Edit tour

Windows Analysis Report
CDM212364_Setup.exe

Overview

General Information

Sample name:	CDM212364_Setup.exe
Analysis ID:	1430184
MD5:	0c97e7b5de1b46fb723bed38f0de28a2
SHA1:	3ab353adb602908eddb884c8b2b587fcc0691bfa
SHA256:	835dd64b199190d20dc37c0cadeb064b7eaaaef271703781b2b259b7085437a4
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

CDM212364_Setup.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\CDM212364_Setup.exe" MD5: 0C97E7B5DE1B46FB723BED38F0DE28A2)

dp-chooser.exe (PID: 7360 cmdline: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe MD5: 461A3CE2E77143EC0E0015D80675911B)

dpinst-amd64.exe (PID: 7372 cmdline: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe /sa MD5: 0E7E8820A977D3B4B81C5188FA841C52)

drvinst.exe (PID: 7496 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\ftdibus.inf" "9" "4aa35cc23" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\users\user\appdata\local\temp\ftdi-driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 7732 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\ftdiport.inf" "9" "47472827f" "0000000000000160" "WinSta0\Default" "000000000000015C" "208" "c:\users\user\appdata\local\temp\ftdi-driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: CDM212364_Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CDM212364_Setup.exe

Static PE information: certificate valid

Source: CDM212364_Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTBUSUI\x64\Release\FTBUSUI.pdb source: ftbusui.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTBUSUI\x64\Release\FTBUSUI.pdb~~ source: ftbusui.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTBUSUI\Release\FTBUSUI.pdb source: ftbusui.dll
Source:	Binary string: d:\wm\minkernel\crts\crtw32\misc\nt\vc110.pdb source: ftd2xx.lib
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\x64\Release\FTDIBUS.pdb source: ftdibus.sys
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\Release\FTSER2K.pdb source: ftser2k.sys
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTLang\x64\Release\FTLang.pdb source: ftlang.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\pp\ftserui2\objfre_wnet_x86\i386\ftserui2.pdb source: ftserui2.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\x64\Release\FTSER2K.pdb source: ftser2k.sys
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\x64\Release\FTD2XX.pdb source: ftd2xx64.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTLang\Release\FTLang.pdb source: ftlang.dll
Source:	Binary string: d:\8180\enduser\databaseaccess\src\mdac\odbc\core\cplib\vc110.pdb source: ftd2xx.lib
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdbH source: ftcserco.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdb source: ftcserco.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\Release\FTD2XX.pdb source: ftd2xx.dll
Source:	Binary string: DpInst.pdbH source: dpinst-amd64.exe
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\Release\FTDIBUS.pdb source: ftdibus.sys
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\pp\ftserui2\objfre_wnet_amd64\amd64\ftserui2.pdbH source: ftserui2.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\coinst\ftcserco\objfre_wnet_x86\i386\ftcserco.pdb source: ftcserco.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\pp\ftserui2\objfre_wnet_amd64\amd64\ftserui2.pdb source: ftserui2.dll
Source:	Binary string: DpInst.pdb source: dpinst-amd64.exe, dpinst-x86.exe
Source:	Binary string: DpInst.pdbp source: dpinst-x86.exe

Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://ocsp.digicert.com0O
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://s.symcd.com0_
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://sw.symcd.com0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: CDM212364_Setup.exe	String found in binary or memory: http://www.disoriented.com(
Source: CDM212364_Setup.exe	String found in binary or memory: http://www.disoriented.com/
Source: CDM212364_Setup.exe	String found in binary or memory: http://www.disoriented.com/openConfirm
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: https://d.symcb.com/cps0%
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: https://d.symcb.com/rpa0
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: https://d.symcb.com/rpa0)
Source: ftbusui.dll, ftcserco.dll, ftdibus.sys, ftlang.dll, ftser2k.sys, ftserui2.dll	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\SETAA8E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\SET95D7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\ftdibus.cat (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdibus.cat	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\SETA095.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\ftdiport.cat (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdiport.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\ftdiport.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\ftdibus.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\SETACF8.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftdibus.sys

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Windows\DPINST.LOG	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_27ad3b85ed46c2a0	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_27ad3b85ed46c2a0\amd64	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ftdibus.inf_amd64_27ad3b85ed46c2a0\i386	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_02e6e8b10f1ee812	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ftdiport.inf_amd64_02e6e8b10f1ee812\amd64	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem5.inf	Jump to behavior

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA024.tmp

Jump to behavior

Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Code function: 0_2_009C3F22	0_2_009C3F22
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Code function: 0_2_009C11FC	0_2_009C11FC
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Code function: 0_2_009C2A18	0_2_009C2A18
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Code function: 0_2_009C1114	0_2_009C1114
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Code function: 1_2_00403ABC	1_2_00403ABC

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: String function: 00404084 appears 38 times

Source: SETAA3D.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: SETACA7.tmp.6.dr	Static PE information: Number of sections : 11 > 10
Source: ftser2k.sys.0.dr	Static PE information: Number of sections : 11 > 10

Source: CDM212364_Setup.exe, 00000000.00000003.1683012927.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTD2XX.LIBJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1676851182.00000000033B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTBUSUI.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1682742092.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTD2XX.LIBJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1676912429.0000000003520000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTBUSUI.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1677168708.00000000033D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameftcserco.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1677989063.0000000003520000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTD2XX.DLLJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1682344066.0000000004B40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameftserui2.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679198359.0000000003630000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameftserui2.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exed" vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exe vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exe\|. vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exex, vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exep( vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exev+ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exel& vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exef# vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1680154796.0000000003690000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exe~/ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exed" vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exe vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exe\|. vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exex, vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exep( vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exev+ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exel& vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exef# vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1679764173.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPInst.exe~/ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1678662641.0000000003610000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTSER2KJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1681529752.00000000037B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTD2XX.DLLJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1681055575.0000000003770000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTBUSUI.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1681271823.0000000003790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameftcserco.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1682178707.0000000004B20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTSER2KJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1677196163.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameftcserco.dllJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1681830936.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTDIBUSJ vs CDM212364_Setup.exe
Source: CDM212364_Setup.exe, 00000000.00000003.1678178038.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFTDIBUSJ vs CDM212364_Setup.exe

Source: CDM212364_Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ftdibus.sys	Binary string: \Device\USBFDO-USB#ROOT_HUB20#\DosDevices\
Source: ftdibus.sys	Binary string: CompositeDriverFTDIBUS\VID_PID_FTDIBUS\COMPORT&VID_&PID_&MI_\Device\Ftdiport_Com_0\DosDevices\Ftdiport_Com_0FTDIBUS\0000\REGISTRY\Machine\System\CurrentControlSet\SERVICES\FTDIBUS\ParametersRetryResetCountMaxDevsLocIdsNULLConfigDataSSIdleTimeoutIN
Source: ftdibus.sys	Binary string: \Device\Ftdiport_Com_0
Source: ftser2k.sys	Binary string: \Device\VCP
Source: ftdibus.sys	Binary string: \REGISTRY\Machine\System\CurrentControlSet\Control\usbflagsIgnoreHWSerNum\COMDeviceDescPortName ()FriendlyNameENUMEnum\\0000ConfigFlags\REGISTRY\Machine\System\CurrentControlSet\Enum\\Control\REGISTRY\Machine\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\\Device ParametersActiveServiceCSConfigFlags\Device\USBFDO-USB#ROOT_HUB20#\DosDevices\SymbolicNameIRP_MN_CHANGE_SINGLE_INSTANCEIRP_MN_CHANGE_SINGLE_ITEMIRP_MN_DISABLE_COLLECTIONIRP_MN_DISABLE_EVENTSIRP_MN_ENABLE_COLLECTION
Source: ftser2k.sys	Binary string: \Device\VCPIRP_MN_????UnknownRelations

Source: classification engine

Classification label: clean6.winEXE@7/82@0/0

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

Code function: 0_2_009C6130 ReadFile,GetLastError,GetLastError,FormatMessageA,wsprintfA,MessageBoxA,

0_2_009C6130

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

Code function: 0_2_009C6B05 lstrcpyA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,

0_2_009C6B05

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\DPINST_LOG_SCROLLER_MUTEX
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

