Malware Analysis Report

2025-01-02 07:47

Sample ID 240509-y4zzssfg47
Target setup.exe
SHA256 b41f32b58a179da7f4b53a015779e6b73ef28b22a7dac3525f7cd768a524d112
Tags
privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b41f32b58a179da7f4b53a015779e6b73ef28b22a7dac3525f7cd768a524d112

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

privateloader

Privateloader family

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 20:21

Signatures

Privateloader family

privateloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 20:21

Reported

2024-05-09 20:26

Platform

win7-20240508-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Enumerates connected drives

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\MSIEXEC.EXE

MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{1AFEE24F-4C66-4B84-ABCA-CB8B268CE1CB}\Mike's Easy BMW Tools.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~363D.tmp

MD5 9b5f48e753542fe2cfe1a04370a3121f
SHA1 3af32dbee6487055ac3a3cccb009cb689632f9ed
SHA256 06d4f584647803c8a042dc79b6cf1de5afd41db016dcd9531e00d92ec703da12
SHA512 93c2222c126f4339ebbb7be89f4a635df1ffc52a383768a4c3469274cefb9c33b665332392f8be1b6ae6b9771a17736c26ff757ebd909ea760e2128388fe8ddd

C:\Users\Admin\AppData\Local\Temp\{6D9F65C6-B327-40EA-9286-CAD0D167AEC7}\0x0409.ini

MD5 8586214463bd73e1c2716113e5bd3e13
SHA1 f02e3a76fd177964a846d4aa0a23f738178db2be
SHA256 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
SHA512 309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 20:21

Reported

2024-05-09 20:26

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\USB Driver\dpinst-amd64.exe N/A
N/A N/A C:\EC-APPS\INPA\BIN\INPALOAD.exe N/A
N/A N/A C:\ediabas\bin\EBAS32.EXE N/A

Enumerates connected drives

Drops file in Windows directory

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies Internet Explorer settings

adware spyware
Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
N/A N/A C:\ediabas\bin\EBAS32.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\ediabas\bin\EBAS32.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\SysWOW64\MSIEXEC.EXE
PID 4600 wrote to memory of 4480 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4600 wrote to memory of 3308 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4600 wrote to memory of 4548 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\cmd.exe
PID 4548 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\USB Driver\dpinst-amd64.exe
PID 4600 wrote to memory of 1336 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1336 wrote to memory of 3752 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4100 wrote to memory of 3988 N/A C:\EC-APPS\INPA\BIN\INPALOAD.exe C:\ediabas\bin\EBAS32.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\MSIEXEC.EXE

MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{1AFEE24F-4C66-4B84-ABCA-CB8B268CE1CB}\Mike's Easy BMW Tools.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5A7F04926E10915AC3E2AB8109EB2971

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\USB Driver\checkOS.bat""

C:\USB Driver\dpinst-amd64.exe

dpinst-amd64.exe

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 07FD34BBA0DDC06DD1F9C1E37442DF93 C

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\EC-APPS\readme.rtf" /o ""

C:\EC-APPS\INPA\BIN\INPALOAD.exe

"C:\EC-APPS\INPA\BIN\INPALOAD.exe"

C:\ediabas\bin\EBAS32.EXE

C:\ediabas\bin\EBAS32.EXE -p1004 -t12A0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 2.17.196.152:443 www.bing.com tcp
US 8.8.8.8:53 152.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 2.17.196.160:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 2.18.121.71:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 160.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~A7B.tmp

C:\Users\Admin\AppData\Local\Temp\{B7AA5505-3F6A-43A1-BDFE-08972ED674B7}\0x0409.ini

\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{57f86cc4-c238-40ba-a1ca-960eb15d46d9}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Windows\Installer\MSIEF2D.tmp

