.exe

MD5 35b40b21383ac38487ceec8ab6e53565
SHA1 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256 caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

C:\Windows\Temp\{897C4252-F799-4486-92FA-14C2366DFE88}\.cr\vc19redist_x86.exe

MD5 86123c033231dd7e427d619ddeefd26a
SHA1 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256 d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512 ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

C:\Windows\Temp\{3B158E6B-84A6-47E6-9756-55D5DD4CD55E}\.ba\thm.wxl

MD5 fbfcbc4dacc566a3c426f43ce10907b6
SHA1 63c45f9a771161740e100faf710f30eed017d723
SHA256 70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512 063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

C:\Windows\Temp\{3B158E6B-84A6-47E6-9756-55D5DD4CD55E}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Users\Admin\AppData\Local\Temp\is-BIMO3.tmp\MSChart.exe

MD5 e7605df8e1a6ef547c2f77a304de8848
SHA1 776c876430e692c702a8eabed9c89d1ad94d5927
SHA256 95ca5aaa5e9b19dc55127bf89a32abec4f72c4ae03495e461d251a6ecfbeed92
SHA512 58c3ea86fb722bcbe074f634901650ec19262d47a42f9011fbae4e57fd80bdca797cd20d849f382da2671eb9eec52883a15a6ee017483d803c7aab46f029ac18

C:\4a051f497f7543617520ac\SPInstaller.exe

MD5 075bfb4c71d2fb11b644eaabd8b64a01
SHA1 479b6189ca547e6e2926fca014561619766bf8d7
SHA256 2a99618b7d7416d86ea55dad961e785688979acb578ba85851c0b9a6dfe41a58
SHA512 9230dd2d4956edf6dffa179a0e22bef3ef8432f6d09291c8e3f9db82db5f49bf39fe4faf1ef58f41947085b4e8fe129c0a8919d584bc97d784cd8b320ad91665

\??\c:\4a051f497f7543617520ac\SPInstallerEngine.dll

MD5 7c071bc63b58519d2712a13337055fc7
SHA1 e27822a2e785ba0b64d1b6f14035f2fe2ccf6eb5
SHA256 d89494e63910cfc528139a0304555577638da38b5258bdfd22aa86300e00fc8a
SHA512 fa86c69bd79bea703ac218ac5e4d3a18b2c9de66f29458e59f502708c4f28eb57743672c3bf20ec97eeed7bce99568a9290bbe46107d9ea968f46452fb41a66a

\??\c:\4a051f497f7543617520ac\sqmapi.dll

MD5 89e2c7e8af95c3cd3209ed67837d882f
SHA1 def626501cf2d8bacfed0ef3c2f6137a6af0d138
SHA256 f19eaba1f8e6c28215d93481ddfa37767390500c70ea5cc06d747eb1132b41dd
SHA512 0b6155c1413ad48c4a1665a7aa87ec004e860c2da2d6cad96ec4b9436e9ff649e5cd807895730f2f49aecd5ba7a1f6bf83d0e47e58b504983033a2bd2ddc9a01

C:\Users\Admin\AppData\Local\Temp\HFI17F9.tmp.html

MD5 3fb443021b7cc775653091fbda3f0485
SHA1 8d9902c5025fc05e264afbd26d8cc8fa84ef713f
SHA256 dc32ddb61a8d542f16f9acbfe26ced213ab847dd606c934a22beb2dd034b74d3
SHA512 d7426d5db8a37e970ff61dab3b69e6fdcfd8881c5c62e45b9cc5b9f49286af237f6a55e5bf82e11f5c9cb2d3c3332d922c7d8fdd4e12cd31bcf4f116e233957a

\??\c:\4a051f497f7543617520ac\DHTMLHeader.html

MD5 ed37a53d539007fec2ff78bbfc449ec8
SHA1 a59b06a2544e612b8c712ebb0e29705922704156
SHA256 b5f71fb8b34fb75a1a89251b5de3b22c25232ab84c6a392c85f738d75de86678
SHA512 921a5e8d68b39019657153b371cbce0fda8b842dca89889a4f11a8187344b2ada74dbf863f8d0f9a9dc7837af11c7e0f94cc5a8fba0d5e8c449758482af8adf9

\??\c:\4a051f497f7543617520ac\ParameterInfo.xml

MD5 8d82e881132076df04aa63ee0469017d
SHA1 941214a5e8082f5dae9fc61dcfe2737045fdc7b0
SHA256 e1ad3bdb0caeca027126cb8925f19efb504444a12a000a99e97a4bd75290f89b
SHA512 049345de531f5f5b47aa5ae2aa3f4a90e1ba0f91c24a8e94fdcf5f0e4b5e07ec76c7ce1f6fb47ee36616900df455458576225c0a7bd23025315853c5b9ace19d