File created: C:\Users\user\AppData\Local\Temp\FE5EB6.tmp

Jump to behavior

Source: CDM212364_Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dpinst-amd64.exe	String found in binary or memory: Could not re-add '%s' to reference list of driver store entry '%s'
Source: dpinst-amd64.exe	String found in binary or memory: Successfully re-added '%s' to reference list of driver store entry '%s'
Source: dpinst-amd64.exe	String found in binary or memory: Install option set: Suppress pre-install of Plug and Play drivers if no matching devices are present.
Source: dpinst-amd64.exe	String found in binary or memory: Error 0x%X - Could not delete service info key for '%ws', even though there are no more DIFx-installed driver stores using this se
Source: dpinst-amd64.exe	String found in binary or memory: Some post-install cleanup tasks failed. Error code is 0x%X
Source: dpinst-amd64.exe	String found in binary or memory: During undo of install, we failed to re-install the driver. Error code 0x%X
Source: dpinst-amd64.exe	String found in binary or memory: ,Software\Policies\Microsoft\Windows\DriverInstall\RestrictionsAllowUserDeviceClasses DummyWindowWindow_CaptionRunAs****************************************Failed to get command line.Command Line: '%s'DPInst is a multi-lingual binary.DPInst is not multi-lingual.The module name was too long.There was an error getting the module name.Failed to initialize MUI or Multi-Lingual language support.Title: %s.Option to dump log info on console not available under Windows 2000. Ignoring the option.Option set: dumping log info to console.Failed to set option to dump log info to console.Failed to set the current working directory to: '%ws'Current working directory: '%ws'Returning with code 0x%XRunning on path '%ws'Invalid path '%ws'No valid '%s' file provided.Install option refused: will not force install if driver is not better because of command to prompt if driver is not better.Install option refused: Can't run in Quiet mode, command to prompt user in case driver is not better is set!Install option refused: Can't run in Quiet mode, UI will be shown because a EULA is required and not suppressed!Install option refused: 'Scan Hardware Display' will be ignored because not running in 'Scan Hardware Mode'.Install option refused: can't test wizard because quiet mode enabled.Install option set: Suppressing Wizard but no OS popups.Install option set: Running in quiet mode. Suppressing Wizard and OS popups.Install option set: legacy mode on.Install option set: Suppressing EULA.Install option set: create user uninstall script file '%s'.Install option set: Prompt if driver is not better.Install option set: Force install if driver is not better.Install option set: Suppress pre-install of Plug and Play drivers if no matching devices are present.Install option set: Suppress Add or Remove Programs entries.Install option set: Install all driver packages or none.Install option set: uninstall will be set to delete driver binaries.Install option set: test wizard cycling through all finish pages.Install option set: using scan hardware display mode. Will only display successfull installs or failures.Uninstall option set: Suppressing Wizard but no OS popups.Uninstall option set: Running in quiet mode. Suppressing Wizard and OS popups.Uninstall command: uninstall Inf '%ws'Uninstall command: uninstall script '%ws'Uninstall option set: if driver was installed, will make best effort to delete driver binaries.User cancelled uninstall.Starting uninstall of '%ws'Starting uninstall of script '%ws'Machine has to be rebooted to complete uninstall.Uninstall script self-reference. Script '%s' already uninstalled.Invalid uninstall script file: '%s'Uninstall script file '%s' not found.Failed to delete 'Add or Remove Programs' entry '%s'.User cancelled uninstall of driver package '%s'ERROR: Access denied to Non-admin user to install/uninstall driver package.DPInst.exe not supported on current OS.User UI Language is 0x%X.Will enable language 0x%X although not listed in descriptor.Current confi
Source: dpinst-amd64.exe	String found in binary or memory: Pronto all'uso/Installazione non riuscita (driver non firmato)0Installazione non riuscita (certificato scaduto)
Source: dpinst-amd64.exe	String found in binary or memory: re.4Guiden Installation af enhedsdriver blev annulleret.-Installationen mislykkedes (ugyldig signatur)eEs wird bereits der beste Ger
Source: dpinst-amd64.exe	String found in binary or memory: stata rilevata nessuna periferica da aggiornare.1Non necessario (nessuna periferica da aggiornare)8Annullamento installazione driver in corso. Attendere...5Installazione guidata driver di periferica annullata.-Installazione non riuscita (firma non valida):
Source: dpinst-amd64.exe	String found in binary or memory: FileDescriptionTreiberpaket-Installationsprogramm(
Source: dpinst-amd64.exe	String found in binary or memory: ProductNameTreiberpaket-Installationsprogramm (DPInst),
Source: dpinst-x86.exe	String found in binary or memory: ERROR: (Error code 0x%X.) (Error code 0x%X: %s)%02d/%02d/%04d %02d:%02d:%02dNon-Interactive Windows StationInteractive Windows StationFailed to check if running under Local System AccountRunning under Local System AccountArchitecture: X86.Suite: 0x%04x, Product Type: %uService Pack: %u.%uPlatform ID: %u (%s)9XNTVersion: %u.%u.%u %sProduct Version %s.****************************************Failed to delete 'Add or Remove Programs' entry '%s'.User cancelled uninstall of driver package '%s'Access denied to Non-admin user to install/uninstall driver package.System requires 64-bit version of DPInst.exe.DPInst.exe not supported on current OS.Requested language 0x%X is not supported on current systemDescriptor (DPInst.xml) does not support requested language 0x%X.Will read descriptor(DPInst.xml) elements in language 0x%X, but some or all of the other elements might be in the UI default language 0x%X.Will read descriptor(DPInst.xml) elements in language 0x%X.Running with language 0x%X.Current configuration does not support UI language 0x%X.Will enable language 0x%X although not listed in descriptor.User UI Language is 0x%X.Invalid path '%ws'Install option set: using scan hardware display mode. Will only display successfull installs or failures.Install option set: test wizard cycling through all finish pages.Install option set: uninstall will be set to delete driver binaries.Install option set: Install all driver packages or none.Install option set: Suppress Add or Remove Programs entries.Install option set: Suppress pre-install of Plug and Play drivers if no matching devices are present.Install option set: Force install if driver is not better.Install option set: Prompt if driver is not better.Install option set: create user uninstall script file '%s'.Install option set: Suppressing EULA.Install option set: legacy mode on.Install option set: Running in quiet mode. Suppressing Wizard and OS popups.Install option set: Suppressing Wizard but no OS popups.Install option refused: can't test wizard because quiet mode enabled.Install option refused: 'Scan Hardware Display' will be ignored because not running in 'Scan Hardware Mode'.Install option refused: Can't run in Quiet mode, UI will be shown because a EULA is required and not suppressed!Install option refused: Can't run in Quiet mode, command to prompt user in case driver is not better is set!Install option refused: will not force install if driver is not better because of command to prompt if driver is not better.No valid '%s' file provided.Running on path '%ws'Invalid uninstall script file '%s', invalid entry '%s'.Invalid uninstall script file '%s', missing hash after ID entry.Invalid uninstall script file '%s', missing path after USCRIPT entry.Invalid uninstall script file '%s', missing path after INF entry.IDUSCRIPTINFUninstall script self-reference. Script '%s' already uninstalled.Invalid uninstall script file: '%s'Machine has to be rebooted to complete uninstall.Starting uninstall of script '%ws'St
Source: dpinst-x86.exe	String found in binary or memory: @Error encountered while adding reference of installer '%s' to driver storeError encountered while setting installer information for driver storeUnknown ProductUnknown ManufacturerUnknown Display NameParameter is NULL.RETURN: DriverPackageGetPathW (0x%X)ENTER: DriverPackageGetPathWOne or more files referenced by '%s' cannot be found in the package.Unsigned driver. Possibly rejected by user.Invalid signature. Possibly rejected by user.Could not delete driver store entry '%s'.Failed to add catalog file for '%s'.Driver package is already preinstalled '%s'.The driver package type of %s is not supported.Could not remove driver store entry '%s'.Driver Store entry '%s' removed.Successfully removed '%s' from reference list of driver store entry '%s'Implementation error: Invalid Type %u.Installing INF file '%s' of Type %u.Could not get name of the inf file.Could not remove '%s' from reference list of driver store entry '%s'Could not get Type property for driver package.Installation completed with code 0x%X.Can't repair driver packages from the INF directory.The INSTALLERINFO structure passed in by the caller was non-NULL, but one or more fields of the structure was NULL or an empty string.Successfully deleted properties for driver store entry '%s'.Could not delete properties for driver store entry '%s'.Successfully deleted driver store entry '%s'.Installing INF file '%s' (Plug and Play).Can't preinstall and then install driver packages from the INF directory.DRIVER_PACKAGE_LEGACY_MODE flag set but not supported on Plug and Play driver on VISTA. Flag will be ignored.Successfully re-added '%s' to reference list of driver store entry '%s'Could not re-add '%s' to reference list of driver store entry '%s'Uninstall completed.Uninstall: Invalid Driver Store entry '%s'.Driver store entry '%s' removed.Best effort to delete driver package files copied to system...Error occurred while uninstalling driver package '%s'Uninstalling driver package %s...Could not remove the reference of driver '%s' from driver storeWill not uninstall because other Application depend on this package %s.Could not get Type property for driver package '%s'.Could not get INF PATH property for driver package '%s'.No driver store entry for '%s' found.An error occurred while uninstalling driver package '%s'Cannot uninstall inbox driver package '%s'Could not verify if there are any applications that are still dependent on driver '%s'.Could not remove the reference of application '%s' from driver '%s'RETURN: DriverPackagePreinstallW (0x%X)%s is preinstalled.ENTER: DriverPackagePreinstallWRETURN: DriverPackageInstallW (0x%X)ENTER: DriverPackageInstallWRETURN: DriverPackageUninstallW (0x%X)ENTER: DriverPackageUninstallWl
Source: dpinst-x86.exe	String found in binary or memory: Pronto all'uso/Installazione non riuscita (driver non firmato)0Installazione non riuscita (certificato scaduto)
Source: dpinst-x86.exe	String found in binary or memory: re.4Guiden Installation af enhedsdriver blev annulleret.-Installationen mislykkedes (ugyldig signatur)eEs wird bereits der beste Ger
Source: dpinst-x86.exe	String found in binary or memory: stata rilevata nessuna periferica da aggiornare.1Non necessario (nessuna periferica da aggiornare)8Annullamento installazione driver in corso. Attendere...5Installazione guidata driver di periferica annullata.-Installazione non riuscita (firma non valida):
Source: dpinst-x86.exe	String found in binary or memory: FileDescriptionTreiberpaket-Installationsprogramm(
Source: dpinst-x86.exe	String found in binary or memory: ProductNameTreiberpaket-Installationsprogramm (DPInst),

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

File read: C:\Users\user\Desktop\CDM212364_Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CDM212364_Setup.exe "C:\Users\user\Desktop\CDM212364_Setup.exe"
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Process created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe /sa
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\ftdibus.inf" "9" "4aa35cc23" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\users\user\appdata\local\temp\ftdi-driver"
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\ftdiport.inf" "9" "47472827f" "0000000000000160" "WinSta0\Default" "000000000000015C" "208" "c:\users\user\appdata\local\temp\ftdi-driver"
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Process created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe /sa	Jump to behavior

Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Automated click: Extract
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Automated click: I accept this agreement
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Automated click: I accept this agreement

Source: CDM212364_Setup.exe

Static PE information: certificate valid

Source: CDM212364_Setup.exe

Static file information: File size 2264632 > 1048576

Source: CDM212364_Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTBUSUI\x64\Release\FTBUSUI.pdb source: ftbusui.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTBUSUI\x64\Release\FTBUSUI.pdb~~ source: ftbusui.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTBUSUI\Release\FTBUSUI.pdb source: ftbusui.dll
Source:	Binary string: d:\wm\minkernel\crts\crtw32\misc\nt\vc110.pdb source: ftd2xx.lib
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\x64\Release\FTDIBUS.pdb source: ftdibus.sys
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\Release\FTSER2K.pdb source: ftser2k.sys
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTLang\x64\Release\FTLang.pdb source: ftlang.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\pp\ftserui2\objfre_wnet_x86\i386\ftserui2.pdb source: ftserui2.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\x64\Release\FTSER2K.pdb source: ftser2k.sys
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\x64\Release\FTD2XX.pdb source: ftd2xx64.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2013\FTLang\Release\FTLang.pdb source: ftlang.dll
Source:	Binary string: d:\8180\enduser\databaseaccess\src\mdac\odbc\core\cplib\vc110.pdb source: ftd2xx.lib
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdbH source: ftcserco.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdb source: ftcserco.dll
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\Release\FTD2XX.pdb source: ftd2xx.dll
Source:	Binary string: DpInst.pdbH source: dpinst-amd64.exe
Source:	Binary string: c:\Jenkins2\workspace\J171-Windows-D2XX-VCP-VS2015\Release\FTDIBUS.pdb source: ftdibus.sys
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\pp\ftserui2\objfre_wnet_amd64\amd64\ftserui2.pdbH source: ftserui2.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\coinst\ftcserco\objfre_wnet_x86\i386\ftcserco.pdb source: ftcserco.dll
Source:	Binary string: c:\jenkins2\worksp~1\j11a5a~1\pp\ftserui2\objfre_wnet_amd64\amd64\ftserui2.pdb source: ftserui2.dll
Source:	Binary string: DpInst.pdb source: dpinst-amd64.exe, dpinst-x86.exe
Source:	Binary string: DpInst.pdbp source: dpinst-x86.exe

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: 1_2_004098C4 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

1_2_004098C4

Source: ftd2xx64.dll.0.dr	Static PE information: section name: .00cfg
Source: ftser2k.sys.0.dr	Static PE information: section name: PAGESRP0
Source: ftser2k.sys.0.dr	Static PE information: section name: PAGESER
Source: ftser2k.sys0.0.dr	Static PE information: section name: PAGESRP0
Source: ftser2k.sys0.0.dr	Static PE information: section name: PAGESER
Source: SETAA3D.tmp.2.dr	Static PE information: section name: PAGESRP0
Source: SETAA3D.tmp.2.dr	Static PE information: section name: PAGESER
Source: SET948B.tmp.2.dr	Static PE information: section name: .00cfg
Source: SETA024.tmp.4.dr	Static PE information: section name: .00cfg
Source: SETACA7.tmp.6.dr	Static PE information: section name: PAGESRP0
Source: SETACA7.tmp.6.dr	Static PE information: section name: PAGESER

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: 1_2_004040C9 push ecx; ret

1_2_004040DC

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftcserco.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET951B.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftserui2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA4E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftbusui.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftdibus.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftd2xx64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET94DA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftbusui.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftd2xx64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftdibus.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftserui2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftser2k.sys	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA6E.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftbusui.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx64.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA064.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACE7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\i386\SET9721.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\ftd2xx.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA3D.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA075.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftcserco.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\FTLang.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftbusui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftserui2.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA044.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftserui2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftcserco.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftcserco.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\i386\ftd2xx.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACA7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET94FA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftlang.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftser2k.sys	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\SETA0B6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\FTLang.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftlang.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftser2k.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftser2k.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACC7.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA024.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftdibus.sys	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftdibus.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	File created: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET948B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.dll	Jump to dropped file

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftbusui.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftserui2.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA064.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACE7.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\SETA0B6.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\ftd2xx.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftser2k.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA044.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftdibus.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACC7.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA075.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftd2xx64.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA024.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftcserco.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\FTLang.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACA7.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Code function: 0_2_009C5D38 lstrlenA,lstrcpyA,GetPrivateProfileStringA,VirtualAlloc,lstrcatA,lstrcatA,ExpandEnvironmentStringsA,lstrcpyA,lstrcpyA,GetCurrentDirectoryA,lstrlenA,lstrcatA,GetTempPathA,lstrcpyA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrlenA,lstrcpyA,		0_2_009C5D38
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Code function: 0_2_009C5344 lstrlenA,GetTempPathA,GetCurrentDirectoryA,GetCurrentProcess,GetModuleFileNameA,CreateFileA,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,VirtualAlloc,ReadFile,GetTempPathA,GetTempFileNameA,CreateFileA,WriteFile,CloseHandle,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,wsprintfA,wsprintfA,GetPrivateProfileStringA,lstrlenA,lstrlenA,wsprintfA,GetPrivateProfileStringA,lstrlenA,lstrlenA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,VirtualFree,DeleteFileA,		0_2_009C5344

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-2387

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftcserco.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftbusui.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftserui2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET951B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA4E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftserui2.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftbusui.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA044.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftserui2.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftdibus.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftd2xx64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET94DA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftbusui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftcserco.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftd2xx64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftdibus.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftserui2.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftcserco.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftser2k.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\i386\ftd2xx.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACA7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA6E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET94FA.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftbusui.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftser2k.sys	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftlang.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACE7.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA064.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\SETA0B6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\FTLang.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\i386\SET9721.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftlang.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftser2k.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\ftd2xx.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA3D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftser2k.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACC7.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA075.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA024.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftcserco.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftdibus.sys	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftdibus.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET948B.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\FTLang.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\CDM212364_Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-9404

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_1-7602

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

API coverage: 9.2 %

Source: setupapi.dev.log.2.dr	Binary or memory string: sig: Key = vmci.inf
Source: setupapi.dev.log.2.dr	Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.2.dr	Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.2.dr	Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: {Add Service: vmci}
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: Created new service 'vmci'.
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.2.dr	Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.2.dr	Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.2.dr	Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.2.dr	Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: setupapi.dev.log.2.dr	Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.2.dr	Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: setupapi.dev.log.2.dr	Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.2.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: setupapi.dev.log.2.dr	Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: setupapi.dev.log.2.dr	Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.2.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: setupapi.dev.log.2.dr	Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.2.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: setupapi.dev.log.2.dr	Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: setupapi.dev.log.2.dr	Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.2.dr	Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.2.dr	Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.2.dr	Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.