C:\NCSEXPER\DATEN\E46\SELECT.ASC

C:\NCSEXPER\DATEN\E46\VARIABLE.ASC

C:\NCSEXPER\DATEN\E52\SELECT.DAT

C:\NCSEXPER\DATEN\E52\VARIABLE.DAT

C:\NCSEXPER\DATEN\E53\SWTFSW01.dat

C:\NCSEXPER\DATEN\E53\SWTPSW01.dat

C:\NCSEXPER\SGDAT\30RLS260.ipo

C:\NCSEXPER\SGDAT\30SBSL60.IPO

C:\NCSEXPER\SGDAT\30SVS_65.ipo

C:\NCSEXPER\SGDAT\00swtkws.ipo

C:\NCSEXPER\SGDAT\110100szm60.ipo

C:\NCSEXPER\SGDAT\110100VDM70.ipo

C:\NCSEXPER\SGDAT\01msd852.ipo

C:\NCSEXPER\SGDAT\02EK9272.ipo

C:\NCSEXPER\SGDAT\14PDC65.ipo

C:\NCSEXPER\SGDAT\152ARS60.ipo

C:\NCSEXPER\SGDAT\05GK35.IPO

C:\NCSEXPER\SGDAT\35ULF60.ipo

C:\NCSEXPER\SGDAT\36MASKM1.ipo

C:\NCSEXPER\SGDAT\07dde71.ipo

C:\NCSEXPER\SGDAT\08011308empi72.ipo

C:\NCSEXPER\SGDAT\080200IHKA81.ipo

C:\NCSEXPER\SGDAT\28DDE504.ipo

C:\EC-APPS\INPA\SGDAT\30ZFEL1.ipo

C:\EC-APPS\INPA\SGDAT\11000002TVM2RE.ipo

C:\EC-APPS\INPA\SGDAT\01M401.ipo

C:\EC-APPS\INPA\SGDAT\01M527.ipo

C:\EC-APPS\INPA\SGDAT\08010004tvmrd1.ipo

C:\EC-APPS\INPA\SGDAT\08010405CM62F1.ipo

C:\EC-APPS\INPA\SGDAT\08010408CI63F1.ipo

C:\EC-APPS\INPA\SGDAT\19EK927.IPO

C:\EC-APPS\INPA\SGDAT\A_EDCS70.IPO

C:\EC-APPS\INPA\SGDAT\a_gbfa.ipo

C:\EC-APPS\INPA\SGDAT\A_LWS5.IPO

C:\EC-APPS\INPA\SGDAT\AMPT70.IPO

C:\EC-APPS\INPA\SGDAT\BZM_E65.IPO

C:\EC-APPS\INPA\SGDAT\CDC_E65.IPO

C:\EC-APPS\INPA\SGDAT\D60PSA0.IPO

C:\EC-APPS\INPA\SGDAT\DWA_E65.IPO

C:\EC-APPS\INPA\SGDAT\fle_r.ipo

C:\EC-APPS\INPA\SGDAT\LM_60.IPO

C:\EC-APPS\INPA\SGDAT\SECUR1.IPO

C:\EC-APPS\NFS\SGDAT\30ASK_CD.ipo

C:\EC-APPS\NFS\SGDAT\10GD8604.ipo

C:\EC-APPS\NFS\SGDAT\11MDS52.ipo

C:\EC-APPS\NFS\SGDAT\13DDE63.IPO

C:\EC-APPS\NFS\SGDAT\13DXC883.ipo

C:\EC-APPS\NFS\SGDAT\46CC6260.ipo

C:\EC-APPS\NFS\SGDAT\08000100VMHFB1.ipo

C:\EC-APPS\NFS\SGDAT\A_6MOT.ipo

C:\EC-APPS\NFS\SGDAT\A_E60CT1.ipo

C:\EC-APPS\NFS\SGDAT\A_E60LM.ipo

C:\EC-APPS\NFS\SGDAT\A_E65R.ipo

MD5 7ae1e096503c51a943cf74f6e6d89e01
SHA1 49b5d51c2b02dfaee96e781b6c4a209a90f1a60f
SHA256 90be28f82c6a93d0aa96ef1cb07e185d5150aec679150954d71ca39e7a8c1739
SHA512 b8e8889e418c20f068992d3d5850c6bf3617aff7bd5ad77c3fba2bcd097f6cae05dbb58bc4c12094335cfea2cb4c2b64c585383e88678017f6796dfd8c1f7fa9

