bfd94abece2bea6fa71962eceaeef10c6d270aaa104764dd2f242991ddc2a78c

Analysis

max time kernel
187s
max time network
192s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-05-2024 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spacedesk_driver_Win_10_64_v2119.msi
Size

4.7MB
MD5

8538809ffaf669825da157d0ef65e99c
SHA1

3d8b64fd82e046caaa517b783bdf6bf8e088aca6
SHA256

bfd94abece2bea6fa71962eceaeef10c6d270aaa104764dd2f242991ddc2a78c
SHA512

d736b3299b03eeae61659e2d85f3f2d197a629ac86eff7bca054b90deee852805e11372a9fa5e983ed7fd118736729e43f217ee61844ddd576aba6c828211a35
SSDEEP

98304:Nfbnf/+/tZQ40Ty+10l+Ycn4akTejHDA:NfzMtZmzkq

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

Processes:

DrvInst.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\SET70E5.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET70E5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\spacedeskDriverBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\spacedeskDriverAndroidControl.sys	DrvInst.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

2 1472 msiexec.exe
4 1472 msiexec.exe

flow	pid	process
2	1472	msiexec.exe
4	1472	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 64 IoCs

Processes:

MSI690A.tmpDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_c78e51cb686ef158\spacedeskdriverandroidcontrol.PNF	MSI690A.tmp
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f912506a-a7f4-4540-85b7-c197df80b821}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10bfe8bb-ead2-594b-908b-252d99592e7e}\amd64\SET6E19.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\SET6B68.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f912506a-a7f4-4540-85b7-c197df80b821}\amd64\spacedeskDriverHid.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{10bfe8bb-ead2-594b-908b-252d99592e7e}\amd64\SET6E29.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ddc7589a-46e0-004c-ad91-ac0c1d7869ab}\amd64\SET703B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ddc7589a-46e0-004c-ad91-ac0c1d7869ab}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\amd64\SET6B57.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca84e844-ed73-424d-a9de-e583640e6a4f}\amd64\SET6C51.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b7c04382-8133-344c-9c9b-cb1bdf5cd0b4}\spacedeskDriverAudio.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ca84e844-ed73-424d-a9de-e583640e6a4f}\SET6C52.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskktminputmouse.inf_amd64_96adfd1912f06435\spacedeskKtmInputmouse.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\amd64\SET6994.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\spacedeskDriverAndroidUsb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidusb.inf_amd64_61add788f4d66839\spacedeskDriverAndroidUsb.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f912506a-a7f4-4540-85b7-c197df80b821}\amd64\SET6D3C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\SET6B68.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\SET6B69.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidusb.inf_amd64_61add788f4d66839\amd64\spacedeskDriverAndroidUsb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriveraudio.inf_amd64_5f028417c7e42db4\spacedeskDriverAudio.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\SET6983.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\spacedeskDriverAndroidControl.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f912506a-a7f4-4540-85b7-c197df80b821}\SET6D3D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_24a24ddd75e05e73\amd64\spacedeskDisplayUmode1_0.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_c78e51cb686ef158\spacedeskDriverAndroidControl.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdisplay.inf_amd64_24a24ddd75e05e73\amd64\spacedeskDisplayUmode1_2.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_c78e51cb686ef158\amd64\spacedeskDriverAndroidControl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverhid.inf_amd64_696ff26a48c2be30\amd64\spacedeskDriverHid.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ddc7589a-46e0-004c-ad91-ac0c1d7869ab}\spacedeskDriverBus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f912506a-a7f4-4540-85b7-c197df80b821}\SET6D4D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f912506a-a7f4-4540-85b7-c197df80b821}\SET6D4D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ddc7589a-46e0-004c-ad91-ac0c1d7869ab}\amd64\spacedeskDriverBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10bfe8bb-ead2-594b-908b-252d99592e7e}\SET6E07.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10bfe8bb-ead2-594b-908b-252d99592e7e}\amd64\spacedeskDisplayUmode1_0.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b7c04382-8133-344c-9c9b-cb1bdf5cd0b4}\SET6F20.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\SET6984.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidusb.inf_amd64_61add788f4d66839\spacedeskDriverAndroidUsb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f912506a-a7f4-4540-85b7-c197df80b821}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ddc7589a-46e0-004c-ad91-ac0c1d7869ab}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\spacedeskDriverAndroidControl.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca84e844-ed73-424d-a9de-e583640e6a4f}\spacedeskKtmInputmouse.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b7c04382-8133-344c-9c9b-cb1bdf5cd0b4}\SET6F31.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\amd64\spacedeskDriverAndroidUsb.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b7c04382-8133-344c-9c9b-cb1bdf5cd0b4}\SET6F20.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverhid.inf_amd64_696ff26a48c2be30\spacedeskDriverHid.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ddc7589a-46e0-004c-ad91-ac0c1d7869ab}\SET702B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_35dce141b5899f0e\spacedeskDriverBus.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\SET6983.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{25422141-56cf-5748-b8b9-c2868b4974c2}\SET6984.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ca84e844-ed73-424d-a9de-e583640e6a4f}\amd64\spacedeskKtmInput.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b7c04382-8133-344c-9c9b-cb1bdf5cd0b4}\spacedeskdriveraudio.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_35dce141b5899f0e\amd64\spacedeskDriverBus.sys	DrvInst.exe

Drops file in Program Files directory 26 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDisplayUmode1_0.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDisplayUmode1_2.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAndroidUsb.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverHid.dll	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverHid.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskKtmInput.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAndroidControl.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriveraudio.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriverhid.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdriverbus.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskktminputmouse.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\SpacedeskSetupCustomAction64.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAudio.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverAudio.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverBus.inf	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\amd64\spacedeskDriverBus.sys	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskktminputmouse.cat	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe	msiexec.exe
File created	C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.inf	msiexec.exe

Drops file in Windows directory 62 IoCs

Processes:

msiexec.exesvchost.exeDrvInst.exeDrvInst.exeDrvInst.exeMSI6CF5.tmpMSI6FC6.tmpDrvInst.exeDrvInst.exeMSI6DE0.tmpMSI690A.tmpDrvInst.exeDrvInst.exesvchost.exeDrvInst.exeMSI67C0.tmpDrvInst.exeMSI6B2E.tmpMSI6ECB.tmpsvchost.exeMSI6BEA.tmp