Source: C:\Users\user\Desktop\CDM212364_Setup.exe

API call chain: ExitProcess graph end node

graph_0-2429

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: 1_2_0040427B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_0040427B

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

1_2_004098C4

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: 1_2_00401B10 _memset,_memset,GetProcessHeap,_wcslen,HeapAlloc,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,GetExitCodeThread,CloseHandle,CloseHandle,HeapFree,

1_2_00401B10

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Code function: 1_2_0040851F SetUnhandledExceptionFilter,	1_2_0040851F
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Code function: 1_2_0040427B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040427B
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Code function: 1_2_00405608 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00405608
Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	Code function: 1_2_00401E95 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00401E95

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: GetLocaleInfoA,

1_2_0041051F

Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\ftdibus.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\ftdiport.cat VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: 1_2_00402EE7 GetSystemTimeAsFileTime,__aulldiv,

1_2_00402EE7

Source: C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Code function: 1_2_0040D6BF __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

1_2_0040D6BF

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	3 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CDM212364_Setup.exe	0%	ReversingLabs
CDM212364_Setup.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftbusui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftbusui.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftcserco.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftcserco.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx64.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftdibus.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftdibus.sys	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftlang.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftlang.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftser2k.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftser2k.sys	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftserui2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftserui2.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-x86.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-x86.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftbusui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftbusui.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftcserco.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftcserco.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftdibus.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftdibus.sys	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftlang.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftlang.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftser2k.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftser2k.sys	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftserui2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftserui2.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA3D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA3D.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA4E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA4E.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.disoriented.com/	0%	Virustotal		Browse
http://www.disoriented.com/openConfirm	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.disoriented.com(	CDM212364_Setup.exe	false		low
http://www.disoriented.com/	CDM212364_Setup.exe	false	0%, Virustotal, Browse	unknown
http://www.disoriented.com/openConfirm	CDM212364_Setup.exe	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430184
Start date and time:	2024-04-23 09:20:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CDM212364_Setup.exe
Detection:	CLEAN
Classification:	clean6.winEXE@7/82@0/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target dpinst-amd64.exe, PID 7372 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	275
Entropy (8bit):	5.280241042166445
Encrypted:	false
SSDEEP:	6:eWlBB9sc29JfD9scWXK1ezbPqbrZEucMiRgOXLvEP:e+YcKfycQBPPU9iTXbg
MD5:	50F2BBF24A14BE4E408F94BC3849C38D
SHA1:	CA3512C6847A2B82A7DB2E2599EF7E5F7D18423D
SHA-256:	D99B9414E6B4C20127BD62BB105010BF980A5F1C2922B1D900629F498473095A
SHA-512:	0C341554D7891424BD4B4E96667F879589A1E76FDC58627AA813419D5E5F2127A218DD26F6F0F3328798D761D01B62CA84A961EEE112BCF124C9E6EFF72C298E
Malicious:	false
Reputation:	low
Preview:	[FE].Name=FTDI CDM Drivers.ZipSize=2184467.Exec=$temp$\FTDI-Driver\dp-chooser.exe.DefaultPath=$temp$\FTDI-Driver.Intro=Click 'Extract' to unpack version 2.12.36.4 of FTDI's Windows driver package and launch the installer..URL=www.ftdichip.com.Author=W.AutoExtract=1.Delete=1.

C:\Users\user\AppData\Local\Temp\FTDI-Driver\Static\amd64\ftd2xx.lib

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	697006
Entropy (8bit):	5.53172072416843
Encrypted:	false
SSDEEP:	6144:BYIrAP1zgaVebdmSBP3AGGmj8OyLWbcbahChz9Tgn7KpXYXCMp3jw1bJGb/+8pa4:BYft+cg+JdHjzrsNl
MD5:	BA64A708FBF2A444D4E112A521805EDB
SHA1:	BEC9BEABCB47906500D4D59D5B086079CB9AFC22
SHA-256:	1121A0456624BCDF768C70FE73EA649741C70160E85EDB5007DE950D4C646A57
SHA-512:	CA1AE58D93070BE1DD840503C601A5F684D6B64D50CFB8F313D8F155004F423E532B1FB0F27BC1B03D793E094E36D39966FDE4FC30B060B542EC0B1640E57D8D
Malicious:	false
Reputation:	low
Preview:	!<arch>./ 1625488689 0 60971 `........L.........$...$.................p...p...........>...>.................z...z...........X...X...........,...,.................r...r...........L...L.........$...$.................d...d...........6...6.................x...x...........R...R...........,...,.................\|...\|...........X...X.................................h...h...........B...B........."..."...................d...d...........4...4.................n...n...........B...B...................~...~...........T...T.................................n...n...........@...@...................z...z...........N...N..........."..."...................f...f...........:...:...................\|...\|...........N...N.................................v...v...........T...T...........0...0...................h...h...........>...>...................~...~...........N...N...................................X...X..........."..."...................X...X....

C:\Users\user\AppData\Local\Temp\FTDI-Driver\Static\i386\ftd2xx.lib

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	574566
Entropy (8bit):	5.676338629359648
Encrypted:	false
SSDEEP:	6144:eEmHzfsK3HBcwMNs81YO5Gyry1VinPzud+kpJZft:eEUfsKJdy/6Vft
MD5:	9DFB51E72110BC90D87CF2D1E9610384
SHA1:	F1E199F43B49F3D0C42FA77043D4262449D00A1D
SHA-256:	D47E7AE0F5D17058677CDB84CF39F61EA2363020F9D01C14E91B9E71EA1598CA
SHA-512:	28D4B65D54E7F7190E661167C95674076ACA3A6E3A16051CBC8CD78AD5E04D8168B2C9AA926B208ABF2991649115B59A222ECC8738D1B93EAD5F2BA663C15056
Malicious:	false
Reputation:	low
Preview:	!<arch>./ 1625488758 0 66728 `............j...j...........X...X...........2...2...................r...r...........P...P...........6...6...................................d...d...........F...F...........&...&...................r...r...........L...L.................................\|...\|...........^...^...........F...F...........,...,...................z...z...........R...R...................................................j...j...........D...D.......... ... ... ... ... ... ...!f..!f..!...!..."@.."@.."..."...#...#...#...#...#...#...$d..$d..$...$...%B..%B..%...%...&"..&"..&...&...&...&...'h..'h..'...'...(B..(B..(...(...)...)...)...)...)...)...j..j........+J..+J..+...+...,&..,&..,...,...-...-...-t..-t..-...-....N...N........../2../2../.../...0...0...0...0...0...0...1p..1p..1...1...2T..2T..2...2...3..3..3...3...4...4...4r..4r..4...4...5P..5P..5...5...6&..6&..6...6...7...7...7n..7n..7...7...8J..8J..8...8...9...9...9...9...9...9...:\..:\..:...:...;2

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftbusui.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168456
Entropy (8bit):	6.246480364593094
Encrypted:	false
SSDEEP:	3072:a+f/hrqTv5CgCn2p+WsDC7wQGXLCoeofwaqVcppnx1um75JXZ4:a+cTglYOQwQ4uoebaq4r5n4
MD5:	D79A5E34F684B547FA2F963DFCC15A21
SHA1:	81CCA464D4C8773B00F0A6F170F402FFE2D6A9C8
SHA-256:	4BBC0B301A7C5A6B1B73878CE3AEEB191F5FCEAC05835372142206D79AC81559
SHA-512:	E199F40F06F674EB8EC0E599FFF47A36D4495F4F2FFEE96CADFD00ABA9D5BB127F4461090322244EC973FCC2C8AE119FB12CE65AD585CCAA570115B7D957EA28
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d...d...d...5v..d...5w..d...5H..d....\..d...d...d..\|.v..d..\|.K..d...6L..d...d...d..\|.I..d..Rich.d..........PE..d......`.........." .....x...........5.................................................... .................. ......................P...h.......d.......@....p.......V...<..............8...........................0...p............................................text...Tw.......x.................. ..`.rdata...............\|..............@..@.data...`:...0......................@....pdata.......p.......(..............@..@.rsrc...@............>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftcserco.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75272
Entropy (8bit):	6.176258876551271
Encrypted:	false
SSDEEP:	1536:lxRShQnixg3RolUmf71kjy3JIO64l7Xuuy+fk+QI:lHShQnixg3RolUmzCy3JIO64l7euVfkQ
MD5:	AA69BF96E10F463082A0664B7A2E9FAE
SHA1:	D9CC34D613E8655FD7DA5293093E050D4D24AF5F
SHA-256:	C0224B9EF14365F6DDA96134CC77D978E69FBD61EFDADE6FD1EB676418C41023
SHA-512:	778599EEEE6C6F3F8C46E4BB774697E8528F03B30381BE3BA06298E23D1514039CC926E89AADAC2771074657A9478DCF60D4D92BDD69C7A5A094D59ED32F2993
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............................u.......u.......u.............u.......u.......u.......u......Rich....................PE..d...i..`.........." .........6......<d.......................................@............@.........................................p...Q... ...x.... ..X................<...0..`...0................................................................................text............................... ..`.data....&..........................@....pdata..............................@..@.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx.lib

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	20260
Entropy (8bit):	5.168343134023792
Encrypted:	false
SSDEEP:	384:J8L2SzQdYpFvkSgIIMxim0e9D5tLvpc8Dj4ioCQtfc0j59jQ:J8L4dYpFvkSkqim0gDLvpbDcBCQtfR5i
MD5:	2C6C133941002E602D1AC6831CBB7368
SHA1:	A1006940F09C815F37F6B850532EF95EE9A9E538
SHA-256:	7C3A73D3A2441B460F03358BC8CC81E5F3FB43523BFA35E4EEF3BBE8BAD5788D
SHA-512:	0DEA1BC4AC315E27896E6D4AB5E52FA25ECD70116A88B5686331B99D1A303A4C5A70C69188A4FBEBD511B618BA9362459CAC84B69AE3CFCD72877ABB556FB464
Malicious:	false
Preview:	!<arch>./ 1625488698 0 4440 `.......#:..%`..&...7l..7l..'...'...8...8...NZ..NZ..6...6...:0..:0..;n..;n..=~..=~..?...?...>...>...(R..(R..@...@...(...(...4...4...=...=...86..86..A`..A`..4...4...?4..?4..34..34..5...5...<...<...<B..<B..B:..B:..M...M...>d..>d..7...7...7...7...@...@...3...3...;...;...0...0...A...A.../.../...8...8...N...N...+...+...,...,....&...&..................F...F...F...F...J\|..J\|..M...M...I...I...E...E...E...E...F...F...G...G...HH..HH..H...H...I..I..J...J...J...J...KX..KX..K...K...L6..L6..L...L...M...M...1v..1v..D...D...B...B...;...;...@...@...:...:...,...,...-...-...l..l..)...)...2T..2T..1...1...=...=...2...2...4...4...Gd..Gd..9...9...9d..9d..1...1...,...,.../`../`..-T..-T..5\..5\..+B..+B........)...)...)...)...C...C...C...C...Cz..Cz..DT..DT..64..64..04..04__IMPORT_DESCRIPTOR_FTD2XX.__NULL_IMPORT_DESCRIPTOR..FTD2XX_NULL_THUNK_DATA.FT_Open.__imp_FT_Open.FT_Close.__imp_FT_Close.FT_Read.__imp_FT_Read.FT_Write.__imp_FT_Write.FT_I