C:\EC-APPS\NFS\SGDAT\A_GT.ipo

MD5 bcbba96224a282d0b1dd7beca05b2c9b
SHA1 59b8f075809f7257fd41107d681b2d7cc7bf7af9
SHA256 b1c0c0b36c5d535c474cdd615eed980525657baa1d198d438461dcec05c99d9d
SHA512 484cbbf7f3a96ec8f066ba8ee12b51999503f04a37fe859017e8ebfb9ec332103b5e777e1a979002570b4d1d7e459551464139bf585102dc455b3c7aa55aaca0

C:\EC-APPS\NFS\SGDAT\A_SMCDSL.ipo

MD5 83bb5b700047c87fe1f34ac3abbf49dc
SHA1 b86265b5f68569d1c83434bfda12eb4615be80e5
SHA256 53cd7a35124dd063fdaeaccb4cd0c10dc6eb3b2cec5e38ea7de08ab0ae5b4f5c
SHA512 104011fad71de3a048fd633dc9404b2fcb5eee3bf91e1a3e8a14c9bf98456cd124897d8020c4d45c7788b3898bcc2b0c0c1bd90fc33ded0836a968b46e8477f9

C:\EC-APPS\NFS\SGDAT\A_SMCKWL.ipo

MD5 120165bcc58b5d2f1a1ac32437f6b36b
SHA1 b6f49557308b283ff849500f10c07bc6227571ca
SHA256 3c73ac583c0a74a1cb87b22a91d604762ae3fc2148df7bc0dde49ce1271ac67c
SHA512 f0ef8a4755e38746ce8ab3cdda5ff3fef4f3cae0d0d8df9c4f267ddd1a7ff996b1e0c9c9a620ae9c791268cfe36f60c223e5d641e813966162f1a424a307b8bb

C:\EDIABAS\Ecu\33CM63F1_01.prg

MD5 88d12c09afdce519f2f36707d6e79afa
SHA1 3fa4fda0acd95701f701adc0fc936aee630d1cf7
SHA256 678077f28d994b4501c15fd5b162731dbad3caad175933cfaf5a577aacfa658e
SHA512 868cd5d9e506a9ec3927c3ed1a143d7dbe7f940a3da7c0251a14a20f7ed55638809c074180f16eff826690efdc5e6499fbd23b0230bb6a350e5ef8aaa36f6791

C:\Windows\Installer\{CC94D767-0DEA-4D47-AD8F-641268491ACC}\winkfpt.exe_C8F2E55ACE9547F7997DE018526DF035.exe

MD5 c59e49a506d05d3f1283282fddd8b753
SHA1 ead12a9731f9d36c6500420584d8e290520c21fa
SHA256 8eef9ccdb24a83ecf221d302ed328432003cbe55415e0d68641805a9c04ad887
SHA512 35a694d3a4e09d8eec7c4172c16ea6cec815c824a19cae1e712bb9a5a6f5ef123b926aafd1933ddd757f6b9706a6a0257ac7528a13c2d8fd5e04f5cd1d0cbd40

C:\Windows\Installer\{CC94D767-0DEA-4D47-AD8F-641268491ACC}\INPA.exe1_C6EC8CA68FF942ED94E23AF7F179D2F9.exe

MD5 c996c76c0bf1c6791d5e622527230af4
SHA1 b8d86074a86cff0a3d8c2075a6d77e7759efdcae
SHA256 c5b4af9afbe7e82cce6cb23b289b43e482bf11eb85cd455e368e517e372dc98f
SHA512 1c4ed972532e690f43d3afa1e289e0afbe886d1a7fba6b9a30d2760692b68cd471a11e9b8117326592b7905add8c8f2ad129b3af536ce0baaaee60fd4c82ff95