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem8.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem9.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI6CF5.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI6FC6.tmp
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI6DE0.tmp
File opened for modification	C:\Windows\Installer\{687C71C6-28A7-4B40-A545-F2B6A1DAC9EF}\installerIcon.ico	msiexec.exe
File created	C:\Windows\Installer\{687C71C6-28A7-4B40-A545-F2B6A1DAC9EF}\ShortCutIcon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65F8.tmp	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI690A.tmp
File opened for modification	C:\Windows\Installer\MSI6BEA.tmp	msiexec.exe
File created	C:\Windows\INF\oem9.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\e5864df.msi	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6DE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI690A.tmp	msiexec.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File opened for modification	C:\Windows\Installer\MSI6B2E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	MSI67C0.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem7.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem8.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MSI67C0.tmp
File created	C:\Windows\INF\oem1.PNF	MSI67C0.tmp
File opened for modification	C:\Windows\Installer\MSI6FC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{687C71C6-28A7-4B40-A545-F2B6A1DAC9EF}\ShortCutIcon.exe	msiexec.exe
File created	C:\Windows\Installer\e5864e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68DA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI6B2E.tmp
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI6ECB.tmp
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{687C71C6-28A7-4B40-A545-F2B6A1DAC9EF}	msiexec.exe
File created	C:\Windows\inf\oem9.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI71BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI72A9.tmp	msiexec.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File opened for modification	C:\Windows\Installer\MSI6CF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6ECB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI712F.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\Installer\{687C71C6-28A7-4B40-A545-F2B6A1DAC9EF}\installerIcon.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MSI6BEA.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\e5864df.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 15 IoCs

Processes:

MSI67C0.tmpMSI68DA.tmpMSI690A.tmpMSI6B2E.tmpMSI6BEA.tmpMSI6CF5.tmpMSI6DE0.tmpMSI6ECB.tmpMSI6FC6.tmpMSI712F.tmpspacedeskService.exespacedeskServiceTray.exeMSI71BC.tmpMSI72A9.tmpspacedeskConsole.exe

pid	process
3676	MSI67C0.tmp
1120	MSI68DA.tmp
5060	MSI690A.tmp
3200	MSI6B2E.tmp
5096	MSI6BEA.tmp
4664	MSI6CF5.tmp
4296	MSI6DE0.tmp
1104	MSI6ECB.tmp
648	MSI6FC6.tmp
1868	MSI712F.tmp
3380	spacedeskService.exe
4704	spacedeskServiceTray.exe
624	MSI71BC.tmp
1456	MSI72A9.tmp
2320	spacedeskConsole.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

216 MsiExec.exe

pid	process
216	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDrvInst.exeDrvInst.exeMSI6ECB.tmpMSI6FC6.tmpMSI690A.tmpDrvInst.exeDrvInst.exeDrvInst.exesvchost.exeMSI6DE0.tmpDrvInst.exeMSI6BEA.tmpMSI6CF5.tmpDrvInst.exeDrvInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MSI6ECB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MSI6FC6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MSI690A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MSI6ECB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	MSI6DE0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MSI6BEA.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	MSI6CF5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	MSI6FC6.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MSI6BEA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MSI6BEA.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	MSI6ECB.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MSI6ECB.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MSI690A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	MSI6CF5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exeMSI67C0.tmp

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\datronicsoft\v3DDK\RebootRequired = "1"	MSI67C0.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\ProductIcon = "C:\\Windows\\Installer\\{687C71C6-28A7-4B40-A545-F2B6A1DAC9EF}\\installerIcon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\Version = "33619987"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6C17C7867A8204B45A542F6B1AAD9CFE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6C17C7867A8204B45A542F6B1AAD9CFE\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\ProductName = "spacedesk Windows DRIVER"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7D4CBC34A6B7014BBE966DEFF93900B\6C17C7867A8204B45A542F6B1AAD9CFE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\PackageCode = "A611B1D5F2A802341A9F01CE1F3949B3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7D4CBC34A6B7014BBE966DEFF93900B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\SourceList\PackageName = "spacedesk_driver_Win_10_64_v2119.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C17C7867A8204B45A542F6B1AAD9CFE\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

msiexec.exeMSI67C0.tmpspacedeskConsole.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3404	msiexec.exe
3404	msiexec.exe
3676	MSI67C0.tmp
3676	MSI67C0.tmp
2320	spacedeskConsole.exe
2320	spacedeskConsole.exe
2320	spacedeskConsole.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
5012	powershell.exe
1060	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
4920	powershell.exe
4920	powershell.exe
4920	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
632

pid
4
4
4
4
4
632

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	3404	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeMachineAccountPrivilege	1472	msiexec.exe
Token: SeTcbPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeLoadDriverPrivilege	1472	msiexec.exe
Token: SeSystemProfilePrivilege	1472	msiexec.exe
Token: SeSystemtimePrivilege	1472	msiexec.exe
Token: SeProfSingleProcessPrivilege	1472	msiexec.exe
Token: SeIncBasePriorityPrivilege	1472	msiexec.exe
Token: SeCreatePagefilePrivilege	1472	msiexec.exe
Token: SeCreatePermanentPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeDebugPrivilege	1472	msiexec.exe
Token: SeAuditPrivilege	1472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1472	msiexec.exe
Token: SeChangeNotifyPrivilege	1472	msiexec.exe
Token: SeRemoteShutdownPrivilege	1472	msiexec.exe
Token: SeUndockPrivilege	1472	msiexec.exe
Token: SeSyncAgentPrivilege	1472	msiexec.exe
Token: SeEnableDelegationPrivilege	1472	msiexec.exe
Token: SeManageVolumePrivilege	1472	msiexec.exe
Token: SeImpersonatePrivilege	1472	msiexec.exe
Token: SeCreateGlobalPrivilege	1472	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1472	msiexec.exe
Token: SeMachineAccountPrivilege	1472	msiexec.exe
Token: SeTcbPrivilege	1472	msiexec.exe
Token: SeSecurityPrivilege	1472	msiexec.exe
Token: SeTakeOwnershipPrivilege	1472	msiexec.exe
Token: SeLoadDriverPrivilege	1472	msiexec.exe
Token: SeSystemProfilePrivilege	1472	msiexec.exe
Token: SeSystemtimePrivilege	1472	msiexec.exe
Token: SeProfSingleProcessPrivilege	1472	msiexec.exe
Token: SeIncBasePriorityPrivilege	1472	msiexec.exe
Token: SeCreatePagefilePrivilege	1472	msiexec.exe
Token: SeCreatePermanentPrivilege	1472	msiexec.exe
Token: SeBackupPrivilege	1472	msiexec.exe
Token: SeRestorePrivilege	1472	msiexec.exe
Token: SeShutdownPrivilege	1472	msiexec.exe
Token: SeDebugPrivilege	1472	msiexec.exe
Token: SeAuditPrivilege	1472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1472	msiexec.exe
Token: SeChangeNotifyPrivilege	1472	msiexec.exe
Token: SeRemoteShutdownPrivilege	1472	msiexec.exe
Token: SeUndockPrivilege	1472	msiexec.exe
Token: SeSyncAgentPrivilege	1472	msiexec.exe
Token: SeEnableDelegationPrivilege	1472	msiexec.exe
Token: SeManageVolumePrivilege	1472	msiexec.exe
Token: SeImpersonatePrivilege	1472	msiexec.exe
Token: SeCreateGlobalPrivilege	1472	msiexec.exe
Token: SeCreateTokenPrivilege	1472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1472	msiexec.exe
Token: SeLockMemoryPrivilege	1472	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exespacedeskServiceTray.exespacedeskConsole.exe