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx64.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647616
Entropy (8bit):	5.8372260150013044
Encrypted:	false
SSDEEP:	12288:k2Ruad22Cu6+wfhZLF5lfDOHc/aFMmymLRt+i2:332xNfhZLF5lfDOHvMTmLRt2
MD5:	BEFBC1A8F6C2B8E143DDD97CCB6561B5
SHA1:	44B085C25026DABE6280C539F43DD0755FB28499
SHA-256:	774AF8B12C85D03562742ACDF222AF5E0432167BF107BA4B260757E4A5E36866
SHA-512:	A41B29E0493AD8ED57F55B8AA557AED460794894A5A53B057EEEF017A81F071A09DD298FB63EB0277344A9B69D790699131642106124320FB80BA87D1AD60DD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.H.I...I...I..p.J..I..p.H.VI..p.I..I.......I.......I.......I....p..I...I..GI..S....I..S....I..V.D..I...I,..I..S....I..Rich.I..................PE..d...;..`.........." .........D......3A.......................................0.......'....`.................................................@...d.......i....`...U.......!...........w..8............................x..................@............................text...J........................... ..`.rdata...k.......l..................@..@.data....:... ......................@....pdata..4_...`...`...$..............@..@.idata..............................@..@.gfids..............................@..@.00cfg..............................@..@.rsrc...i...........................@..@.reloc..P...........................@..B........................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftdibus.sys

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145192
Entropy (8bit):	6.492981302114183
Encrypted:	false
SSDEEP:	3072:np+Tpx5m9iS1H41Un58rdppcZxPtlGU1WopW:n8x5sJ4q58rdppcjPt9WoU
MD5:	AB7418C8DFBBB97BEFB4F0ADED3D4663
SHA1:	B9A7A3FBBA707BA52F8AC4339070473A486CE7B7
SHA-256:	3BD5BB7E646E67469EC25A37CAA5131CF992759703B0FC170DF7AF265B9F8E74
SHA-512:	BE19D2CFE8C9198CE43470FDB6B6030EB4BD1B4080887CB6F1D69C2B661BBD79FFA85B4B70FDBE97BADADF2B75CE7FBE7B627FE08FB1DF3104CC16842E609A40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........VAA.7/..7/..7/..W)..7/..7...7/..W...7/..W,..7/..W+..7/..i+..7/..i...7/..i-..7/.Rich.7/.................PE..d......`.........."..........<.................@.............................@......W.....`.....................................................P.... ..p...............(G...0..\|.......8............................................................................text...3z.......\|.................. ..h.rdata..p........ ..................@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGE.....%.......&.................. ..`INIT....B........................... ..b.rsrc...p.... ......................@..B.reloc..\|....0......................@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftlang.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	5.978951711504469
Encrypted:	false
SSDEEP:	3072:VTwkcrbAg7JNtvh8vULQzOdtsK9g0BIGpY29ZR0qhJRYxEda6sEsOkXlYJkveT/s:VTPzg5JSULQz2tsKi0B9305E9P+3
MD5:	662679682F491FBAF3D15953D13EC72E
SHA1:	9EA41242F7945A6814D757DA232359DFD7D421BD
SHA-256:	C2729911C4B82D8F9E22E057A1570D0265D7A9ECA44D6FE8DC0658F47263CE12
SHA-512:	E5305020F3BC11342EE9073780BAAE37FF700434B7C695980345C7E9DB56B03F8199CE0C278E549C4EB92B4294F1FC91A0DBBB1C033B13794648A24DC94837E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;L..hL..hL..h..\hn..h..]h(..h..bhE..h.MvhO..hL..h...h.,\hN..h.,ahM..hA.fhM..hL.*hM..h.,chM..hRichL..h........................PE..d......`.........." .........:...............................................P............ .................................................@...(.......h0...............<...@..@... ...8............................c..p............................................text...;........................... ..`.rdata..&...........................@..@.data...X<..........................@....pdata..............................@..@.rsrc...h0.......2..................@..@.reloc..@....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftser2k.sys

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	99296
Entropy (8bit):	6.544765616961625
Encrypted:	false
SSDEEP:	1536:ateH5nh6Lk8irGapY1hgw+8wWXZ43CV5h9zYWSYZz8ITF:LZhck8irB4gXWp43g53UWSYtJF
MD5:	B66678FF4E347E22146609B3D5B7B2C4
SHA1:	632A3B4365F9256B13FF0F671260463A8972070D
SHA-256:	7A303AA880CC746D13F71E565874FB7C174747372CCF358B928A72219D2A50DD
SHA-512:	07D73174638953074165EEFB804394F21A1A115116459B96903FCB34A6656450BDCD2A9ABD0590EC5A63D3DF153301A8DDB527405D67DFF3065BB5108C52F575
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....{...{...{...z..{..yz...{..yx...{..y....{.]G....{.XG....{.]Gy...{.Rich..{.........PE..d......`.........."...........................@..........................................`.....................................................<....................>...E.......... ...8...........................`...................@............................text....n.......n.................. ..h.rdata..p............r..............@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGESRP0.E.......F.................. ..`PAGESER..@... ...B.................. ..`PAGE.........p.......".............. ..`INIT.................(.............. ..b.rsrc................8..............@..B.reloc...............<..............@..B................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftserui2.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65544
Entropy (8bit):	6.240264971246993
Encrypted:	false
SSDEEP:	768:eNz2GaueQUOHlpEhZf25HY/Q2KDJko4zfrW86F+12Rer30bbYrc/a0FpJvh9Rebt:ex7eWvE3KMSQT12R60T/PP8H/3F
MD5:	3E5BCD980AF8B20313005D9A492CEC8A
SHA1:	060B9D1444327D3FAA56E3B35FC2BB606B692DD7
SHA-256:	55A23A2AC263E10B77D7E95601439F771062F2C248A8D93039A968D66100C39C
SHA-512:	DC4BA803EB3EAB0D5BA452ACA2C57095A74B1B3DBD82078ED17BBC34C5DB3F791EAB4A418D4C822C170B4D561D36D0E47BA6A2DA915A8B1797A88666B19C69F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q.\.Q.\.Q.\..\.Q.\.)H\.Q.\.)^\.Q.\.)Y\.Q.\.Q.\)Q.\.)N\.Q.\..\.Q.\.)O\.Q.\.)T\.Q.\...\.Q.\.)I\.Q.\.)L\.Q.\Rich.Q.\........PE..d......`.........." .........B......@]...............................................&....@......................................... ....................$...............<......0....................................................................................text.............................. ..`.data... ...........................@....pdata..............................@..@.rsrc....$.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90160
Entropy (8bit):	6.501864323247129
Encrypted:	false
SSDEEP:	1536:lspRtFBtCzec2R7ixCiyLab5t2HLCvXSrPPr5wg5I:8LtCVKicTLabEi89wg5I
MD5:	461A3CE2E77143EC0E0015D80675911B
SHA1:	3D39E3C12D1424CFBBDDA20CCE48F18CBECA1D06
SHA-256:	003310B93A1A237FB022C7D7F40515DAF25FA1B91690965D3B98C1829A92ED37
SHA-512:	95B4F646FD655ED598360638D0A384E548F40C00B6FE8373C070719FD1F37BCC42522A7C0006AD33E63DF9179A8E8302A962F40C81249476BA530D64B6F1AD3A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\...2...2...2.....2.....2...g.2...I...2...3...2.....2.....2.Rich..2.................PE..L.....R`.....................X......D2....... ....@..................................D......................................d<..P....................F..0............................................6..@............ ..p............................text...$........................... ..`.rdata...$... ...&..................@..@.data....1...P.......0..............@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1047056
Entropy (8bit):	5.608247345375391
Encrypted:	false
SSDEEP:	6144:ksSOzpPId26dQcEaUrPvwgwkRVagRoDHTj8K1sqI6VLp4XOigSbduP/1HHm/hHAn:4IId79EaUTvwieMozMEcOigSpuPMaLiW
MD5:	0E7E8820A977D3B4B81C5188FA841C52
SHA1:	A6D6831A4A097BD47AF267727A4AD6B38B14CDE3
SHA-256:	65054D27C91C21AF7C7F1838427A0AC64089DC51DD27EB220B589C26B94903A1
SHA-512:	5A2D572B77D59A342ED997586CC7F7741DFB386A2C4243638F1C6933AB1722720953AC8AFF3A8097BDC60E807CA51B9912A534D91C76D359E3D819D61235BE3D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g9I.#X'.#X'.#X'.* ..!X'.* ..7X'.* ..<X'.#X&.Y'.* ..fX'.* ...X'...Y."X'.* .."X'.* .."X'.Rich#X'.................PE..d......J..........".................................................................d.....@.......... ......................................H...@.......pY...0..\m...................................................................................................text............................... ..`.data... ...........................@....pdata..\m...0...n..................@..@.rsrc....`.......Z...v..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-x86.exe

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921616
Entropy (8bit):	5.697380535538133
Encrypted:	false
SSDEEP:	6144:pZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIt:pZxSpwmxvL/f3vCN1PMaLi6rAyIQjY
MD5:	C2F2C1398C5CDB55A67676527EA29404
SHA1:	891ABFAC154546FFF98EE70C542C8908EDB32F81
SHA-256:	2BCA1650E3F7B9F98B06ED894CFD5EBC758E2B96EEB5D6C340D96E3F137D4472
SHA-512:	983AF518FCC6100E43B5F80A0665ACBB2E69BFF94B4D37618D9FD728745E77556724ADD40E7C413916B3BC12925C384B30CB1A5524CB23CA87895F4587AD9A06
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p..o4..<4..<4..<=.`<"..<=.v<...<=.f<)..<4..<@..<=.q<o..<=.a<5..<=.d<5..<Rich4..<................PE..L......J................. ..........j........0...............................0......u.....@...... ..............................,....p..lY......................XC...................................=..@...............L............................text............ .................. ..`.data...`>...0.......$..............@....rsrc....`...p...Z...<..............@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst.xml

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	19875
Entropy (8bit):	4.57337875560836
Encrypted:	false
SSDEEP:	384:GhdradsTChQnGFUcDyRAX2XARyDcN+fnQhCTsPup47Kl0HmeZor6VoZe/kV6rgxh:GhdradsTChQnGFUcDyRAX2XARyDcN+fJ
MD5:	BBB46E3360F3FCABC5D03CA33DC10458
SHA1:	C442CAB7EA74D8A1DD3BF97786BAD844E8913B44
SHA-256:	65E9BC1F59DE53462ED2E6B002C0BE26CD3F37B1E360938A0A32AA452ED58030
SHA-512:	1594E0BD1BA7D9541FF5A44F65DA6ACDF1B27CFDD72F4A04C07BE0F815F6D05D773D8980595DA18ECC1AB1BC2587FC248E0997873B02C151DCA096A741CD4D78
Malicious:	false
Preview:	<?xml version="1.0" ?><dpinst>..<language code="0x0000"><eula type="txt" path="licence.txt"/></language>..<language code="0x0004"><eula type="txt" path="licence.txt"/></language>..<language code="0x001A"><eula type="txt" path="licence.txt"/></language>..<language code="0x007F"><eula type="txt" path="licence.txt"/></language>..<language code="0x0400"><eula type="txt" path="licence.txt"/></language>..<language code="0x0401"><eula type="txt" path="licence.txt"/></language>..<language code="0x0402"><eula type="txt" path="licence.txt"/></language>..<language code="0x0403"><eula type="txt" path="licence.txt"/></language>..<language code="0x0404"><eula type="txt" path="licence.txt"/></language>..<language code="0x0405"><eula type="txt" path="licence.txt"/></language>..<language code="0x0406"><eula type="txt" path="licence.txt"/></language>..<language code="0x0407"><eula type="txt" path="licence.txt"/></language>..<language code="0x0408"><eula type="txt" path="licence.txt"/></language>..<langu

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftd2xx.h

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	C source, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	51546
Entropy (8bit):	5.526589371806313
Encrypted:	false
SSDEEP:	1536:WUZMw6FdU0yCSg9OU3bTn87cnRx6EHzRR0zBUIwUfTuxTGpQA:Llg9OUHnpnyKXA
MD5:	08FBBF757A92B079CA66FF62D99A6C82
SHA1:	905BA742B149172E5EC437C13B0E2D2816A83775
SHA-256:	EE0C6358BA2F13015EC7B07AEA16BF3ADA33508851CC494FC256A8B28AF31147
SHA-512:	8A2F64CC408FEE0933517529727E48CDCEC74CB1DFB3D8E169510D763774EEE7F0F60DC04A4792D102E39F3194DDA102476F493F6997A68A0625E9366AEF6926
Malicious:	false
Preview:	/*++....Copyright . 2001-2021 Future Technology Devices International Limited....THIS SOFTWARE IS PROVIDED BY FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED "AS IS"..AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES..OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL..FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,..SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT..OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE, DATA, OR PROFITS OR BUSINESS INTERRUPTION)..HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR..TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,..EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.....FTDI DRIVERS MAY BE USED ONLY IN CONJUNCTION WITH PRODUCTS BASED ON FTDI PARTS.....FTDI DRIVERS MAY BE DISTRIBUTED IN ANY FORM AS LONG