C:\USB Driver\checkOS.bat

MD5 06cb42a749ae4a0bd75602c173f06cad
SHA1 009c4be3645f915242189b93893dd8818ce0fee3
SHA256 f8f580082cbc86d27e7fee25576adf403e28cf671ed26f120114ab94c0ba40e9
SHA512 90c1b26128f8ac3216be2ec249f6c9cf027923aa86f70154adfca746f3fb2fe99d1df80fa31399f243b595a85917f104024d07fd5c72020b6479fdcb3b5fe8a8

C:\USB Driver\dpinst-amd64.exe

MD5 051cfc801aebf138613e2aac61dd4321
SHA1 0dfd251b3e09c30e7448da6929b5b73c14f1d05c
SHA256 d770482f49e8825f9339dde01e98ba8085a901d1f56137015bfc159191f43ba3
SHA512 d6554c82888b345da1fd6779f43d5ebbcc65e7c19c99511a0bfc631fb85a2ddc4dac720d50e8fd207ff9f52b0ffffa966f3495e67332fca40bf65c6358c3ffe6

C:\USB Driver\dpinst.xml

MD5 bbb46e3360f3fcabc5d03ca33dc10458
SHA1 c442cab7ea74d8a1dd3bf97786bad844e8913b44
SHA256 65e9bc1f59de53462ed2e6b002c0be26cd3f37b1e360938a0a32aa452ed58030
SHA512 1594e0bd1ba7d9541ff5a44f65da6acdf1b27cfdd72f4a04c07be0f815f6d05d773d8980595da18ecc1ab1bc2587fc248e0997873b02c151dca096a741cd4d78

C:\USB Driver\licence.txt

MD5 5f2bd5bd92fb7740033159c59a8d1215
SHA1 b8e38a2f4ebcc4dad9dd5e73cff82509f6043511
SHA256 4097665303729e520334b2db9915dc3ef955e3518d08846af73d464bfdaea3a6
SHA512 18b59c28af8ba6bab439fbdf32868e63aef6e8a6432847ce44b551f40ecb3c66f797c77d6ebd4e271563bcf71e7357a9301ff73ff0e5e70577584a91807c4e28

C:\Config.Msi\e58e9b0.rbs

MD5 2048755c4954870c508545dddc34d401
SHA1 0eb8b9856fe945252496dced480e39889ab57b42
SHA256 0f7cc28dfda9703e1142ee8e2a0b007442d72a56bc14d32efb63993f486ede01
SHA512 c87524e9acaa9ecb180196344e2ba96fb996894d12064256492def3705acd59c5c134f56ea454470de193a464db75540d1b77d475a00fb56dafb201d17705c9a

C:\Users\Admin\AppData\Local\Temp\MSI7630.tmp

MD5 04289ede648990e01435a99f616c8fdf
SHA1 bc81ff546d812d0f88ed7a98717e77d5e34b61fb
SHA256 6629a2fe72efaded5d12e072a18b0cf065b2c9600a6401645ca1d7804f7edd14
SHA512 cacbadaa96d1f6200fa02ff0c643324c870f95b587e27460af0da525105815380fede9d8d196fbdcabfaa007c404b7487e43407b46585b919f6fa68ea8de358d

C:\EC-APPS\readme.rtf

MD5 aebc6c69b046c0f0a523f756d4d3ce30
SHA1 286c793588e5b7d75349162b04f7ee583a660676
SHA256 6bc8d7baa9e9fca3ae4123a231222dc4d53df97e123e2e60a889af66c8e7b6d8
SHA512 4f9a8356476b30c0bb2a7ca4947d6199e5c0c08f4a8cd0b5fb2b93b6b1f69174cfe232083185a5313c73e09d7972617fe4b21e7344b8a55deeeb61b1043f0227

memory/3752-6718-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-6720-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-6722-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-6721-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-6719-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-6723-0x00007FFC8AF30000-0x00007FFC8AF40000-memory.dmp

memory/3752-6724-0x00007FFC8AF30000-0x00007FFC8AF40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{B7AA5505-3F6A-43A1-BDFE-08972ED674B7}\_ISMSIDEL.INI