pid process

1472 msiexec.exe
4704 spacedeskServiceTray.exe
4704 spacedeskServiceTray.exe
1472 msiexec.exe
4704 spacedeskServiceTray.exe
2320 spacedeskConsole.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

spacedeskServiceTray.exe

pid process

4704 spacedeskServiceTray.exe
4704 spacedeskServiceTray.exe
4704 spacedeskServiceTray.exe

pid	process
1472	msiexec.exe
4704	spacedeskServiceTray.exe
4704	spacedeskServiceTray.exe
1472	msiexec.exe
4704	spacedeskServiceTray.exe
2320	spacedeskConsole.exe

pid	process
4704	spacedeskServiceTray.exe
4704	spacedeskServiceTray.exe
4704	spacedeskServiceTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesvchost.exespacedeskService.exespacedeskConsole.exe

description	pid	process	target process
PID 3404 wrote to memory of 216	3404	msiexec.exe	MsiExec.exe
PID 3404 wrote to memory of 216	3404	msiexec.exe	MsiExec.exe
PID 3404 wrote to memory of 216	3404	msiexec.exe	MsiExec.exe
PID 3404 wrote to memory of 5016	3404	msiexec.exe	srtasks.exe
PID 3404 wrote to memory of 5016	3404	msiexec.exe	srtasks.exe
PID 3404 wrote to memory of 3676	3404	msiexec.exe	MSI67C0.tmp
PID 3404 wrote to memory of 3676	3404	msiexec.exe	MSI67C0.tmp
PID 3404 wrote to memory of 1120	3404	msiexec.exe	MSI68DA.tmp
PID 3404 wrote to memory of 1120	3404	msiexec.exe	MSI68DA.tmp
PID 3404 wrote to memory of 5060	3404	msiexec.exe	MSI690A.tmp
PID 3404 wrote to memory of 5060	3404	msiexec.exe	MSI690A.tmp
PID 4748 wrote to memory of 4168	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 4168	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 2756	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 2756	4748	svchost.exe	DrvInst.exe
PID 3404 wrote to memory of 3200	3404	msiexec.exe	MSI6B2E.tmp
PID 3404 wrote to memory of 3200	3404	msiexec.exe	MSI6B2E.tmp
PID 4748 wrote to memory of 4764	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 4764	4748	svchost.exe	DrvInst.exe
PID 3404 wrote to memory of 5096	3404	msiexec.exe	MSI6BEA.tmp
PID 3404 wrote to memory of 5096	3404	msiexec.exe	MSI6BEA.tmp
PID 4748 wrote to memory of 4488	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 4488	4748	svchost.exe	DrvInst.exe
PID 3404 wrote to memory of 4664	3404	msiexec.exe	MSI6CF5.tmp
PID 3404 wrote to memory of 4664	3404	msiexec.exe	MSI6CF5.tmp
PID 4748 wrote to memory of 972	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 972	4748	svchost.exe	DrvInst.exe
PID 3404 wrote to memory of 4296	3404	msiexec.exe	MSI6DE0.tmp
PID 3404 wrote to memory of 4296	3404	msiexec.exe	MSI6DE0.tmp
PID 4748 wrote to memory of 992	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 992	4748	svchost.exe	DrvInst.exe
PID 3404 wrote to memory of 1104	3404	msiexec.exe	backgroundTaskHost.exe
PID 3404 wrote to memory of 1104	3404	msiexec.exe	backgroundTaskHost.exe
PID 4748 wrote to memory of 1444	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 1444	4748	svchost.exe	DrvInst.exe
PID 3404 wrote to memory of 648	3404	msiexec.exe	MSI6FC6.tmp
PID 3404 wrote to memory of 648	3404	msiexec.exe	MSI6FC6.tmp
PID 4748 wrote to memory of 5040	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 5040	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 3328	4748	svchost.exe	DrvInst.exe
PID 4748 wrote to memory of 3328	4748	svchost.exe	DrvInst.exe
PID 3404 wrote to memory of 1868	3404	msiexec.exe	MSI712F.tmp
PID 3404 wrote to memory of 1868	3404	msiexec.exe	MSI712F.tmp
PID 3380 wrote to memory of 4704	3380	spacedeskService.exe	spacedeskServiceTray.exe
PID 3380 wrote to memory of 4704	3380	spacedeskService.exe	spacedeskServiceTray.exe
PID 3380 wrote to memory of 4704	3380	spacedeskService.exe	spacedeskServiceTray.exe
PID 3404 wrote to memory of 624	3404	msiexec.exe	MSI71BC.tmp
PID 3404 wrote to memory of 624	3404	msiexec.exe	MSI71BC.tmp
PID 3404 wrote to memory of 1456	3404	msiexec.exe	MSI72A9.tmp
PID 3404 wrote to memory of 1456	3404	msiexec.exe	MSI72A9.tmp
PID 2320 wrote to memory of 5012	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 5012	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 1060	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 1060	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 3596	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 3596	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 3384	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 3384	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 2640	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 2640	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 4920	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 4920	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 2572	2320	spacedeskConsole.exe	powershell.exe
PID 2320 wrote to memory of 2572	2320	spacedeskConsole.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\spacedesk_driver_Win_10_64_v2119.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 812453BB40859291D1D412C3B1F0EF30 C
2⤵
- Loads dropped DLL
PID:216

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:5016

C:\Windows\Installer\MSI67C0.tmp
"C:\Windows\Installer\MSI67C0.tmp" -preInstallCheck_W10
2⤵
- Drops file in Windows directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3676

C:\Windows\Installer\MSI68DA.tmp
"C:\Windows\Installer\MSI68DA.tmp" -qWaveCheck
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\Installer\MSI690A.tmp
"C:\Windows\Installer\MSI690A.tmp" -install_android_control,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5060

C:\Windows\Installer\MSI6B2E.tmp
"C:\Windows\Installer\MSI6B2E.tmp" -install_android_usb,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
2⤵
- Drops file in Windows directory
- Executes dropped EXE
PID:3200

C:\Windows\Installer\MSI6BEA.tmp
"C:\Windows\Installer\MSI6BEA.tmp" -install_ktm,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
2⤵
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5096

C:\Windows\Installer\MSI6CF5.tmp
"C:\Windows\Installer\MSI6CF5.tmp" -install_hid,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
2⤵
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4664

C:\Windows\Installer\MSI6DE0.tmp
"C:\Windows\Installer\MSI6DE0.tmp" -install_iddcx,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\,0
2⤵
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296