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdibus.cat

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	23417
Entropy (8bit):	5.948769892863068
Encrypted:	false
SSDEEP:	192:wIWIdFWkGHHPj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a22g:vyl4rPFRXp4hlTJdkC
MD5:	B392C785B9C2AA31187D1BD0A4F5EBA5
SHA1:	BD80456EAC30AE84B2A0E1CE9A4A364A01C68F39
SHA-256:	B286055896DEA79D4521368293DEEE801930F3FB503CC3076AC97716B338B0F7
SHA-512:	A22007089580CF066FF30D405F607B88F499754F7859EA98915FA2F5E35D21E91BBE4C25271F8C62357F11C2469FD20556D805A52071B96E30FBA8657C6338E6
Malicious:	false
Preview:	0.[u...H........[f0.[b...1.0...`.H.e......0.:...+.....7....:.0.:.0...+.....7............@..5;.t.u..210708145418Z0...+.....7.....0...0....R2.F.D.9.A.3.9.F.1.7.B.4.F.8.9.C.E.C.D.7.5.2.8.F.5.8.7.6.7.2.7.D.C.0.0.C.7.A.7.8...1..G08..+.....7...10(...F.i.l.e........f.t.d.2.x.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+......../........R.Xvr}..zx0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.5.C.D.6.B.7.1.5.A.A.2.D.4.E.7.E.E.1.9.1.E.C.B.D.F.B.8.C.7.F.7.5.4.D.4.1.7.6.2...1..I0:..+.....7...1,0*...F.i.l.e........f.t.d.i.b.u.s...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........E.kqZ..........T..b0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R5.3.F.D.E.7.C.9.4.8.8

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdibus.inf

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	30650
Entropy (8bit):	5.516268884073016
Encrypted:	false
SSDEEP:	768:tDAm640CejlZtOojWnXD8yVxaQZdHwG5B8ZJDsyPxSQZXH4G7tVB03F3PPvZh/6:tbSjWJD8/5B03DU
MD5:	B404B591DCAE1E28603479A7963CB6F6
SHA1:	5D4AE8370FB8A05189B0ED9430459BCB97BB9E54
SHA-256:	FF361CDD7C814DB0BEA98578A731EF5C03BF457E06BCA9950FDBAB57A4D3C7F6
SHA-512:	F928FD950A1F57172DFDF2CC8D23A54381715EE79D492D3491EAEAF4ADCC11241F87A00E91F03B504F78DF1DEF4D7C4569A192D62E21088ABD6DBFD721134B04
Malicious:	false
Preview:	; FTDIBUS.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..; ..; USB serial converter driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016...; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In cons

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdiport.cat

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	22608
Entropy (8bit):	5.965323528440976
Encrypted:	false
SSDEEP:	192:whASiyWWICmejj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a2E:YAw4rPFRO+NJ/AlGsJPY9
MD5:	60238C00694F838EED4757D1CE167D8B
SHA1:	0E39502D2CBD03ECF3973AD2F5F94DDB21C74B37
SHA-256:	113A35E6161F3AE8BB9D0E0F31913872C4B32FD6211ECE27DDDEB238F601EB59
SHA-512:	578A026793F2A30814A31BB9A63360BC2142E3263CB752B67CF8FFD3A65253D30E0BBA5BBD5D57759BA3455AB8F2D766FC14F6D6B5085833EA44936A08B8C713
Malicious:	false
Preview:	0.XL...H........X=0.X9...1.0...`.H.e......0.6...+.....7....6.0.6.0...+.....7.......;...@..:.T8-...210708145418Z0...+.....7.....0...0....R0.3.A.4.7.E.F.E.F.0.0.6.9.1.7.6.4.3.0.A.C.8.A.2.E.3.9.0.8.5.F.D.3.2.2.E.8.2.D.3...1..I0:..+.....7...1,0...F.i.l.e........f.t.s.e.r.2.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+..........~....vC....2...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.6.4.D.6.B.E.E.E.6.1.A.B.B.F.2.0.5.7.4.D.E.3.B.4.2.5.5.F.3.C.5.E.2.1.2.E.2.7.6...1..K0<..+.....7...1.0,...F.i.l.e........f.t.s.e.r.u.i.2...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........Mk......t.;BU.....v0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.9.2.9.B.B.A.B.9

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdiport.inf

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	18369
Entropy (8bit):	5.49132972724957
Encrypted:	false
SSDEEP:	384:KRD7TYsKwdRFr+40CejlZtOoggvxUkHlfD0fsEc886YVeZgTey:WDAm640CejlZtOoV5DfX88t
MD5:	B16B75B545A296EFC49805C94DFD334C
SHA1:	88DA6E6C3C9D94F6725D854CD866EA2CF305D67A
SHA-256:	00627112CF622CC6FB99A6B5DE24FCC61B6D0A211A6BD1E90B985BCF9950F6D9
SHA-512:	18C2B08A06AE87F5F2EEB79DEE4A3725FB5F8516D9C9F1CA60C5C96F06BA07493D4FB4199FBD67A042132201EC32C3E5B4331CF0671F787B3DA7A2C5A7197357
Malicious:	false
Preview:	; FTDIPORT.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..;..; USB serial port driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016.....; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In conside

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftbusui.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	156168
Entropy (8bit):	6.6398910374074775
Encrypted:	false
SSDEEP:	3072:Ha9TWOAIKR1PA/RrTjzgKcKb9OoyYAJgsP:iWwKbP6Rr01P
MD5:	107815287E29854DEF48BFB8341B9453
SHA1:	AD65501AF88E92E9E17A0E23C0F99231375B83B3
SHA-256:	CE0B628933BECB2060A3B11A85C06146807ED03949F756036E6F93F597EC54C2
SHA-512:	55856D5158B4C689464031F4785DEAA3E3EBB82F07D80CD8BD39C3F22846F3451DF1D8E1D0994B064AAFA03C5163F386D771B74C72029076315834F1A1BB06CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+.[.+.[.+.[.z.[.+.[.z#[.+.[.z.[.+.[}.7[.+.[.+.[.+.[...[.+.[.. [.+.[.y'[.+.[.+k[.+.[.."[.+.[Rich.+.[........PE..L......`...........!.................1.......................................p.......a............... ..................h...H...d....0..@............&...<...P..,......8...............................@............................................text............................... ..`.rdata..._.......`..................@..@.data..../..........................@....rsrc...@....0......................@..@.reloc..,....P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftcserco.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78856
Entropy (8bit):	6.448107183476905
Encrypted:	false
SSDEEP:	1536:JwpJ3AxCnwhDpQnP8xat+h4siLIgHmE4KtMxPMpBT:JwpJ3AxCnwhNQP8xb4sngNtMt+T
MD5:	73FF9164F917526997E2838715FA7779
SHA1:	1DCEA840FC97445898777D40571C09D410D90911
SHA-256:	239161AB87C6BE9D7996033777FFB62786A0F609D9F7270ACF56AD7A03008070
SHA-512:	30919855C0129218C73C64F300177B519017A57E47EBE12B7ADA9E1408FADBCF812CBFBB334BCBB1B78E80FAD5D481447B4BD50F4D771070E2FC9E7EBE65D796
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=k..S8..S8..S8s..8..S8..R8..S8...8..S8...8..S8...8..S8...8..S8...8..S8...8..S8Rich..S8................PE..L......`...........!.........0......D_....................................... ...........@.........................0...Q.......x.......X................<...........................................E..@...............\|............................text............................... ..`.data...............................@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392128
Entropy (8bit):	6.675882265173621
Encrypted:	false
SSDEEP:	6144:6cumjO3f6acDJuRkgm3qP12tHi3b+cVZhPTlqWMTZ4Rp71RpeRjK3q:6cBjQf6acERkkP12tqbBxTlqWUop5ywa
MD5:	6FFEB45E0137622EBBBA8361107D304E
SHA1:	01B3F848148A276F6317D6C98EDBDB1133F458DA
SHA-256:	60BB0D6348B1EB0127401AA902F34C963D9196D2778C66F4008A6CF0C6F098A5
SHA-512:	BC3D9DDCB1FC249CF1A3A11EEFE9131280F18CB538C381C46B1818354E947690D52FD38B14674A7BB51CE5FF73F4B8721D19FD4960694B3442ECC90C58F75052
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.6._je._je._jei.e._jei.eO_jei.e._je..id._je..od._je..nd._je...e._je._ke\_jeJ.od._jeJ.jd._jeO..e._je._.e._jeJ.hd._jeRich._je................PE..L......`...........!.........................................................0......Tq..........................................d.......X................!.......(.....T...........................(...@............................................text............................... ..`.rdata..............................@..@.data...X$..........................@....gfids..............................@..@.rsrc...X...........................@..@.reloc...(.......(..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.lib

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	22190
Entropy (8bit):	5.177107513443205
Encrypted:	false
SSDEEP:	384:w+I6eDqEP41C1plVjZ/C/nkemxe9iTkR98jHFHgrS/pJj+pl4fFF6ripgpSQSE0h:w+FEP4qTG/aTK98jHv+T4olpSzE0ebR+
MD5:	0BEC36AA3B1CF8C98D9B4F4A2D433FAE
SHA1:	6320C8F1027FADD63652F75D05D8A0523F45DB51
SHA-256:	3E9C6D57C4B3563E04B20BE5ADC419A0854D3A2ABAD93A39F49B973B52475314
SHA-512:	C392159578E892E70C97CC6A8BB3DB3BC9D7BF870849CC2A85171E6BE922A4D0ECC37E5EBAE5A8C79B2636BE649BA8475AF5048BD5CE958C790B945E1DDAF835
Malicious:	false
Preview:	!<arch>./ 1625488767 0 5072 `.......)...+...,...>:..>:...B...B..?r..?r..U...U...=d..=d..A...A...B^..B^..D...D...F...F...E...E...........H...H.../.../...;:..;:..D...D...?...?...H~..H~..;...;...FB..FB..9...9...<...<...C...C...C:..C:..I`..I`..Up..Up..En..En..>...>...=...=...G,..G,..:T..:T..B...B...7:..7:..H...H...6f..6f..?...?...VD..VD..2...2...2...2...4...4...5...5...5...5...M...M...MV..MV..Q...Q...U...U...P...P...Ll..Ll..L...L...N:..N:..O$..O$..O...O...P...P...P...P...Qp..Qp..RP..RP..R...R...S4..S4..S...S...T...T...T...T...8...8...K...K...I...I...A...A...G...G...A...A...2...2...4B..4B..0...0...0\..0\..8...8...8...8...D...D...9r..9r..:...:...N...N...@...@...@D..@D..7...7...3d..3d..5...5...3...3...<...<...1...1...1>..1>../.../.../z../z..J:..J:..K...K...J...J...K...K...<...<...6...6.__IMPORT_DESCRIPTOR_FTD2XX.__NULL_IMPORT_DESCRIPTOR..FTD2XX_NULL_THUNK_DATA._FT_Open@8.__imp__FT_Open@8._FT_Close@4.__imp__FT_Close@4._FT_Read@16.__imp__FT_Read@16._FT_Writ

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftdibus.sys

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	119376
Entropy (8bit):	6.73457938895639
Encrypted:	false
SSDEEP:	1536:516Fjux5YtPCotU4eAiJHDrgdXUR0JgN1srjQM9F9L2URlW96VTvsTVBIU:f6FjubcPC1Dr2UlYfFcUDDVTAVj
MD5:	AD4D72EEA5D4D9E6823C606104AD3984
SHA1:	B577FF68EC18F733DEC282AA714992F01F58BC67
SHA-256:	65B3DDE7820B256ECFA4BA3F8B757E3D4E30B139C005E8C00D1F831E5A378B5D
SHA-512:	48851E057AC02F79989F627FF25AC1B487024B0E4F0F600CFBEFDBBEF30BBC991AA4BF590828FFDFF26F1232ACBECC8047AFB922BF7558528B2337AFA84DBD8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`\f.3\f.3\f.3~..2[f.3\f.3(f.3~..2Uf.3~..2Yf.3.8.2\|f.3.8,3]f.3.8.2]f.3Rich\f.3................PE..L...R..`.................f...&...............P....@..................................a....@.................................L...d.......p...............PF..........@W..8...........................xW..@............P...............................text....5.......6.................. ..h.rdata.......P.......:..............@..H.data...P....`.......D..............@...PAGE..... ...p..."...F.............. ..`INIT.................h.............. ..b.rsrc...p............v..............@..B.reloc...............z..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftlang.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	255496
Entropy (8bit):	6.224431630683055
Encrypted:	false
SSDEEP:	3072:7NyYHXj3jtoBavVDctpMrNnIMpZ+vsViALa6sEsOkXlYJkveT/nQmiAj:79OBadOICAvPQmN
MD5:	D7F0ED8E9DB372C643E4E2F65A0561B7
SHA1:	DB0931D58D3AD19E6CF8FA71F577E62F6736631C
SHA-256:	8509256648E0797098F59978C2DC8CE5159152ED76301C88C0A72E2557E1A4C6
SHA-512:	9D936FDBE5559B9C0E910F03613CF5C27707B92A4965245747CBD21B2BFA5E4BC9CA4FC80797BABE002A19A79260A7DC96A7901B25A01B77C67F46D087319B13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........~..-..-..-...-..-..!-..-...-...-.a5-...-..-...-v..-...-v."-..-..%-..-.i-..-v. -..-Rich..-........................PE..L.../..`...........!.................................................................{...............................Q.......R..(.......h0...............<..............8............................G..@...............@............................text............................... ..`.rdata...i.......j..................@..@.data....1...`.......J..............@....rsrc...h0.......2...^..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftser2k.sys

