71e462aaca0f2d8c8a685756b070d017c796de6ac22021a79d922f2f182d4fb0

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dxkqdn.msi
Size

1.1MB
MD5

9794bd903f9baf249251c3beb693fbc9
SHA1

7484ff4f837cad55c85cac20c3597eb683852068
SHA256

71e462aaca0f2d8c8a685756b070d017c796de6ac22021a79d922f2f182d4fb0
SHA512

f0bcd8ad6dd273d19088244c97ca7d1eb25aabebd5be1eafaf35ba0238484d57c7820882a7456862f4d15f773be82e477877a3e2bc0096a9c66df3e6db6608f3
SSDEEP

24576:3XZFaDUZ09brk4FtSVUfTH59GPUvETHFarClEziowgF2JNtfSJJAUQKo:3XKDUC9brNYVULH79vqlExFmNtMXS

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SetPoint Update = "\"C:\\Users\\Admin\\VirtualFile\\LDeviceDetectionHelper.exe\" 495"	LDeviceDetectionHelper.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76b1a3.msi	msiexec.exe
File created	C:\Windows\Installer\f76b1a4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b1a3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB27D.tmp	msiexec.exe
File created	C:\Windows\Installer\f76b1a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b1a4.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	LDeviceDetectionHelper.exe
2796	LDeviceDetectionHelper.exe

Loads dropped DLL 3 IoCs

pid	Process
1828	LDeviceDetectionHelper.exe
1828	LDeviceDetectionHelper.exe
2796	LDeviceDetectionHelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1956	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDeviceDetectionHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDeviceDetectionHelper.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector	LDeviceDetectionHelper.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 36003800330037003700440032003700460045003600340032004300430045000000	LDeviceDetectionHelper.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	LDeviceDetectionHelper.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\ms-pu	LDeviceDetectionHelper.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	msiexec.exe
1708	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeCreateTokenPrivilege	1956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1956	msiexec.exe
Token: SeLockMemoryPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeMachineAccountPrivilege	1956	msiexec.exe
Token: SeTcbPrivilege	1956	msiexec.exe
Token: SeSecurityPrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeLoadDriverPrivilege	1956	msiexec.exe
Token: SeSystemProfilePrivilege	1956	msiexec.exe
Token: SeSystemtimePrivilege	1956	msiexec.exe
Token: SeProfSingleProcessPrivilege	1956	msiexec.exe
Token: SeIncBasePriorityPrivilege	1956	msiexec.exe
Token: SeCreatePagefilePrivilege	1956	msiexec.exe
Token: SeCreatePermanentPrivilege	1956	msiexec.exe
Token: SeBackupPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeDebugPrivilege	1956	msiexec.exe
Token: SeAuditPrivilege	1956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1956	msiexec.exe
Token: SeChangeNotifyPrivilege	1956	msiexec.exe
Token: SeRemoteShutdownPrivilege	1956	msiexec.exe
Token: SeUndockPrivilege	1956	msiexec.exe
Token: SeSyncAgentPrivilege	1956	msiexec.exe
Token: SeEnableDelegationPrivilege	1956	msiexec.exe
Token: SeManageVolumePrivilege	1956	msiexec.exe
Token: SeImpersonatePrivilege	1956	msiexec.exe
Token: SeCreateGlobalPrivilege	1956	msiexec.exe
Token: SeBackupPrivilege	2116	vssvc.exe
Token: SeRestorePrivilege	2116	vssvc.exe
Token: SeAuditPrivilege	2116	vssvc.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	2688	DrvInst.exe
Token: SeRestorePrivilege	2688	DrvInst.exe
Token: SeRestorePrivilege	2688	DrvInst.exe
Token: SeRestorePrivilege	2688	DrvInst.exe
Token: SeRestorePrivilege	2688	DrvInst.exe
Token: SeRestorePrivilege	2688	DrvInst.exe
Token: SeRestorePrivilege	2688	DrvInst.exe
Token: SeLoadDriverPrivilege	2688	DrvInst.exe
Token: SeLoadDriverPrivilege	2688	DrvInst.exe
Token: SeLoadDriverPrivilege	2688	DrvInst.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1956	msiexec.exe
1956	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2348	AcroRd32.exe
2348	AcroRd32.exe
2348	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1828	1708	msiexec.exe	34
PID 1708 wrote to memory of 1828	1708	msiexec.exe	34
PID 1708 wrote to memory of 1828	1708	msiexec.exe	34
PID 1708 wrote to memory of 1828	1708	msiexec.exe	34
PID 1828 wrote to memory of 2348	1828	LDeviceDetectionHelper.exe	35
PID 1828 wrote to memory of 2348	1828	LDeviceDetectionHelper.exe	35
PID 1828 wrote to memory of 2348	1828	LDeviceDetectionHelper.exe	35
PID 1828 wrote to memory of 2348	1828	LDeviceDetectionHelper.exe	35
PID 1828 wrote to memory of 2796	1828	LDeviceDetectionHelper.exe	36
PID 1828 wrote to memory of 2796	1828	LDeviceDetectionHelper.exe	36
PID 1828 wrote to memory of 2796	1828	LDeviceDetectionHelper.exe	36
PID 1828 wrote to memory of 2796	1828	LDeviceDetectionHelper.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\dxkqdn.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\omYiIL\LDeviceDetectionHelper.exe
  C:\Users\Admin\AppData\Local\omYiIL\LDeviceDetectionHelper.exe
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Meeting request.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Users\Admin\VirtualFile\LDeviceDetectionHelper.exe
    C:\Users\Admin\VirtualFile\LDeviceDetectionHelper.exe 784
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000003C0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b1a5.rbs