C:\Windows\Installer\MSI6ECB.tmp
"C:\Windows\Installer\MSI6ECB.tmp" -install_audio,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
2⤵
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1104

C:\Windows\Installer\MSI6FC6.tmp
"C:\Windows\Installer\MSI6FC6.tmp" -install_bus,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
2⤵
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:648

C:\Windows\Installer\MSI712F.tmp
"C:\Windows\Installer\MSI712F.tmp" -install_server,C:\Program Files\datronicsoft\spacedesk\
2⤵
- Executes dropped EXE
PID:1868

C:\Windows\Installer\MSI71BC.tmp
"C:\Windows\Installer\MSI71BC.tmp" -spacedeskProgramFilesDelete,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
2⤵
- Executes dropped EXE
PID:624

C:\Windows\Installer\MSI72A9.tmp
"C:\Windows\Installer\MSI72A9.tmp" -otherFirewallCheck
2⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4224

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4348

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:4420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2568

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:992

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:1328

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.inf" "9" "44282f7e3" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4168

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "11" "ROOT\SPACEDESK_ANDROID_CONTROL\0000" "C:\Windows\INF\oem3.inf" "spacedeskdriverandroidcontrol.inf:c14ce884dabec260:spacedeskDriverAndroidControl_Device:1.0.452.9:root\vid_datronicsoft_pid_spacedesk_driver_usb_android_0001," "44282f7e3" "0000000000000138"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2756

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf" "9" "4c4c2d17b" "0000000000000188" "WinSta0\Default" "0000000000000194" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4764

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskKtmInputmouse.inf" "9" "431da1b7b" "0000000000000184" "WinSta0\Default" "0000000000000138" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4488

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverHid.inf" "9" "4427793e7" "0000000000000170" "WinSta0\Default" "0000000000000194" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:972

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.inf" "9" "442436977" "00000000000001A8" "WinSta0\Default" "00000000000001AC" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:992

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAudio.inf" "9" "447268673" "00000000000001AC" "WinSta0\Default" "0000000000000194" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1444

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverBus.inf" "9" "4522ade83" "00000000000001A0" "WinSta0\Default" "0000000000000138" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5040

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "11" "ROOT\SPACEDESK_VIRTUAL_BUS\0000" "C:\Windows\INF\oem9.inf" "spacedeskdriverbus.inf:c14ce884b35b134e:spacedeskDriverBus_Device:1.0.452.41:root\vid_datronicsoft_pid_spacedesk_virtual_bus_0001," "4522ade83" "00000000000001A0"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3328

C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe
"C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380

C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe
This is spacedesk Service calling.
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4704

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:1104

C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe
"C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" /c Get-NetConnectionProfile > "C:\Users\Public\netconnectionprofile.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" /c Get-AppXPackage -Name AppleInc.AppleDevices > "C:\Users\Public\spAppxpackageinstalled.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" /c Get-AppXPackage -Name AppleInc.AppleDevices > "C:\Users\Public\spAppxpackageinstalled.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" /c Get-AppXPackage -Name AppleInc.iTunes > "C:\Users\Public\spAppxpackageinstalled.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" /c Get-AppXPackage -Name AppleInc.AppleDevices > "C:\Users\Public\spAppxpackageinstalled.txt"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5864e0.rbs

Filesize
540KB

MD5
a061368e6012c2a15e8074fbc523db43

SHA1
470806956e9d2d888255aba09e394e351fd37b92

SHA256
359a07b2918bcc460bde2b8c3812420db363522ceaa8450ba16993e31e68322e

SHA512
00fdf5a9b5886c2a024792499b34ecf2e96e70474b0fe1b66ae7ae9d59ce6d867920631faabee970cf12ea77054292fba06dfbe07cdcd94bf6d9e8790833a7de

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDisplayUmode1_0.dll

Filesize
136KB

MD5
61ca37c0f525639d335c072395db5583

SHA1
22c2144fac657311d596edf01633c4dcd44eb7f1

SHA256
cd06c9a3499a6a0c39d247ca2f762016c07f4f424a53917dec06819a0d489803

SHA512
85d1314a02e987977f8e377f44d33a32161a0bef81d5875e60f9bbf621c01c72bb736036a5b59c7d3b8040c8bc867986f029cd3514a6407fc44700ee81e9760e

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDisplayUmode1_2.dll

Filesize
136KB

MD5
e7162bda03b7d309f5e45699cf126446

SHA1
802dc50367b678c858d7f6a8cb859f80947098e7

SHA256
250888b00cd42b3f16bd1f9296e591d4435a5973319878afae4515a98222a7cb

SHA512
d5f7c4c0a23e8946a664c9db049e8aa1effdda496cf3533fdf5671c77649fca17f30f8478697caa852c6a2fec5d423cd75c9206953c885416b5204c4980c4360

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAndroidControl.sys

Filesize
51KB

MD5
3c4582ccc12d41c6ddcb8bebc3ffb62e

SHA1
799a3809b91768d081b994ae1e98fa548275de71

SHA256
d7c80666182b9e9418f24dac56f05dfe53bd28d37f7764572e2bc325d96054fa

SHA512
abd3265fc3e5c16167befe800d755678e2d4ac3008ae03c51f1c251a23e250be9bd72e05f1d10727edcd0334eed6c3f4ba76852a37a9d47fb93c9a97854dbb9d

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAndroidUsb.sys

Filesize
43KB

MD5
abcf6e9cb55dec1ae68854a91a4199a6

SHA1
0d9471bcc595277ab5a27b2bf91cca0bef8e4336

SHA256
97c816a005b7a066176fab07ae5dd324a7dcca93839eaa6ffe22c3a27e230df3

SHA512
d6c506c77eb1f9c36f93991af91321dda6f76195ab09cc6db916f73f3c6eb1cc14dca98104a54651c03cbe08f72e5a00ec28f75825b388ce3acd5a72e2c9a839

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverAudio.sys

Filesize
135KB

MD5
330c31805c9e2f8b594f79b7d8c63cd7

SHA1
af865cda469126d0f7208f92d8e5dd30331810d1

SHA256
ff09c098f44679fc668a10a837ca9de8f57d986c26bdec73513c7df58b06b800

SHA512
e23d5a1f1fbf75e5565dcf91555a025fb416bcee739b1c83d56c3f015668971b6422673ece28f2f4086b66d3bf1dbe3c00629cd2514c44459793581d03c1bbe2

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverBus.sys

Filesize
110KB

MD5
9984f3f49ffe048fbd471ef0f43df93d

SHA1
c4c1131b29a26e2488356fc5153ed6750cc81cca

SHA256
038e0d0a33a3198b3ccb08286d5ff40501a3ff7fd5df1c2778cbb5a56ff82bc7

SHA512
0d63d09e696788ad5f39ec22ed2e0871d3117389cb23548cc49bc2b75136c847cc35cc78ba67b6e53ca95a1acae52b6f38647f23770acd9190babec9805ebcdf