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	85256
Entropy (8bit):	6.703919353941749
Encrypted:	false
SSDEEP:	1536:vVafdJikomtrqzLYuYk5/FM7deMu6IMjxp0uZh1lPP1D:aJipmlqYuY/deMuPcZhxD
MD5:	890A2E572CC94CF2D9CE7408CE9C2C49
SHA1:	1E58A6D04F93C8234F083DCC0A6EB11C21D40009
SHA-256:	C43D9D3940B212DB26471D240351E1DED48082A6ED3DD2B440688AADF672E74B
SHA-512:	E06D43B4ADF3AC23669530B75692C0A1F1D0241EB9A4400E7FF8EF0A43E590B76CCF1BD5BA2A87AFD6FDAE4F9DE0C5E855913749F8E77D7E877ADF0672778E93
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........FT..':W.':W.':W.';W.':W.G;V.':W.G9V.':W.G>V.':W.y>V.':W.y.W.':W.y8V.':WRich.':W........PE..L...d..`.............................$.......p....@..........................P......s@....@..................................%..P....0...................E...@......@z..8...........................xz..@............p..H............................text...h\.......^.................. ..h.rdata..D....p.......b..............@..H.data................p..............@...PAGESRP0@8.......:...r.............. ..`PAGESER..7.......8.................. ..`PAGE................................ ..`INIT....D.... ...................... ..b.rsrc........0......................@..B.reloc.......@......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftserui2.dll

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63496
Entropy (8bit):	6.349433261481209
Encrypted:	false
SSDEEP:	768:s3A4LlOEsxNaCSUeR4rJ+9rMr+5AMAaWAaWbH+Dda0FpJFo2Lh9W6Hbdgk:CA4LmsIeA+tMrAAMAaXEDdPPc967N
MD5:	6C13E579F94763A2299FB4AD27100E8C
SHA1:	95DF447E8895A28669AFB8D02E6C66AA6EEB865B
SHA-256:	4B8D9B66F76599DD8E309E08A92A63470CFF5AFC5814261B2E1C3C2023E4284E
SHA-512:	FAF4E73A7324AA3230A2CECE743C862B40A8D441A2B8394797A85CB1ADB9EB2585B83D755CC37D32CEA62C8A3F0256B6984F53DE5F7D22C9C3C8E0C5CB5A2D2D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E....................C......R.........T....E......D......U......'.......B......G.....Rich....................PE..L...'..`...........!.....z...D......G]....................................................@..................................\|...........$...............<......8.......................................@............................................text...qx.......z.................. ..`.data...P............~..............@....CRT................................@..@.rsrc....$.......&..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FTDI-Driver\licence.txt

Download File

Process:	C:\Users\user\Desktop\CDM212364_Setup.exe
File Type:	ASCII text, with very long lines (583), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	9143
Entropy (8bit):	4.831278761499327
Encrypted:	false
SSDEEP:	192:ICqecUMJI11ixmC0SD7TjVONTT3fmGJ0+Ga:IE/bvmdD7TjVYfDS+V
MD5:	5F2BD5BD92FB7740033159C59A8D1215
SHA1:	B8E38A2F4EBCC4DAD9DD5E73CFF82509F6043511
SHA-256:	4097665303729E520334B2DB9915DC3EF955E3518D08846AF73D464BFDAEA3A6
SHA-512:	18B59C28AF8BA6BAB439FBDF32868E63AEF6E8A6432847CE44B551F40ECB3C66F797C77D6EBD4E271563BCF71E7357A9301FF73FF0E5E70577584A91807C4E28
Malicious:	false
Preview:	IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT SOFTWARE: ..This licence agreement (Licence) is a legal agreement between you (Licensee or you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of driver software provided by the Licensor(Software).....BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE INSTALLATION OF THE SOFTWARE NOW.....1..GRANT AND SCOPE OF LICENCE....1.1.In consideration of you agreeing to abide by the terms of this Licence, the Licensor hereby grants to you a non-exclusive, non-transferable, royalty free licence to use the Software on the terms of this Licence.....1.2.In this Licence a "Genuine FTDI Component" means an item of hardware that was manufa

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\SETAA8E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	data
Category:	dropped
Size (bytes):	22608
Entropy (8bit):	5.965323528440976
Encrypted:	false
SSDEEP:	192:whASiyWWICmejj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a2E:YAw4rPFRO+NJ/AlGsJPY9
MD5:	60238C00694F838EED4757D1CE167D8B
SHA1:	0E39502D2CBD03ECF3973AD2F5F94DDB21C74B37
SHA-256:	113A35E6161F3AE8BB9D0E0F31913872C4B32FD6211ECE27DDDEB238F601EB59
SHA-512:	578A026793F2A30814A31BB9A63360BC2142E3263CB752B67CF8FFD3A65253D30E0BBA5BBD5D57759BA3455AB8F2D766FC14F6D6B5085833EA44936A08B8C713
Malicious:	false
Preview:	0.XL...H........X=0.X9...1.0...`.H.e......0.6...+.....7....6.0.6.0...+.....7.......;...@..:.T8-...210708145418Z0...+.....7.....0...0....R0.3.A.4.7.E.F.E.F.0.0.6.9.1.7.6.4.3.0.A.C.8.A.2.E.3.9.0.8.5.F.D.3.2.2.E.8.2.D.3...1..I0:..+.....7...1,0...F.i.l.e........f.t.s.e.r.2.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+..........~....vC....2...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.6.4.D.6.B.E.E.E.6.1.A.B.B.F.2.0.5.7.4.D.E.3.B.4.2.5.5.F.3.C.5.E.2.1.2.E.2.7.6...1..K0<..+.....7...1.0,...F.i.l.e........f.t.s.e.r.u.i.2...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........Mk......t.;BU.....v0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.9.2.9.B.B.A.B.9

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\SETAAAE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	18369
Entropy (8bit):	5.49132972724957
Encrypted:	false
SSDEEP:	384:KRD7TYsKwdRFr+40CejlZtOoggvxUkHlfD0fsEc886YVeZgTey:WDAm640CejlZtOoV5DfX88t
MD5:	B16B75B545A296EFC49805C94DFD334C
SHA1:	88DA6E6C3C9D94F6725D854CD866EA2CF305D67A
SHA-256:	00627112CF622CC6FB99A6B5DE24FCC61B6D0A211A6BD1E90B985BCF9950F6D9
SHA-512:	18C2B08A06AE87F5F2EEB79DEE4A3725FB5F8516D9C9F1CA60C5C96F06BA07493D4FB4199FBD67A042132201EC32C3E5B4331CF0671F787B3DA7A2C5A7197357
Malicious:	false
Preview:	; FTDIPORT.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..;..; USB serial port driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016.....; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In conside

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA3D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	99296
Entropy (8bit):	6.544765616961625
Encrypted:	false
SSDEEP:	1536:ateH5nh6Lk8irGapY1hgw+8wWXZ43CV5h9zYWSYZz8ITF:LZhck8irB4gXWp43g53UWSYtJF
MD5:	B66678FF4E347E22146609B3D5B7B2C4
SHA1:	632A3B4365F9256B13FF0F671260463A8972070D
SHA-256:	7A303AA880CC746D13F71E565874FB7C174747372CCF358B928A72219D2A50DD
SHA-512:	07D73174638953074165EEFB804394F21A1A115116459B96903FCB34A6656450BDCD2A9ABD0590EC5A63D3DF153301A8DDB527405D67DFF3065BB5108C52F575
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....{...{...{...z..{..yz...{..yx...{..y....{.]G....{.XG....{.]Gy...{.Rich..{.........PE..d......`.........."...........................@..........................................`.....................................................<....................>...E.......... ...8...........................`...................@............................text....n.......n.................. ..h.rdata..p............r..............@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGESRP0.E.......F.................. ..`PAGESER..@... ...B.................. ..`PAGE.........p.......".............. ..`INIT.................(.............. ..b.rsrc................8..............@..B.reloc...............<..............@..B................................................................................

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA4E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65544
Entropy (8bit):	6.240264971246993
Encrypted:	false
SSDEEP:	768:eNz2GaueQUOHlpEhZf25HY/Q2KDJko4zfrW86F+12Rer30bbYrc/a0FpJvh9Rebt:ex7eWvE3KMSQT12R60T/PP8H/3F
MD5:	3E5BCD980AF8B20313005D9A492CEC8A
SHA1:	060B9D1444327D3FAA56E3B35FC2BB606B692DD7
SHA-256:	55A23A2AC263E10B77D7E95601439F771062F2C248A8D93039A968D66100C39C
SHA-512:	DC4BA803EB3EAB0D5BA452ACA2C57095A74B1B3DBD82078ED17BBC34C5DB3F791EAB4A418D4C822C170B4D561D36D0E47BA6A2DA915A8B1797A88666B19C69F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q.\.Q.\.Q.\..\.Q.\.)H\.Q.\.)^\.Q.\.)Y\.Q.\.Q.\)Q.\.)N\.Q.\..\.Q.\.)O\.Q.\.)T\.Q.\...\.Q.\.)I\.Q.\.)L\.Q.\Rich.Q.\........PE..d......`.........." .........B......@]...............................................&....@......................................... ....................$...............<......0....................................................................................text.............................. ..`.data... ...........................@....pdata..............................@..@.rsrc....$.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\SETAA6E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75272
Entropy (8bit):	6.176258876551271
Encrypted:	false
SSDEEP:	1536:lxRShQnixg3RolUmf71kjy3JIO64l7Xuuy+fk+QI:lHShQnixg3RolUmzCy3JIO64l7euVfkQ
MD5:	AA69BF96E10F463082A0664B7A2E9FAE
SHA1:	D9CC34D613E8655FD7DA5293093E050D4D24AF5F
SHA-256:	C0224B9EF14365F6DDA96134CC77D978E69FBD61EFDADE6FD1EB676418C41023
SHA-512:	778599EEEE6C6F3F8C46E4BB774697E8528F03B30381BE3BA06298E23D1514039CC926E89AADAC2771074657A9478DCF60D4D92BDD69C7A5A094D59ED32F2993
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............................u.......u.......u.............u.......u.......u.......u......Rich....................PE..d...i..`.........." .........6......<d.......................................@............@.........................................p...Q... ...x.... ..X................<...0..`...0................................................................................text............................... ..`.data....&..........................@....pdata..............................@..@.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftcserco.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75272
Entropy (8bit):	6.176258876551271
Encrypted:	false
SSDEEP:	1536:lxRShQnixg3RolUmf71kjy3JIO64l7Xuuy+fk+QI:lHShQnixg3RolUmzCy3JIO64l7euVfkQ
MD5:	AA69BF96E10F463082A0664B7A2E9FAE
SHA1:	D9CC34D613E8655FD7DA5293093E050D4D24AF5F
SHA-256:	C0224B9EF14365F6DDA96134CC77D978E69FBD61EFDADE6FD1EB676418C41023
SHA-512:	778599EEEE6C6F3F8C46E4BB774697E8528F03B30381BE3BA06298E23D1514039CC926E89AADAC2771074657A9478DCF60D4D92BDD69C7A5A094D59ED32F2993
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............................u.......u.......u.............u.......u.......u.......u......Rich....................PE..d...i..`.........." .........6......<d.......................................@............@.........................................p...Q... ...x.... ..X................<...0..`...0................................................................................text............................... ..`.data....&..........................@....pdata..............................@..@.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftser2k.sys (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	99296
Entropy (8bit):	6.544765616961625
Encrypted:	false
SSDEEP:	1536:ateH5nh6Lk8irGapY1hgw+8wWXZ43CV5h9zYWSYZz8ITF:LZhck8irB4gXWp43g53UWSYtJF
MD5:	B66678FF4E347E22146609B3D5B7B2C4
SHA1:	632A3B4365F9256B13FF0F671260463A8972070D
SHA-256:	7A303AA880CC746D13F71E565874FB7C174747372CCF358B928A72219D2A50DD
SHA-512:	07D73174638953074165EEFB804394F21A1A115116459B96903FCB34A6656450BDCD2A9ABD0590EC5A63D3DF153301A8DDB527405D67DFF3065BB5108C52F575
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....{...{...{...z..{..yz...{..yx...{..y....{.]G....{.XG....{.]Gy...{.Rich..{.........PE..d......`.........."...........................@..........................................`.....................................................<....................>...E.......... ...8...........................`...................@............................text....n.......n.................. ..h.rdata..p............r..............@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGESRP0.E.......F.................. ..`PAGESER..@... ...B.................. ..`PAGE.........p.......".............. ..`INIT.................(.............. ..b.rsrc................8..............@..B.reloc...............<..............@..B................................................................................