\??\c:\4a051f497f7543617520ac\LocalizedData.xml

MD5 60194fff32d63effec5a298a3de26da1
SHA1 f149a86d77e56127b9a3721e85e69066638ed92b
SHA256 66a4a89410cba0b00035e0356120187c1aaf0e2a13787811a782a26d1a832c1d
SHA512 d2bd136593267f0ef9c8a31ea243f5020d56cbbfc2d4f66de8340aeab4eefd42e2c3f85888736d20623fe365ceb735d6554547fbb7c19d1ee76cf25796327c05

\??\c:\4a051f497f7543617520ac\SPInstallerUi.dll

MD5 c99e0fa0933efc3658dd02525b43fdd7
SHA1 3cdd7b8d22f2d8519f5544b7f12ac30a2268a5b9
SHA256 7eaf337bcb544eaa50b46c114cfde2d21954299e5b84fade03dc37c15d1b00ab
SHA512 9b4187863e7057e1f250ed1e0a616e2a4746b11ef4f0ae4b017d2c2cf7dab23de030e12f54ca74edb18427bd009d03e465b6687603344ccab9bd2f3f8aa3772f

\??\c:\4a051f497f7543617520ac\UiInfo.xml

MD5 bcd1b1b5fd79f3be496c430480a72096
SHA1 db0a33a1c11c65e9b7a7960ae9737b87f2ef6406
SHA256 918d468ecc579e74209643b4a1e16afa5b918b1c3b2fb509ac4c5d01a24aed0e
SHA512 a15d831023d4204070137a9381280880236c916369b41b0a6c444c334b10680df45756554dcc97a65a6a88dd5ca67672803baa9ea14513fa357c2a98c371385f

\??\c:\4a051f497f7543617520ac\1025\SPInstallerResources.dll

MD5 4cea15e2da2d63993363ff4f4d6e7c48
SHA1 5d753d5b72abfe1ca202ad8ed4db60da9d5ae0bf
SHA256 3a95d2f43ce9727cfc61b68f27f2217e9098e793f01ea1439de62005bbdb55d6
SHA512 71700bc823dcbc8333550dab555acfa42bb4a7d6eb15564fb639bfa829b56f8549be125c5679c9f65db9b958c8f924504cae1c8c5ac1377307fd76aa504bd5c7

memory/2344-440-0x000001D9C6D10000-0x000001D9C6EBA000-memory.dmp

memory/2344-444-0x000001D9C5700000-0x000001D9C5718000-memory.dmp

memory/2344-448-0x000001D9C6EC0000-0x000001D9C7070000-memory.dmp

memory/2344-452-0x000001D9C5740000-0x000001D9C5756000-memory.dmp

C:\Windows\assembly\tmp\94798G57\System.Windows.Forms.DataVisualization.dll

MD5 4eb366f068876656057fccb2b5360fdb
SHA1 5ca25be2e5fd5205971c931c30ee52bd1855ed05
SHA256 9d193f4ac582a024e9c8a386717944e82d281e30b30bd1b3b4d015dcb52a5d56
SHA512 177a0c7f8ac5526ca8622447816412a91c2ff1c6933b6f67bfe3bae4aa9cafd81b787bbc8df106ae96167f1e6f1cdf63ab7b3ed81f9a1370f23af05259abe7dc

C:\Windows\assembly\tmp\XGMS1MWW\System.Windows.Forms.DataVisualization.Design.dll

MD5 f9ce119437c7c56eda862b412f5b7dfd
SHA1 092dfc99d44b3d1ff9ef2af7e2a80b7941ff0131
SHA256 49248d90a581d2e9933b1013b7f2aef8346f6da297851c9215ac45f8fe9fd857
SHA512 c8ba2f65c040946c26657d4e939ff2b069b806c6adde938a1b5971432df6b3796abb23c1bf9722b1e1483480fa488a42642b71c1e71d909a57d134088eabf620

C:\Windows\assembly\tmp\WBW3UUCV\System.Web.DataVisualization.dll

MD5 6502f885536ef34d3011acec9021b4a2
SHA1 4ae4723cd4c36c82bf85737580ac29832756a871
SHA256 ee4b416f47e919459134253dc7429993a3f33bb31fad9e6fb95a16bf4fd3995d
SHA512 e6d68d84c51b11c874eda91a49d67a0ebb4f2221e4531c1aa971178978deb08a16914c7a97e4b8a85af8642aa7ef50b1b4a87ada51d09cdb3e959c5d08106602