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskDriverHid.dll

Filesize
97KB

MD5
5095a2b55a1b7831a558ab8990e9801b

SHA1
bd157677e737b7238dee44d6405c4d6c36a5862d

SHA256
80e4565cca358710288c7bbc6a3287cbc03e61cf682eeadeb30d72e24b417224

SHA512
c5a6f1a81722297ca745cdd9bd74d86daf8d75f6bc5156f24d6647eeece0cdb0c00c0c77cfc75bb4d553a449e36ca1da77dbebf2d3ffc6b457d42ac00cda019a

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\amd64\spacedeskKtmInput.sys

Filesize
41KB

MD5
fad80e5e02e03e48609c852a489f6cd3

SHA1
b711d9025e0b6f6567d1407d65d7f67daca292a5

SHA256
398582f8456f404653129df83d04b40f85c6b61cf213c86b75766cf77d323386

SHA512
fcc2bac894faae66c28168775bb97d75a708443bb4000c64e74ca21a3c357215f6a7bd626bbdbc090e6a55eec707de2faa7e7631129d3d4ed196fc6804033c06

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDisplay.cat

Filesize
13KB

MD5
0ec09de9e91d4756f1a77a978a2722a7

SHA1
7ceb26ff0728b0c06ce3736af7d3e5896185ef0b

SHA256
b97ec9c0cdb7374929cdafd4d40f441fa6423fce9d7a2d70c2cbc2ad8e00ba2b

SHA512
b81e20ae2c6bcdef995b9442c3f9dd5e5f8d000eaabba984adbf5aaf755d7922e5e54a5137409445c96f0dba69773c5305533b9c979931712f5cd2bb93bec03e

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverAndroidControl.cat

Filesize
12KB

MD5
71832827d1b1780b3151c6c1a75dace0

SHA1
dca0d64d9cc14d31c52d4cbf45653796ed935373

SHA256
6d638c3d97337d40f9d7863913e1bd588064a697475ddb43949d4924d4364835

SHA512
cf99c7314dc16abb13d7cbb948654be6b70a0e9baeebece5bb887362f0f2ddfef3e165e578b11606ea9ecb63b1f24760787f464b96d38212cac8192809f203ba

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverBus.cat

Filesize
12KB

MD5
03fc09e2bd5756a97b2a66b1d4842d71

SHA1
be51e8e53cb635055139f47dd9f538906e5509c7

SHA256
f6819b0d3807d3cb2aead1e4e929c84a6262566d33a9e1280be75da6c6018dfb

SHA512
8a46c84504b07784355df275f332fd1aea2e561e3468ac572b862d6e9b85dbd747e6cad01686b9d8d1fee31cdc8df42c6d9e3178a0e973a15f9c398ae87b4503

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskDriverHid.cat

Filesize
12KB

MD5
b6264f45c48cf007079dab66a0817025

SHA1
033f03ff29eebe1ca7fca1112fa5c1bf1358e00d

SHA256
c90188d91977544ea6bb213d6b7b648a313a8b751b41799b6b9ef89d661b9567

SHA512
f35e78482c98f6400063ab09621fe856634caa46513dfec84924f7415c2b132faac097b9ec433ed390e72c86c897048d3deb0af4d9e814b7405363b1baa58c97

Download Submit
C:\PROGRA~1\DATRON~1\SPACED~1\SPACED~1\spacedeskKtmInputmouse.cat

Filesize
12KB

MD5
42a4ed6e6b94e1b74e9c5538ea3af0b4

SHA1
b394e9f6c9cde7985a86c87ab2823641f32c8eea

SHA256
6d363492a43aa06bf2e5ee919c3a1d4cdd4de1ae6eca0c6d94cedd0490d1e530

SHA512
5d9620a8f7c6b7033ead1e99ef74976c6fec066d56e5ba51abfbb616b93c970e73961aae8511656779a36d6c799363f1cf57eec889bb06223077a304a9f8848a

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.inf

Filesize
3KB

MD5
b53adfc1d7f2a50f2964aefb0319ec28

SHA1
e3d1e97cc0c1e3654ead6a79b0cbb45daf415c00

SHA256
97238c12c44025580e4393f0b4e9f0d7e08d85f4b4496fd905e3cd99501b9a0b

SHA512
87f7886d85eba57c8546669bc1d3e72563e7cbb3bd65948d2274866dc3a451512dcd8c389e9117286e2e1bf5141d2a8ea67677d6872d5485e507611d7b8d03eb

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidUsb.inf

Filesize
4KB

MD5
6b3ab204d23fb8584728074c0d097511

SHA1
6e007ee626269538cc4c5283642568b82c9aca55

SHA256
fa7c3d6b72d8adf875c2446c6ff17a26ef785893a0279e87f675ea0d51a13aa0

SHA512
f1fd1bc5364b2e4c703c5597d04f710cb544ab99da99ee274005a62b278dd97c33b366151c1cac4107048ed76acb24775bbf6a73852716eba3040ddc11886ff7

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAudio.inf

Filesize
20KB

MD5
23e653a98b3ebfb5a474a30c0fb7f770

SHA1
8e9f5b638451379a5706df066e11657c484ae160

SHA256
6f1ea7acb6c668695d64cfe3d4323eaa6e997702b9ccb588e32d8e8156c5ed4b

SHA512
16d8acc399c92e94066b2e14a64e468363fb3e47e13b9cbe9da033ba085cf7054b8db57457ba1e1b437f0c5239a12e21a23070fce6bab9035d1f25f546f3c9b6

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverBus.inf

Filesize
2KB

MD5
f40de711392f30ef75cf59853df22117

SHA1
62056d618793785e7256c6918a26484c78700f74

SHA256
2ae04f4fb34c5adf65f80c53a0450c953526c941197ae222d8afa7170fdb109d

SHA512
634f5650904fd6576cd3aa986bc0935031b6bf2fc3acf29feed5109cbd7e3473adfb0abdde5b7adc3365e679aa89700edd674356cdb8621c909dc7d0b91c362e

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverHid.inf

Filesize
6KB

MD5
7ededd3c7eab082b9ddc718b7db642e6

SHA1
53be30a1f2892ef54bbee533aad022cdb3b32d55

SHA256
a99a951bd2ef1362f5d2700fb5c2f326ed3def7a31824718d46bb802b83a07c0

SHA512
ff50e4a65bfd26e482367b620c13150c9bb0d95661627e0cd8494980d0ed0bee26586feffd5c7871527999d3c1356ad85119ddc66bcb0503890576264146adcf

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskKtmInputmouse.inf

Filesize
2KB

MD5
c8e701ea27a2a1d0abc8bfa99509c5c4

SHA1
b3bd4debbd0ae0499a9da6867c83014f7328753d

SHA256
bfd53b3c4e0bbbda52a631f882eafb946d62c50ae6f8df0f446984b64eb5b474

SHA512
7dcc00c31c952d84858c34354214f738f58e1d20698a2f33ba5692b6ceda41e0dec78923739427392cbe14c7114dc73a0d89429727661b86fab21a260a335bef