MD5 db9af7503f195df96593ac42d5519075
SHA1 1b487531bad10f77750b8a50aca48593379e5f56
SHA256 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 06cc88c561ea3a0834d4a1a4e3f6ebc6
SHA1 6f11b0b611920180eb608de47f4e6e6722a95eb1
SHA256 ed75b63aa27827cc123ec0c9816702886ef6a4f7aa7b4abdd46ece07da5cce0b
SHA512 47a328ce1d5493498f3cba150faf31cd11f656bb8c1ca9d7b7270a6ba05f4a23983a9a5c840e4bfa7a2629e09af926277781a41cf7bc14183234fd9df504e01b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1c8d67f3a68241c1516f90d537f1b487
SHA1 c9446c9473568d7c51f0d01a05a9a3d80b309f91
SHA256 ac19e154a806617e75e9acb5a3a308a88903349ff07851fdc8eaf2de138bedfd
SHA512 c434d6003b2ba5faf104007bc36abb3a8c1a1393c5697c663f7277711eb20ed5ba3cbe4c9a7266aa5c9da5a7b0262f087dbc0803093114c9d505441fb3794597

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f13577e44c6a7794ae92cf4fad654289
SHA1 b014e367b253b1f13c68649bbe5c03e59c06190d
SHA256 21d96c6862ffd88a5d49be63606c97de3ab7728154bc344d5a8e01c20f6efa9e
SHA512 c8648497bf76275f7ae8e6712d2939d543c8ebcab81b2014727cecda58349a03aa80fa525c5e37aefc58f73cc51d6c8bc7542a99f919b198e85b709d89216000

C:\Users\Admin\AppData\Local\Temp\TCDBED4.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/3752-7273-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-7274-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-7272-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

memory/3752-7275-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

C:\EC-APPS\INPA\BIN\INPALOAD.exe

MD5 90760cabb19dabc994d486bb8ebf2e3e
SHA1 04194d70665ceab2ded4e6245f2cc26df1cf3994
SHA256 41add167c149db9c10162f8813d47210b0c8afcdb5cf1683bd023623d294a753
SHA512 858ac96e9509e1b6a3fbfa857091b3378cce77021ee56d2c22439c3f170882f815363bdebde7a96c8329198ecb43f168a79218647f8b9e76b22aff30d83785c1

C:\EDIABAS\Bin\api32.dll

MD5 dc7c5ac055897b49387e7509fdb0f02f
SHA1 0f4acce46e73f4a01fb49e3da606ff5a9623d48c
SHA256 15265157215b814f44397df49c9964448f5f0a9f8a02e1b432406c92e6215a48
SHA512 1972b909c7ca9b65e0bd0de8f72e7d323ed7b9a6f019b5cdd00fc239ebe47e0c2e0ba5d5826e88036adc6c648eeb4753ee193a0073714921d2d77349c41da8f4

C:\EC-APPS\INPA\BIN\INPAUS.dll

MD5 a5adad8efd85b258e00a15286d52d183
SHA1 d12df0299b455939e2ec002c525ad1ae467ca016
SHA256 bec615148a6b50d352a3504919176712ceecc4fe609063ab3adcfbf9798a711a
SHA512 90c7a6cacfc0d9172b3651bec4597fc2a707e103760fd98bec7a87a30927fc93935b5ab511f193f2f37b11e797cabf20df01280ee3dd67fe9cf0ad126f8a8036

memory/4100-7284-0x0000000001FE0000-0x0000000001FFC000-memory.dmp

C:\EC-APPS\INPA\cfgdat\inpa.ini

MD5 21a0b3c6943255ede696db5675fa4407
SHA1 d290f56b4994588569651fb7ce996a5885932403
SHA256 9b3e546fab5fd507e7ef2aeaf3961df2fd6d6d6bf18f84fff07645057861e632
SHA512 39c7cacbe37a89066932b71b4abcfa162376d2166d6eacabe2fb55603a6d09a54ff18d92a4a567829c7c350f970b3a8dd4296479bfa91ac87939b5aa4351b3d3