C:\Windows\assembly\tmp\8A23OZLL\System.Web.DataVisualization.Design.dll

MD5 68921811aae9fc8c544274a580369483
SHA1 8f113e1f286c43d8037d58d7047ffc9196e12e05
SHA256 41552906188914f8b781315751ed105acc8ccbdcd160baecb7f88ce4caf23923
SHA512 fb6fe53638b02b6a326ace5dd506302a8b5c32f728a99e4725a701b069605f2f1b3e8ef6d0bf870dcc248fa72c109f0d9a509ae7cfbf4ba17f9bac50e6c970cd

C:\Config.Msi\e57d0d5.rbs

MD5 c3a578eeb6d1fe943a52f7e1f8a98142
SHA1 6e0b3d8b918dd61dfc950090cbedf206de95b4d4
SHA256 a75a574826f056ab1d984874ee0dd33c2ea7a8ded0ceb7533a05ef52028a65e4
SHA512 22011e3485fd84fa00c30374a4e59144403a63d7b073ec5678fa1b0eeb77a850158ef21ad4e1da5fe05c9e23b40399170ea1870515efb2e5ad28b4459a110767

C:\Windows\Installer\e57d0d2.msi

MD5 a497584d5356ece498183eaf9fb353a3
SHA1 a0d1400b0ee1492b96d5d15972050500a0a7f7a2
SHA256 13c8e09908cc076d93ec3f7ade0b9127fc9d38763ea90f8a5d83c57d835c2582
SHA512 e694c97baa54a642df34385e720f1658392dd7bf87a4d8b0d5332ff41c6b1577d452041e90edaf0b8b459a4da6f867102f5c0cb9273091a806a504f7e07b0152

memory/1212-478-0x0000000000400000-0x000000000052E000-memory.dmp

memory/1212-505-0x0000000000400000-0x000000000052E000-memory.dmp

C:\Program Files (x86)\Synbiosis\ProtoCOL3\ProtoCOL3.exe

MD5 827af659355b680117fdbdc542edc328
SHA1 2197dd695f2e561387665caa512b3113312d8c7a
SHA256 b617e1f86ef1df71f60811340ed1160cacf69399e7736d641ee9095c1477ac0c
SHA512 dddf5940607cad8f68e0f581ae14b0c734089587d082afa3c92aa6109b46b7c11e9c362047ffa70799bc20ab39ff0fbcd85c0168d18af64922ccf832f95ec11b

memory/1764-797-0x0000000000B40000-0x0000000000B75000-memory.dmp

memory/1212-800-0x0000000000400000-0x000000000052E000-memory.dmp

memory/312-801-0x0000000002650000-0x00000000035BF000-memory.dmp

memory/312-803-0x00000000035C0000-0x000000000368C000-memory.dmp

memory/4440-808-0x00000000009C0000-0x0000000000E60000-memory.dmp

memory/4440-809-0x0000000005770000-0x00000000057BC000-memory.dmp

memory/4440-810-0x0000000006160000-0x0000000006704000-memory.dmp

memory/4440-811-0x0000000005C90000-0x0000000005D22000-memory.dmp

memory/4440-813-0x0000000006B40000-0x0000000006F70000-memory.dmp

memory/4440-814-0x0000000006110000-0x000000000611A000-memory.dmp

memory/4440-815-0x0000000007C20000-0x0000000007F74000-memory.dmp

memory/4440-816-0x0000000007B50000-0x0000000007B9C000-memory.dmp

memory/4440-817-0x0000000007F80000-0x0000000007FBC000-memory.dmp

memory/4440-818-0x0000000007BB0000-0x0000000007BD1000-memory.dmp

memory/1212-820-0x0000000000400000-0x000000000052E000-memory.dmp

memory/1212-833-0x0000000000400000-0x000000000052E000-memory.dmp

memory/4832-834-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2432-835-0x0000000000550000-0x00000000009DE000-memory.dmp

memory/2432-836-0x00000000055F0000-0x0000000005832000-memory.dmp

memory/2432-837-0x0000000005A90000-0x0000000005ADA000-memory.dmp

memory/2432-838-0x0000000005A60000-0x0000000005A6E000-memory.dmp

memory/2432-839-0x00000000063A0000-0x00000000066F4000-memory.dmp

memory/2432-840-0x0000000006C00000-0x0000000006D86000-memory.dmp

memory/2432-850-0x0000000007090000-0x00000000070E3000-memory.dmp

memory/2432-851-0x00000000075F0000-0x0000000007610000-memory.dmp

memory/2432-852-0x0000000007FB0000-0x0000000007FFC000-memory.dmp

memory/2432-853-0x0000000007890000-0x00000000078B1000-memory.dmp

memory/2432-854-0x0000000009010000-0x0000000009028000-memory.dmp