Filesize
8KB

MD5
8f25a1bbb07815dc51a8970dd658d35e

SHA1
50fa7d4aceacd0b5c64658a4e5cc5f09985ba711

SHA256
ea84cb7be87c6f9ca05a7a7ce498fe53e51d7acac87af5cba0b2448ea76446d6

SHA512
79a79e40f500c30d26f0d1e08367d66f09f7bfb4d87f746af81ab3ed7e6c7955aa78abd4720d315dac55c2c7e4b6a074f370783060ef1f509ee16b18eb0ad73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Meeting request.pdf

Filesize
17KB

MD5
c145592950d5724fcfc2b5da5890b761

SHA1
90210e04f48ff60ff0df191e22212d4705fdf28a

SHA256
9d844b275725e6241f6e70d17ed68bb7eb90b684832ef5952a91a5040ffe5d94

SHA512
ddd4a05168ec650325a05d181fd10cdf9d96153e50a1fc371354feec73e54a3341cd9082ec34400f65190562732816e0ac1a16f0caa231e02c7700c75a0810b8

Download Submit
C:\Users\Admin\AppData\Local\omYiIL\LDevice.dat

Filesize
673KB

MD5
d55000e2cae6781323ce121622529394

SHA1
f4891f1997b460170673edff6bc69f2f2fe814a0

SHA256
d188e877066f0932440d4cd8e8e2e856d7b92d40b475b7c0f0c996b34a2847a4

SHA512
410c8d00123bdaa405f119466d03f67dda983bb152cea672c80137ab3fd956b2b9685f8c8874ab9f93d50b9c7a2a6fccd7698e608bf3117a9d753a270bf8def7

Download Submit
C:\Users\Admin\AppData\Local\omYiIL\LDeviceDetectionHelper.exe

Filesize
1.7MB

MD5
084fe5e54dbf4d7287b48c5695d02d17

SHA1
58a2693e67491569e9c8f17730159c64ffb5e6dd

SHA256
282fc12e4f36b6e2558f5dd33320385f41e72d3a90d0d3777a31ef1ba40722d6

SHA512
15fdad9fcebb45cce0c45fe82b387cd2f2602884f9b7f85d9805e26e7edd442b8ee814f5cdce12d207a74c3b38d524ec61738d45f72d2523d4fad31dabb1e154

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e05f85018867c099b8f2cdfc0c0fa3ec

SHA1
a89d45d6b8a8fdb2b4d8b7abe2f420192f59d666

SHA256
b0f12229f85f552141bfc928b3782c937be200c57d5320db5b3ed54a1fe61a55

SHA512
2a1d2bc669d1d01b078ce5d70ab100a8f0cf04a6a9290507df4ebd2ec4b7f1afed033cb3c48423f1312d268bd757fecf2c50f2a517d32229fedb90d4edcd4a63

Download Submit
C:\Windows\Installer\f76b1a3.msi

Filesize
1.1MB

MD5
9794bd903f9baf249251c3beb693fbc9

SHA1
7484ff4f837cad55c85cac20c3597eb683852068

SHA256
71e462aaca0f2d8c8a685756b070d017c796de6ac22021a79d922f2f182d4fb0

SHA512
f0bcd8ad6dd273d19088244c97ca7d1eb25aabebd5be1eafaf35ba0238484d57c7820882a7456862f4d15f773be82e477877a3e2bc0096a9c66df3e6db6608f3

Download Submit
\Users\Admin\AppData\Local\omYiIL\hid.dll

Filesize
259KB

MD5
46c7df4387eac84be4e81e40cde0d9ea

SHA1
7dbb43023a78a1c8eb3412e2463454cece664d41

SHA256
c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205

SHA512
16328644688b91d465ca0a5243a93944c7acadcc0f01b58bb7cd5ffb8afbe5c351a6c555e9a71bb9512451a4d178abb9643f49ed901f0f8f464fab1b4c3012f0

Download Submit
memory/1828-49-0x00000000749F0000-0x0000000074A28000-memory.dmp

Filesize
224KB

Download
memory/1828-30-0x0000000003420000-0x00000000070CE000-memory.dmp

Filesize
60.7MB

Download
memory/1828-31-0x0000000003420000-0x00000000070CE000-memory.dmp

Filesize
60.7MB

Download
memory/1828-45-0x0000000003420000-0x00000000070CE000-memory.dmp

Filesize
60.7MB

Download
memory/1828-29-0x0000000003370000-0x0000000003419000-memory.dmp

Filesize
676KB

Download
memory/2796-69-0x0000000003430000-0x00000000070DE000-memory.dmp

Filesize
60.7MB

Download
memory/2796-70-0x0000000003430000-0x00000000070DE000-memory.dmp

Filesize
60.7MB

Download
memory/2796-71-0x0000000003430000-0x00000000070DE000-memory.dmp

Filesize
60.7MB

Download
memory/2796-72-0x0000000073670000-0x00000000736A8000-memory.dmp

Filesize
224KB

Download