C:\EC-APPS\INPA\cfgdat\startus.ipo

MD5 8331084d935307ce3efeb734c3f82332
SHA1 966180fdbd73ad41b30fb2db9fb856fec5c4e329
SHA256 35cadbe21185954946079476dfa07ce875113abe17cce5473d3ab7403ad43bad
SHA512 fd7731f137512c81b6c4ff11c15c9e12a2bf36020aa8c53f2f80f77be59c807028ffabded653714e573846334cd9e4707d2e998979af9c958339462ce87bf309

C:\EC-APPS\INPA\cfgdat\startus.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\EC-APPS\INPA\prt\englisch\E3ETIKET.DMF

MD5 44f1836a2347dc692981fa1668421249
SHA1 5e09e2abb84b5673b4bc16025996dbdda268c25f
SHA256 31342d3dac8e7102c89b10b1450af1c6dd181c92e42235978760f3605ed96092
SHA512 4951e7e7773aa4baa2f212061fd129e678ccc76c0491a26651960ab7bbf1ee65085a66b861f34b07eb5b01b7b38b66b1c0e00bd8259f56f74e05a53dcfdd0d59

C:\EC-APPS\INPA\prt\englisch\E3PROTOK.DMF

MD5 e9e04d15d60154b941339ff72fc15ff9
SHA1 1d98815be279cb6cf91b8a3c262a77b596f50b82
SHA256 81920208683ddf6b7ee02630a405b42f503b03734ecae5d8f610820e862b0545
SHA512 89b8befc1b7c4cb3eb834c82e45932a1b070d94ad7b4b7867575949a2d7b976ef569424c353a004cce0d3341d8510421ff2c2864395d6630d309e1e957bee18a

C:\EC-APPS\INPA\BIN\edierror.txt

MD5 1d86dfc5d038da807cba53ad04a3bc24
SHA1 50ec2407344815934ac8895a4359055fb06a1987
SHA256 54d04147e92ca3cc74477d87a311046858501e410584d6c23981cecc7d720468
SHA512 a0485c8d36ca791a745ec0b1e52c2de5b3de594f5efcf914d911ac713ea2f2f07c946e67c206269694ef706acc1471ced82d71d185a2d50aee2f3dc7bb4fe4e6

memory/4100-7310-0x0000000000640000-0x0000000000650000-memory.dmp

C:\EDIABAS\Bin\twfile32.dll

MD5 679068b1bd36e0738ebfff63a0eea438
SHA1 2112359055a8941d47c96b0faebcb3acff41d71f
SHA256 cad3e8b3e0d47fb19ddf65f66dc8b05040e7fc0b49ad12787b4114d5c6665332
SHA512 43f26d0bc8c92e1f89a93f043d0c0e41968408e4033ab76ca59f211b829a90d0d11dc4164edf454f0e760945266809aca311fcb86fa7f6ce17f74314bd179127

C:\ediabas\bin\ediabas.ini

MD5 04482dc4573ef2dd080cba4157d8b748
SHA1 ef09b0dcbe6551cef1adfe5b3fcb4b7fa154ed5a
SHA256 27cb98b35bdc2641c802522225c490b9e951e94c3b224a961803ba96be0f7ac1
SHA512 2ee6d309f1f107a36f6a6ee099e885c3549c641bf727c2548886b06f419ba59d9f372c245ef34fc51c29e4e85986bc11d5c45c2466779ace691bff9b1469ecfb

C:\ediabas\bin\EBAS32.EXE

MD5 0cced2ea2f326c38bc9c3f1ca4bda6e8
SHA1 1412fae1a69fc9bbdf7e0f12c3d55047b4db96d4
SHA256 41292745323a4b51919eb2e41577901bd6861fb743301ceda1164addfe7227a3
SHA512 4ec6429f674c4837b3a6cbbbb8639dd954f71a886b79cfa10697a3a9c5cf36a2ba91c77bd30a49e297bb7659a14576badd155cd9e3d638cc4970346d02873dcb