Download Submit
C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskdisplay.inf

Filesize
4KB

MD5
1a26d9000f4f98b8709d0745d11974d0

SHA1
bf17ca852de9a0a2266366919af8f1037a0505c7

SHA256
d23f24c69153f4ee1aec3b1d05f205eee71d39c6af8705432b6b23534b17bc9f

SHA512
3be8687f4917d3b24b3d99fea1c0c1c3c6a5f9dbc97719cf1a22940d7b1811f4397814fda6a7fac3a89b4b2fcbcffe5d71eb4c0c9a32a00444c58ab86899773f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
a8cc22618e868e1ee10efdfa626e7721

SHA1
3ed13535d1494e2d7749769d341332dffaec6370

SHA256
246744cdc79a5585f68d95d6a98473ee12383c85471f6e4f7e0fcfcd655868f5

SHA512
18a3036d061558b11fee0d914904521d06970c3a9dd7fe65826b45f7037d463e538e40142647c9cd97c7a6c3346dc9745b80c35b48ab5c30df4fc73752ab5b94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_15A751EAC52E3BDD7E5151D6C1F63C61

Filesize
727B

MD5
49cbe12f01476bfe81fb8e1f4b238e2f

SHA1
86233c2e6153e9c879747e5913e8f7088db0c6b0

SHA256
965dc1292707495f2b7a6b3b0cb0af80bbb5ded4efd41c38269b8d4efae71eb5

SHA512
945c774420a8538be6c70d27c6878bf70d73482bd4b2fb1358e64aa24af040abb7c28ef1bed0e1d42b62120a734731183a5ca5fe859c322627d7c915795f0562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
a90ff749a13166b81da25cdcbc82c54d

SHA1
a09692688b0a86d9e06b6a3697d2a1793f367961

SHA256
4b1553fdbeca127a257bed3bd232cad24df64166cd39a54159893d5c350ac742

SHA512
54dfe43bb1c88eac7d29e641171a27f72270bea50d3d989217f3a739943f4a3d751689dab68319ed7e800986cac1c5053305252a5f92fe14f1566f425f7994b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
8a6b87796aaa717a62f6c27ec20f7b88

SHA1
9dcf62bc9aa5ec36b7f54fecb0f6c68e0933b51b

SHA256
5df6d7518e24d104d10aabc3757fa2a6d258ef2c1dc8ba9deea03eb76c041770

SHA512
fe9f7f804848a923bfac8e2ce5c3a7e7d90e3bab1127b71beea26dd809c8c0a619c68782b2e13661c19ad62545dfde19eabcb55149292aef629cb7ba858ca2e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_15A751EAC52E3BDD7E5151D6C1F63C61

Filesize
408B

MD5
43af7ded2c33a89a0d5e8a9935b3f05a

SHA1
471ee28458e8dc5804478da0b2bb16084c9d5fd3

SHA256
02a77da45112b94b9dc151c33cd88b0f11389558401543f7294c9c3e363fb3a3

SHA512
4830e6f465e4bdcf7d6cdc2b9c6a12f7faf80331329dd3b015d098af485f4eb3f10ecb99d4b25f6af3100ad051d67449a3926bb6678b739b176ab5e5174799c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
27d584a5f12c030dec46ce48419eab4a

SHA1
a4257a0eb1ba4ef0e87d5acb8df1df0b7dcc3f8c

SHA256
e9308d5e3e34edf13b1292e3050093828650cbe582e9a998593846fbdc7f63f7

SHA512
1a764f25ed07fe42f52549d1e3ab8b5a1e481bd55b1512d1efd9b0f55c7741f56a3212d527088fdd3be134ba5942daca023d858272e9fc13cb883802c334217a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3EE.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bob3kzom.3kf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
1KB

MD5
dc1c544eafc2eb2a793fd7fc8779cf2b

SHA1
524ec0a8289e404e1aa38f92891e43ab5027ca19

SHA256
ad89ca5c097e33a6cade089f86e90338f1a8ed6097673617c4d06a074cf4242b

SHA512
c734ddb0febdd6b36e2cd9b371b8b63ed88d6bb992a1bdca2e407d2b8bc961923d9bbf6303cf66c0ce16e60dbd2a508cd30f47a2271a6c7f344eae9f919041ba

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
2KB

MD5
f8f94081fa74e96c6562fb8a256d3351

SHA1
13755c53f34d743b89e08c83290a7428bdf2b61d

SHA256
96581384e86b6753c9f2aacf0ab62266a277cfcbdf792b90b06d82f6baf4da18

SHA512
334b3d439d508442681cd81d15290304c7173781aab63e39225e01b1b7d797df69bbb536df8241b6e35e1c0e41efe927b76ebd6623f7007b1c93c941ebb22174

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
4KB

MD5
848c6ec2d70f4a4c9f1b2ab9201b6196

SHA1
3d9e28b6affbbd870b77888dfd82a1e95b9aed43

SHA256
898e7f841900c6a2bf469375f29bf57cd38085f64db011fe77e4fab2c268c6a6

SHA512
82cf03090643cae40b6e1af0131403a8c03e08ab750f673ef93ffd5a9dc87a57a76dc349bf81f6d297975f9dbba9a7b8009460185504dd3bb61cae27197e5358

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
10KB

MD5
69f3c1bf004d28a08f3ed63f2567ff20

SHA1
ba26b1600438504b557ef1d1d765f8014852ff0e

SHA256
aa2d987fee7da487b2b7bc3bf271f9429a798eeb018d2867f57f49b7a30c27ad

SHA512
dc9bfcc25b76dd77895b1c0f8a3f8cdbc05941d4f1847d0f5fc030d25975122c9607058ba75bd190d49c048f8f0741cf8fe25390ab5d0e0f3210af32d00b39ad

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
10KB

MD5
db5639beb12e666cefb154dd12c0ceb6

SHA1
e725db87fd8c05374191062e5bcf760602abda59

SHA256
8e4e18352e82b0ee18a1a6ce6290aaf034c80d0537845fb325a0096f74c980d8

SHA512
54a39b780a18a9f2aa6a98dc5f105616d27901c3db949d70f20249cd5269cbebd5c6253363cf4fb8df3eeb2cf1bd2c8cb8124db70347d0f20a68075bd801eca9

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
11KB

MD5
d8b29628c75584c0a8063cf3be9215ad

SHA1
7562bed5f9d1cd8c5a2abd89875d237a44e82706

SHA256
218bde483502504af6db77b264262aaf999aa244141547f75355cd07190f4f78

SHA512
85f8163e02863edbc7bbb199a5ed40b02472bb021fd4571a6fec73fe6ef8fb7c69136dd82cf9c92d977bc46930fabbd08ffdd5390eff65662594ee0cb63bae85