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\amd64\ftserui2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65544
Entropy (8bit):	6.240264971246993
Encrypted:	false
SSDEEP:	768:eNz2GaueQUOHlpEhZf25HY/Q2KDJko4zfrW86F+12Rer30bbYrc/a0FpJvh9Rebt:ex7eWvE3KMSQT12R60T/PP8H/3F
MD5:	3E5BCD980AF8B20313005D9A492CEC8A
SHA1:	060B9D1444327D3FAA56E3B35FC2BB606B692DD7
SHA-256:	55A23A2AC263E10B77D7E95601439F771062F2C248A8D93039A968D66100C39C
SHA-512:	DC4BA803EB3EAB0D5BA452ACA2C57095A74B1B3DBD82078ED17BBC34C5DB3F791EAB4A418D4C822C170B4D561D36D0E47BA6A2DA915A8B1797A88666B19C69F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q.\.Q.\.Q.\..\.Q.\.)H\.Q.\.)^\.Q.\.)Y\.Q.\.Q.\)Q.\.)N\.Q.\..\.Q.\.)O\.Q.\.)T\.Q.\...\.Q.\.)I\.Q.\.)L\.Q.\Rich.Q.\........PE..d......`.........." .........B......@]...............................................&....@......................................... ....................$...............<......0....................................................................................text.............................. ..`.data... ...........................@....pdata..............................@..@.rsrc....$.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\ftdiport.cat (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	data
Category:	dropped
Size (bytes):	22608
Entropy (8bit):	5.965323528440976
Encrypted:	false
SSDEEP:	192:whASiyWWICmejj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a2E:YAw4rPFRO+NJ/AlGsJPY9
MD5:	60238C00694F838EED4757D1CE167D8B
SHA1:	0E39502D2CBD03ECF3973AD2F5F94DDB21C74B37
SHA-256:	113A35E6161F3AE8BB9D0E0F31913872C4B32FD6211ECE27DDDEB238F601EB59
SHA-512:	578A026793F2A30814A31BB9A63360BC2142E3263CB752B67CF8FFD3A65253D30E0BBA5BBD5D57759BA3455AB8F2D766FC14F6D6B5085833EA44936A08B8C713
Malicious:	false
Preview:	0.XL...H........X=0.X9...1.0...`.H.e......0.6...+.....7....6.0.6.0...+.....7.......;...@..:.T8-...210708145418Z0...+.....7.....0...0....R0.3.A.4.7.E.F.E.F.0.0.6.9.1.7.6.4.3.0.A.C.8.A.2.E.3.9.0.8.5.F.D.3.2.2.E.8.2.D.3...1..I0:..+.....7...1,0...F.i.l.e........f.t.s.e.r.2.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+..........~....vC....2...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.6.4.D.6.B.E.E.E.6.1.A.B.B.F.2.0.5.7.4.D.E.3.B.4.2.5.5.F.3.C.5.E.2.1.2.E.2.7.6...1..K0<..+.....7...1.0,...F.i.l.e........f.t.s.e.r.u.i.2...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........Mk......t.;BU.....v0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.9.2.9.B.B.A.B.9

C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\ftdiport.inf (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	18369
Entropy (8bit):	5.49132972724957
Encrypted:	false
SSDEEP:	384:KRD7TYsKwdRFr+40CejlZtOoggvxUkHlfD0fsEc886YVeZgTey:WDAm640CejlZtOoV5DfX88t
MD5:	B16B75B545A296EFC49805C94DFD334C
SHA1:	88DA6E6C3C9D94F6725D854CD866EA2CF305D67A
SHA-256:	00627112CF622CC6FB99A6B5DE24FCC61B6D0A211A6BD1E90B985BCF9950F6D9
SHA-512:	18C2B08A06AE87F5F2EEB79DEE4A3725FB5F8516D9C9F1CA60C5C96F06BA07493D4FB4199FBD67A042132201EC32C3E5B4331CF0671F787B3DA7A2C5A7197357
Malicious:	false
Preview:	; FTDIPORT.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..;..; USB serial port driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016.....; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In conside

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\SET95D7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	data
Category:	dropped
Size (bytes):	23417
Entropy (8bit):	5.948769892863068
Encrypted:	false
SSDEEP:	192:wIWIdFWkGHHPj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a22g:vyl4rPFRXp4hlTJdkC
MD5:	B392C785B9C2AA31187D1BD0A4F5EBA5
SHA1:	BD80456EAC30AE84B2A0E1CE9A4A364A01C68F39
SHA-256:	B286055896DEA79D4521368293DEEE801930F3FB503CC3076AC97716B338B0F7
SHA-512:	A22007089580CF066FF30D405F607B88F499754F7859EA98915FA2F5E35D21E91BBE4C25271F8C62357F11C2469FD20556D805A52071B96E30FBA8657C6338E6
Malicious:	false
Preview:	0.[u...H........[f0.[b...1.0...`.H.e......0.:...+.....7....:.0.:.0...+.....7............@..5;.t.u..210708145418Z0...+.....7.....0...0....R2.F.D.9.A.3.9.F.1.7.B.4.F.8.9.C.E.C.D.7.5.2.8.F.5.8.7.6.7.2.7.D.C.0.0.C.7.A.7.8...1..G08..+.....7...10(...F.i.l.e........f.t.d.2.x.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+......../........R.Xvr}..zx0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.5.C.D.6.B.7.1.5.A.A.2.D.4.E.7.E.E.1.9.1.E.C.B.D.F.B.8.C.7.F.7.5.4.D.4.1.7.6.2...1..I0:..+.....7...1,0*...F.i.l.e........f.t.d.i.b.u.s...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........E.kqZ..........T..b0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R5.3.F.D.E.7.C.9.4.8.8

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\SET95E8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	30650
Entropy (8bit):	5.516268884073016
Encrypted:	false
SSDEEP:	768:tDAm640CejlZtOojWnXD8yVxaQZdHwG5B8ZJDsyPxSQZXH4G7tVB03F3PPvZh/6:tbSjWJD8/5B03DU
MD5:	B404B591DCAE1E28603479A7963CB6F6
SHA1:	5D4AE8370FB8A05189B0ED9430459BCB97BB9E54
SHA-256:	FF361CDD7C814DB0BEA98578A731EF5C03BF457E06BCA9950FDBAB57A4D3C7F6
SHA-512:	F928FD950A1F57172DFDF2CC8D23A54381715EE79D492D3491EAEAF4ADCC11241F87A00E91F03B504F78DF1DEF4D7C4569A192D62E21088ABD6DBFD721134B04
Malicious:	false
Preview:	; FTDIBUS.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..; ..; USB serial converter driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016...; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In cons