memory/4100-7305-0x00000000022A0000-0x00000000022B7000-memory.dmp

C:\EDIABAS\Bin\ebascc32.dll

MD5 65212f506fb205d2502d3daff98c4caf
SHA1 1914b5bb1a57eaed173db70b6ffc146e48befd0e
SHA256 38491ba8d3ad1511a00615ad898f8af2c5e315c9bb064587a5b0c9cdcb741204
SHA512 70d70b314b1566c576c315b5e98255ce9dd832bcb1af68887a819bb7c8e6c148e19623a1b43a128b1882223cf355720588354d617f81065810c868accc09a868

memory/4100-7303-0x0000000002280000-0x000000000229A000-memory.dmp

C:\EDIABAS\Bin\tracex32.dll

MD5 68c6ffe9676611e9ed391641d71ce48c
SHA1 1e86e7c23dea1b4f58389e8156fa9355eb1347a1
SHA256 1d9bbf1a6085ec08f8b000b4383319c15bbe6008627e12dbac2f2919988dafe3
SHA512 5fc8b7fadb0e8b10712c8dec5936f4eb68cab04b19dea87464268c45f7bd7dc939572bf43e72889aafb32875bbb0c61aa2bb51f4b8690a410bbd000f3ab4d49a

memory/4100-7297-0x0000000004770000-0x000000000484D000-memory.dmp

C:\EDIABAS\Bin\ebas32.dll

MD5 9a3ead06dd0e7e184c58d5b00ac939ec
SHA1 741565f6f77a2cc755e8d91783444a10dc20058a
SHA256 c4876e43aac09bacd1a761cec413bcd0bbead53b9e038e2de0dfee01d91a4857
SHA512 359123477de5df0a745af5fa87a683db4bbabb0aeea9790c95393fce4b0bcde445e72bf350214d69f31e4053f5aac19b5d327156fae822fb0c0951964555ccb3

C:\ediabas\bin\63477BC6

MD5 c60dd09173cc6062ceb6a4e424b6c3c0
SHA1 ccf3dfeb82fc3db9c700fb4c57b94a310bf4de90
SHA256 ab498c208ef2ce68bf42c9a1e1719c66db3637419070f3d2aaff6b641ba66883
SHA512 9d43c6c01bbcf9b043c24362d1949d58f7e76b69e6a281fd342cc9bfae12d5ccf5339929b33fa0f4ac02fbd4f2e8f4f2baa6995ba28eb5298ae5a0a01ce63307

C:\ediabas\bin\Xstd32.dll

MD5 50b4a6b41e526aaa224118471b1ee62e
SHA1 a12ad915d45cad9849a5a580ebad91455b412f3c
SHA256 91301996c770290af14e525dfc8cf5ceaf1bcf31ecd287f2679c51dc8190de39
SHA512 d1fea2b5e58b63eb7d5ccdd994bd618eec8042c68d68023d01128942b16be0cb739542ee13dc9060d80af2c355ee7d1050b10265de2be959a2df6fc3500cca41

memory/4100-7322-0x0000000002890000-0x00000000028AD000-memory.dmp

C:\EDIABAS\Bin\OBD32.dll

MD5 94bc54f10ebad33972954b0388061aac
SHA1 25422bc629917a70a4f97a8b9ac4c14e5f348e53
SHA256 9c64451944a20bb351989249058a400a09fa39f22764ff3e8934796cd0bb0a54
SHA512 d471539a5d3efc63a52baa8c56e66044b3fb0655370611b59f2c4de4e50f4ca104e90912c85bb970a317e0bdc7faf42a1a432d1f0b1e2441a49cc7e6b46ebd93

memory/4100-7318-0x0000000002760000-0x000000000288B000-memory.dmp

C:\EDIABAS\ECU\utility.prg

MD5 8335463fe053cbe46d710dfa6cebec22
SHA1 aeef5aefe247b197f8f5312e35f4ca4d635d8957
SHA256 3895428a8e9918fe8cc433610b3c4516b12a3bcfbfded2a253bcf80532d1226e
SHA512 c479f57a6b54dba83aef33641b170d33486c3b004a065cb1f5a18e36cc06b16c661304b789028b4f67d3d4a04bfb7b95f5dd360e5468eac01b97b9fd77ea706a