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
11KB

MD5
00b3aa6230cc887f7fe345c81354f03c

SHA1
e83d3d1fc9c9b78e4c1eae7b02219405399ae289

SHA256
23d2469ccfe1e827c6f0b5dbe779cfa27ea0e87059cc0e2bf18b56b9e8b5857f

SHA512
06594c493ef3fdc76f1f10e0ab42d8ab29e0d3ad4c5af5b095e7641a4a78307ffa18400db9a1631870c1da80cdf28aebb28a17af64bc1b28b8596d7ee31b6609

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
12KB

MD5
d5fb843103a6e707064fcc9ecac7b224

SHA1
7b46e47b8a54e2397f1ce46087eadf8648ce50c2

SHA256
f167dfb3d6effbdb25e6439fc4871aa9afe71b6f56c9b5a773ce253c441534cf

SHA512
125d26a81036ae51ffed0c17e999d41bd9f4683eedb8b2b4531904eae368a0468a0d8b2751e2a60bb1d738713e05fd12d4ef67dbe1655ab6a94fe28b6a247ac6

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
12KB

MD5
342cfab0ee97a46de9a1838dbe871254

SHA1
3c79287707d5739ffc8fa60bb677b241f722e657

SHA256
bfff01c2785ed12dc9e722334fe523fb54549fd6ae3d560e9166f1917e3fe6cc

SHA512
537811d241646f94a51914320e90184fbfa99f867769f62df920a2a76130332474dd84e42d6dc160ac81ae768d8e3c125150a85735dd2f4aadac374b6b747d96

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
13KB

MD5
d39825c99d9ebea2376b762768be213c

SHA1
2ec5155e4c0050764a3eb2ed465fe0900cad7851

SHA256
5ee44a129ab118f9c4e34700ad3819d9ea69019f417db33c598dc4260aa8e7a9

SHA512
21944fc4a4ab60d1a373633a2e01d77f5baf6229adde57f2c2e9be9c3f090c4cb2b2d033eccae42b6ed86d5da7d081fd6d3f64fccf96d00bc6439d13083d7f99

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
13KB

MD5
68d31b9e91830558400d1eebe0896067

SHA1
83824c62a2838ae53bf15947cd8dbd965197f4f5

SHA256
16aed69bfdc05cf017d3911f194d1508bd0f100bb3a32fa6b1ebf573c4b2df48

SHA512
a885f84dfa2ff50d7cdb396da60c4ff64d32b4a0af8cbe29ef7ae3e8ef2a503d9cf779e475982d733e3f782bb0df152bcd0adace4e0d96f4da6994bb03ab9fe0

Download Submit
C:\Users\Public\spacedeskSetup.log

Filesize
251B

MD5
72f11fc3589538e8465de8d802889443

SHA1
4979b37fb85258b540a73d73603c270eaa1a1b55

SHA256
ace8c6f273416332ea8e9b2d270be5fa1a4fac251cb783a22a87f07ee845ebe5

SHA512
5003a3552f902e684c0f740d7e37f0b12e2a1c3a68362e959fd537d13f3ce9bc324ae5e160fd22eb16be0a05850c954d85652ddb0749f781e6d244a255de91c6

Download Submit
C:\Users\Public\spacedesklist.xml

Filesize
636B

MD5
09dc1faa2be8ccf3ad7e2d24259b00b7

SHA1
24cbd5d2ff77ffc50f22729118d5922ec98699ad

SHA256
b57f5a4dcda2eebe0a80effeb7c0af7546875ba0cfae7d42fa52e7079b218964

SHA512
21111dfbb31535a1c35f947e64d9c540efddec3a15721025442349bf1d694d0955645c9992ced27c4236bf87e1a66e9f44b68326d78b2c579f8ceb436a075378

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
C:\Windows\INF\oem0.PNF

Filesize
5KB

MD5
4cf0b7bb845102f02139fc7e8098cdb0

SHA1
414e41bbeb20464e3582c60151685f3eba45328f

SHA256
acfb386d95ac84fae7fae68919461b796bd3caa203a2589bd285055d75980bce

SHA512
b5ae16b21d65e8f37cf0ac1a907253a63237c2e639fe9ba6e43592ca7b7379fee29ff11f2c6e7b37fb5ad374039c2abf0c6eb9206719ba26ba11df1b32b7c2ba

Download Submit
C:\Windows\INF\oem1.PNF

Filesize
5KB

MD5
9f177fb4eaaf73dacd3f44ddf74f38d0

SHA1
a82555e6b154adc7a7fa5740da515126bc18a2b9

SHA256
3cd3d388d37beb32b0e493f1d3f767618f790276212e9ace703687f42343ab37

SHA512
864bd8defd5ee7cc16047c8de14a56c71fc55ab3cb91f6e1cbbf40f1f0ec58c898603e9f1eb7ea4fca37a0a46d2dd2e882897b5eceab72c7d8fb5e4f96e1010d

Download Submit
C:\Windows\INF\oem2.PNF

Filesize
6KB

MD5
25ef36a2732c882257ea13d43e854a21

SHA1
92c7c8765925be8e24aa35b68a968b949afddcb7

SHA256
9fe6fcd38d0daa0e88bed233bb5473f216cbac1d4ee29430409c7ecdafae9bc3

SHA512
195ea07e709a22fad11d929a97e4bb7e135b2a816a3b2ecfba323e218b6827ede1ae3ba183c594edcfdf22354573be5377abbe7f673ccea8a55f839974973a4d

Download Submit
C:\Windows\INF\oem3.PNF

Filesize
9KB

MD5
4cadde9bd6e4a14db52cd553bb603c33

SHA1
27f2d84abf4d932625a2bed51f847ff7adc84a7d

SHA256
7056afdb1db458452ee325185829307e6e74bf77873ac48e20af37241ec22c7e

SHA512
e8c1dc485170586eafd953988ccf4eb2d6d38950d3d645718694affe5945bb03c65886090bb4de1e640b823ccf24c3c8b9d85b2c5d6b220ee872a5ddb2be23b5

Download Submit
C:\Windows\Installer\MSI67C0.tmp

Filesize
524KB

MD5
219bca8a3a3a069e2b6db9609d5809f2

SHA1
6df4956793ab894993ab7313ce5331da1fb11e12

SHA256
28fcb04db01900bf5b8ac39e375f4610fa5cc45669fbe0f24451adbab4d34c1a

SHA512
d560269b4a49904df25c984f415a8038c490fd2241a76c42091676471b7debf5cd9d813cb9fffb93bf3ed112bbd3a1f45dac34219d9f07550ad50ab65dd7f891

Download Submit
C:\Windows\Installer\e5864df.msi

Filesize
4.7MB

MD5
8538809ffaf669825da157d0ef65e99c

SHA1
3d8b64fd82e046caaa517b783bdf6bf8e088aca6

SHA256
bfd94abece2bea6fa71962eceaeef10c6d270aaa104764dd2f242991ddc2a78c

SHA512
d736b3299b03eeae61659e2d85f3f2d197a629ac86eff7bca054b90deee852805e11372a9fa5e983ed7fd118736729e43f217ee61844ddd576aba6c828211a35

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
93KB

MD5
203aefd6bc3e706c9f62bb278ee5501e

SHA1
c1b80f426599e2e6d92ae52f2cd716796fead5d7

SHA256
729a7b6f12d82a66441312708d5fc756de837b435f13780a75355475227b5b5a

SHA512
27436184ed89df3d917dfb4f1c19b7df677d30f0b7db0f26b446926b7563f92551f60a8a357d88e16ad9ebb91718f4d3f9133598c5b3017272d5fd61e858e42f

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
93KB

MD5
c938aafa4c6d55bd3cefdda5b4579b8a

SHA1
07d08dbc8b8efb9ca04622077522b5646aec23a9

SHA256
966176467b929d2f57025c212e05a3e30a037399d9ff768150efe61b29a7980c

SHA512
b17d7a4dba21a70eefc337d8ba8b9eee358ea69caf88014951396dbc8fed273b23f9662fc29ea40eaf1ad0eed979386bb928774786354c249b22b9912daa173a

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
93KB

MD5
b5966dd4e680a64029a9a4e8ef729ceb

SHA1
f6f2e15f626ea49fb927de46e4bc8b5693a81b92

SHA256
706c4329222c92ef9bedd6f717172b154a31c642a647318251c30d3be6fe40ee

SHA512
d69c060bb8a1f960e18ad90eb103185a0352fd319b94b1742ed33e20e113093b16deba3c31d9c66f32a82c44882a0302fdbbea39f0f428b1b83172b3f719f484

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
93KB

MD5
bfb64a79e6f96c5960d9df65402903b8

SHA1
8cb5757e027e79fa88e6675f46aa6ca31a95e6b0

SHA256
ea6e5bffb3bffc3d058fa59773bd4c39499052154166cd692e6eeaf6be6c33bf

SHA512
f669ec8a187d2ed2f34ce47753edf30b5a671e87335499abf4477541d47cadff7433db527c8e64bc6e70fe75e77ee96528a0f2ee6d4eb6a359d1f4b7d5986235

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
93KB

MD5
011618aab65c788718d3f811420b702f

SHA1
bcb34a7386413985e5c9c975e390bb336e4e4647

SHA256
9602b81e2effa420baf2aed1904d3209d01aab182bf2e576767cd537bcd52c04

SHA512
844846731135e7a9e5adf2f1eedd73222a719f69108c795246b3d28e072f4ed4347d35bd9a4a0da8021688a7938f96989a143c297a1df66565afb297f8cd654a

Download Submit
C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_c78e51cb686ef158\spacedeskdriverandroidcontrol.PNF

Filesize
9KB

MD5
f09b55cb5407a85633d053bd7ee283d4

SHA1
066c8c4fe8ab43269e80ca6ad644ab68a19705ab

SHA256
f35acf513ed29daf4df213e10acfa66b2d889576d9ea268eab4235a1a6bcc105

SHA512
975ae4e8ab18bff8db6381dce114f574810a2fe3a86ddf598e2414a80a213c856db670cd309a38714128660a598bd6be1de9a83bdf2fbb8cc9b0e19dfd6b3db1

Download Submit
C:\Windows\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_35dce141b5899f0e\spacedeskdriverbus.PNF

Filesize
8KB

MD5
824a26059d1fbbe1149e04ee43df2c1e

SHA1
0d43b0cd0be59b9a6bb71d7cde0dbc94b22206e3

SHA256
32dba9b4dccaafea14705ab4e253862b2c33b3cd0f68c13d3b85a7cadb6a2232

SHA512
763c680f730a1d8de0100b1ba7cbbc81a558db35c34e8c5efe2937d89bbff17e04e42662da5c8ac1f024792c62394f9e9865dc9f8f1a317a5aafb112e631f15c

Download Submit
C:\Windows\System32\DriverStore\Temp\{b7c04382-8133-344c-9c9b-cb1bdf5cd0b4}\spacedeskdriveraudio.cat

Filesize
15KB

MD5
710ee13c1f6ba72e25414ee4bff1e993

SHA1
50993cf17f397fe7f8b06df7af50b750781b76da

SHA256
34ffd8509dc23002d2d1dd9c1fef27ae8cd14bac5a99db73d427314c46c5ae8c

SHA512
4034b3eb2c2b03ba05f7215eba863c87a87f79389d55a3ac481b87256c21af2938d08d4549d089264e06e44e5d56eea21e1167331db32f4c602823487bd0c721

Download Submit
C:\Windows\System32\DriverStore\Temp\{e3d795c1-ac29-644b-a647-b2eddc3f7d51}\spacedeskDriverAndroidUsb.cat

Filesize
12KB

MD5
b8aeea537343fbe8a2bf6019cf537339

SHA1
6d869527f5660264fe6ad77e50b9739f93585546

SHA256
002a10228b378af9df703bebff0d27633d3e0b6e9954a88a3779f14743bffe4a

SHA512
963bc4aefe9bf784336652bd78b66848e7510048adebe81730dd685a9af7e3aabb0f3856a07e4a75616b76e29be981759cf884981d296c3f873e1192c28b0ea2

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
93KB

MD5
b13e23ab56915ca4c779b80e03371a92

SHA1
25479f8794f72a7b33185aa9bc880fd2dfb3d0b9

SHA256
90ac60c39518e866062d93c3645883e08d642ad7e08a45a9f6e6e3dc875fdcea

SHA512
c3e5a05f65601c05df155383445d7d0e118f7791fe49731af49e84bb8ea3954b72a67342e809abf90520fe4a63abf2e323ce7dd252f8f807637fa977d83b05bb

Download Submit
memory/2320-789-0x000001AE4E150000-0x000001AE4E1C8000-memory.dmp

Filesize
480KB

Download
memory/2320-790-0x000001AE4E590000-0x000001AE4E598000-memory.dmp

Filesize
32KB

Download
memory/2320-791-0x000001AE69FC0000-0x000001AE69FF8000-memory.dmp

Filesize
224KB

Download
memory/5012-796-0x0000019258F10000-0x0000019258F32000-memory.dmp

Filesize
136KB

Download
memory/5012-804-0x0000019259220000-0x0000019259296000-memory.dmp

Filesize
472KB

Download
memory/5012-894-0x00000192591E0000-0x00000192591F4000-memory.dmp

Filesize
80KB

Download
memory/5012-897-0x0000019258F70000-0x0000019258F7A000-memory.dmp

Filesize
40KB

Download