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\FTLang.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	5.978951711504469
Encrypted:	false
SSDEEP:	3072:VTwkcrbAg7JNtvh8vULQzOdtsK9g0BIGpY29ZR0qhJRYxEda6sEsOkXlYJkveT/s:VTPzg5JSULQz2tsKi0B9305E9P+3
MD5:	662679682F491FBAF3D15953D13EC72E
SHA1:	9EA41242F7945A6814D757DA232359DFD7D421BD
SHA-256:	C2729911C4B82D8F9E22E057A1570D0265D7A9ECA44D6FE8DC0658F47263CE12
SHA-512:	E5305020F3BC11342EE9073780BAAE37FF700434B7C695980345C7E9DB56B03F8199CE0C278E549C4EB92B4294F1FC91A0DBBB1C033B13794648A24DC94837E5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;L..hL..hL..h..\hn..h..]h(..h..bhE..h.MvhO..hL..h...h.,\hN..h.,ahM..hA.fhM..hL.*hM..h.,chM..hRichL..h........................PE..d......`.........." .........:...............................................P............ .................................................@...(.......h0...............<...@..@... ...8............................c..p............................................text...;........................... ..`.rdata..&...........................@..@.data...X<..........................@....pdata..............................@..@.rsrc...h0.......2..................@..@.reloc..@....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET948B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647616
Entropy (8bit):	5.8372260150013044
Encrypted:	false
SSDEEP:	12288:k2Ruad22Cu6+wfhZLF5lfDOHc/aFMmymLRt+i2:332xNfhZLF5lfDOHvMTmLRt2
MD5:	BEFBC1A8F6C2B8E143DDD97CCB6561B5
SHA1:	44B085C25026DABE6280C539F43DD0755FB28499
SHA-256:	774AF8B12C85D03562742ACDF222AF5E0432167BF107BA4B260757E4A5E36866
SHA-512:	A41B29E0493AD8ED57F55B8AA557AED460794894A5A53B057EEEF017A81F071A09DD298FB63EB0277344A9B69D790699131642106124320FB80BA87D1AD60DD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.H.I...I...I..p.J..I..p.H.VI..p.I..I.......I.......I.......I....p..I...I..GI..S....I..S....I..V.D..I...I,..I..S....I..Rich.I..................PE..d...;..`.........." .........D......3A.......................................0.......'....`.................................................@...d.......i....`...U.......!...........w..8............................x..................@............................text...J........................... ..`.rdata...k.......l..................@..@.data....:... ......................@....pdata..4_...`...`...$..............@..@.idata..............................@..@.gfids..............................@..@.00cfg..............................@..@.rsrc...i...........................@..@.reloc..P...........................@..B........................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET94DA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168456
Entropy (8bit):	6.246480364593094
Encrypted:	false
SSDEEP:	3072:a+f/hrqTv5CgCn2p+WsDC7wQGXLCoeofwaqVcppnx1um75JXZ4:a+cTglYOQwQ4uoebaq4r5n4
MD5:	D79A5E34F684B547FA2F963DFCC15A21
SHA1:	81CCA464D4C8773B00F0A6F170F402FFE2D6A9C8
SHA-256:	4BBC0B301A7C5A6B1B73878CE3AEEB191F5FCEAC05835372142206D79AC81559
SHA-512:	E199F40F06F674EB8EC0E599FFF47A36D4495F4F2FFEE96CADFD00ABA9D5BB127F4461090322244EC973FCC2C8AE119FB12CE65AD585CCAA570115B7D957EA28
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d...d...d...5v..d...5w..d...5H..d....\..d...d...d..\|.v..d..\|.K..d...6L..d...d...d..\|.I..d..Rich.d..........PE..d......`.........." .....x...........5.................................................... .................. ......................P...h.......d.......@....p.......V...<..............8...........................0...p............................................text...Tw.......x.................. ..`.rdata...............\|..............@..@.data...`:...0......................@....pdata.......p.......(..............@..@.rsrc...@............>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET94FA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145192
Entropy (8bit):	6.492981302114183
Encrypted:	false
SSDEEP:	3072:np+Tpx5m9iS1H41Un58rdppcZxPtlGU1WopW:n8x5sJ4q58rdppcjPt9WoU
MD5:	AB7418C8DFBBB97BEFB4F0ADED3D4663
SHA1:	B9A7A3FBBA707BA52F8AC4339070473A486CE7B7
SHA-256:	3BD5BB7E646E67469EC25A37CAA5131CF992759703B0FC170DF7AF265B9F8E74
SHA-512:	BE19D2CFE8C9198CE43470FDB6B6030EB4BD1B4080887CB6F1D69C2B661BBD79FFA85B4B70FDBE97BADADF2B75CE7FBE7B627FE08FB1DF3104CC16842E609A40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........VAA.7/..7/..7/..W)..7/..7...7/..W...7/..W,..7/..W+..7/..i+..7/..i...7/..i-..7/.Rich.7/.................PE..d......`.........."..........<.................@.............................@......W.....`.....................................................P.... ..p...............(G...0..\|.......8............................................................................text...3z.......\|.................. ..h.rdata..p........ ..................@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGE.....%.......&.................. ..`INIT....B........................... ..b.rsrc...p.... ......................@..B.reloc..\|....0......................@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\SET951B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	5.978951711504469
Encrypted:	false
SSDEEP:	3072:VTwkcrbAg7JNtvh8vULQzOdtsK9g0BIGpY29ZR0qhJRYxEda6sEsOkXlYJkveT/s:VTPzg5JSULQz2tsKi0B9305E9P+3
MD5:	662679682F491FBAF3D15953D13EC72E
SHA1:	9EA41242F7945A6814D757DA232359DFD7D421BD
SHA-256:	C2729911C4B82D8F9E22E057A1570D0265D7A9ECA44D6FE8DC0658F47263CE12
SHA-512:	E5305020F3BC11342EE9073780BAAE37FF700434B7C695980345C7E9DB56B03F8199CE0C278E549C4EB92B4294F1FC91A0DBBB1C033B13794648A24DC94837E5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;L..hL..hL..h..\hn..h..]h(..h..bhE..h.MvhO..hL..h...h.,\hN..h.,ahM..hA.fhM..hL.*hM..h.,chM..hRichL..h........................PE..d......`.........." .........:...............................................P............ .................................................@...(.......h0...............<...@..@... ...8............................c..p............................................text...;........................... ..`.rdata..&...........................@..@.data...X<..........................@....pdata..............................@..@.rsrc...h0.......2..................@..@.reloc..@....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftbusui.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168456
Entropy (8bit):	6.246480364593094
Encrypted:	false
SSDEEP:	3072:a+f/hrqTv5CgCn2p+WsDC7wQGXLCoeofwaqVcppnx1um75JXZ4:a+cTglYOQwQ4uoebaq4r5n4
MD5:	D79A5E34F684B547FA2F963DFCC15A21
SHA1:	81CCA464D4C8773B00F0A6F170F402FFE2D6A9C8
SHA-256:	4BBC0B301A7C5A6B1B73878CE3AEEB191F5FCEAC05835372142206D79AC81559
SHA-512:	E199F40F06F674EB8EC0E599FFF47A36D4495F4F2FFEE96CADFD00ABA9D5BB127F4461090322244EC973FCC2C8AE119FB12CE65AD585CCAA570115B7D957EA28
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d...d...d...5v..d...5w..d...5H..d....\..d...d...d..\|.v..d..\|.K..d...6L..d...d...d..\|.I..d..Rich.d..........PE..d......`.........." .....x...........5.................................................... .................. ......................P...h.......d.......@....p.......V...<..............8...........................0...p............................................text...Tw.......x.................. ..`.rdata...............\|..............@..@.data...`:...0......................@....pdata.......p.......(..............@..@.rsrc...@............>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftd2xx64.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647616
Entropy (8bit):	5.8372260150013044
Encrypted:	false
SSDEEP:	12288:k2Ruad22Cu6+wfhZLF5lfDOHc/aFMmymLRt+i2:332xNfhZLF5lfDOHvMTmLRt2
MD5:	BEFBC1A8F6C2B8E143DDD97CCB6561B5
SHA1:	44B085C25026DABE6280C539F43DD0755FB28499
SHA-256:	774AF8B12C85D03562742ACDF222AF5E0432167BF107BA4B260757E4A5E36866
SHA-512:	A41B29E0493AD8ED57F55B8AA557AED460794894A5A53B057EEEF017A81F071A09DD298FB63EB0277344A9B69D790699131642106124320FB80BA87D1AD60DD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.H.I...I...I..p.J..I..p.H.VI..p.I..I.......I.......I.......I....p..I...I..GI..S....I..S....I..V.D..I...I,..I..S....I..Rich.I..................PE..d...;..`.........." .........D......3A.......................................0.......'....`.................................................@...d.......i....`...U.......!...........w..8............................x..................@............................text...J........................... ..`.rdata...k.......l..................@..@.data....:... ......................@....pdata..4_...`...`...$..............@..@.idata..............................@..@.gfids..............................@..@.00cfg..............................@..@.rsrc...i...........................@..@.reloc..P...........................@..B........................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\amd64\ftdibus.sys (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145192
Entropy (8bit):	6.492981302114183
Encrypted:	false
SSDEEP:	3072:np+Tpx5m9iS1H41Un58rdppcZxPtlGU1WopW:n8x5sJ4q58rdppcjPt9WoU
MD5:	AB7418C8DFBBB97BEFB4F0ADED3D4663
SHA1:	B9A7A3FBBA707BA52F8AC4339070473A486CE7B7
SHA-256:	3BD5BB7E646E67469EC25A37CAA5131CF992759703B0FC170DF7AF265B9F8E74
SHA-512:	BE19D2CFE8C9198CE43470FDB6B6030EB4BD1B4080887CB6F1D69C2B661BBD79FFA85B4B70FDBE97BADADF2B75CE7FBE7B627FE08FB1DF3104CC16842E609A40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........VAA.7/..7/..7/..W)..7/..7...7/..W...7/..W,..7/..W+..7/..i+..7/..i...7/..i-..7/.Rich.7/.................PE..d......`.........."..........<.................@.............................@......W.....`.....................................................P.... ..p...............(G...0..\|.......8............................................................................text...3z.......\|.................. ..h.rdata..p........ ..................@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGE.....%.......&.................. ..`INIT....B........................... ..b.rsrc...p.... ......................@..B.reloc..\|....0......................@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\ftdibus.cat (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	data
Category:	dropped
Size (bytes):	23417
Entropy (8bit):	5.948769892863068
Encrypted:	false
SSDEEP:	192:wIWIdFWkGHHPj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a22g:vyl4rPFRXp4hlTJdkC
MD5:	B392C785B9C2AA31187D1BD0A4F5EBA5
SHA1:	BD80456EAC30AE84B2A0E1CE9A4A364A01C68F39
SHA-256:	B286055896DEA79D4521368293DEEE801930F3FB503CC3076AC97716B338B0F7
SHA-512:	A22007089580CF066FF30D405F607B88F499754F7859EA98915FA2F5E35D21E91BBE4C25271F8C62357F11C2469FD20556D805A52071B96E30FBA8657C6338E6
Malicious:	false
Preview:	0.[u...H........[f0.[b...1.0...`.H.e......0.:...+.....7....:.0.:.0...+.....7............@..5;.t.u..210708145418Z0...+.....7.....0...0....R2.F.D.9.A.3.9.F.1.7.B.4.F.8.9.C.E.C.D.7.5.2.8.F.5.8.7.6.7.2.7.D.C.0.0.C.7.A.7.8...1..G08..+.....7...10(...F.i.l.e........f.t.d.2.x.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+......../........R.Xvr}..zx0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.5.C.D.6.B.7.1.5.A.A.2.D.4.E.7.E.E.1.9.1.E.C.B.D.F.B.8.C.7.F.7.5.4.D.4.1.7.6.2...1..I0:..+.....7...1,0*...F.i.l.e........f.t.d.i.b.u.s...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........E.kqZ..........T..b0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R5.3.F.D.E.7.C.9.4.8.8

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\ftdibus.inf (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	30650
Entropy (8bit):	5.516268884073016
Encrypted:	false
SSDEEP:	768:tDAm640CejlZtOojWnXD8yVxaQZdHwG5B8ZJDsyPxSQZXH4G7tVB03F3PPvZh/6:tbSjWJD8/5B03DU
MD5:	B404B591DCAE1E28603479A7963CB6F6
SHA1:	5D4AE8370FB8A05189B0ED9430459BCB97BB9E54
SHA-256:	FF361CDD7C814DB0BEA98578A731EF5C03BF457E06BCA9950FDBAB57A4D3C7F6
SHA-512:	F928FD950A1F57172DFDF2CC8D23A54381715EE79D492D3491EAEAF4ADCC11241F87A00E91F03B504F78DF1DEF4D7C4569A192D62E21088ABD6DBFD721134B04
Malicious:	false
Preview:	; FTDIBUS.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..; ..; USB serial converter driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016...; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In cons

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\i386\SET9721.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392128
Entropy (8bit):	6.675882265173621
Encrypted:	false
SSDEEP:	6144:6cumjO3f6acDJuRkgm3qP12tHi3b+cVZhPTlqWMTZ4Rp71RpeRjK3q:6cBjQf6acERkkP12tqbBxTlqWUop5ywa
MD5:	6FFEB45E0137622EBBBA8361107D304E
SHA1:	01B3F848148A276F6317D6C98EDBDB1133F458DA
SHA-256:	60BB0D6348B1EB0127401AA902F34C963D9196D2778C66F4008A6CF0C6F098A5
SHA-512:	BC3D9DDCB1FC249CF1A3A11EEFE9131280F18CB538C381C46B1818354E947690D52FD38B14674A7BB51CE5FF73F4B8721D19FD4960694B3442ECC90C58F75052
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.6._je._je._jei.e._jei.eO_jei.e._je..id._je..od._je..nd._je...e._je._ke\_jeJ.od._jeJ.jd._jeO..e._je._.e._jeJ.hd._jeRich._je................PE..L......`...........!.........................................................0......Tq..........................................d.......X................!.......(.....T...........................(...@............................................text............................... ..`.rdata..............................@..@.data...X$..........................@....gfids..............................@..@.rsrc...X...........................@..@.reloc...(.......(..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\i386\ftd2xx.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392128
Entropy (8bit):	6.675882265173621
Encrypted:	false
SSDEEP:	6144:6cumjO3f6acDJuRkgm3qP12tHi3b+cVZhPTlqWMTZ4Rp71RpeRjK3q:6cBjQf6acERkkP12tqbBxTlqWUop5ywa
MD5:	6FFEB45E0137622EBBBA8361107D304E
SHA1:	01B3F848148A276F6317D6C98EDBDB1133F458DA
SHA-256:	60BB0D6348B1EB0127401AA902F34C963D9196D2778C66F4008A6CF0C6F098A5
SHA-512:	BC3D9DDCB1FC249CF1A3A11EEFE9131280F18CB538C381C46B1818354E947690D52FD38B14674A7BB51CE5FF73F4B8721D19FD4960694B3442ECC90C58F75052
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.6._je._je._jei.e._jei.eO_jei.e._je..id._je..od._je..nd._je...e._je._ke\_jeJ.od._jeJ.jd._jeO..e._je._.e._jeJ.hd._jeRich._je................PE..L......`...........!.........................................................0......Tq..........................................d.......X................!.......(.....T...........................(...@............................................text............................... ..`.rdata..............................@..@.data...X$..........................@....gfids..............................@..@.rsrc...X...........................@..@.reloc...(.......(..................@..B................................................................................................................................................................................................................................................

C:\Windows\DPINST.LOG

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	6322
Entropy (8bit):	3.6711467130211832
Encrypted:	false
SSDEEP:	96:857JdrR40Q2uEQ6TDQ63Uy9saGJsaxhHJBy9iJN8HB57k:a75WaFaXqBP7k
MD5:	3A9C494A395BFC495BA8C3901352844C
SHA1:	A8CA0A1B302FDE87058555B072F7679A37523FC9
SHA-256:	157FD4E008C74C6AE5D21F6483F3973CA87E669EA6F13F3B2D78FA1CDF762F68
SHA-512:	97C5992B8352A79B8BF80AE1C572DD1B198C227E28447F192132B7C618F4C24E13CFA7C79B59C0B8B2814C953FB05BE15C7000671FF4369381077195CCB9976C
Malicious:	false
Preview:	..I.N.F.O.:. . . .............................................I.N.F.O.:. . . .0.4./.2.3./.2.0.2.4. .0.9.:.2.1.:.0.6.....I.N.F.O.:. . . .P.r.o.d.u.c.t. .V.e.r.s.i.o.n. .2...1...0...0.......I.N.F.O.:. . . .V.e.r.s.i.o.n.:. .6...2...9.2.0.0. .....I.N.F.O.:. . . .P.l.a.t.f.o.r.m. .I.D.:. .2. .(.N.T.).....I.N.F.O.:. . . .S.e.r.v.i.c.e. .P.a.c.k.:. .0...0.....I.N.F.O.:. . . .S.u.i.t.e.:. .0.x.0.1.0.0.,. .P.r.o.d.u.c.t. .T.y.p.e.:. .1.....I.N.F.O.:. . . .A.r.c.h.i.t.e.c.t.u.r.e.:. .A.M.D.6.4.......I.N.F.O.:. . . .I.n.t.e.r.a.c.t.i.v.e. .W.i.n.d.o.w.s. .S.t.a.t.i.o.n.....I.N.F.O.:. . . .C.o.m.m.a.n.d. .L.i.n.e.:. .'.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.F.T.D.I.-.D.r.i.v.e.r.\.d.p.i.n.s.t.-.a.m.d.6.4...e.x.e. ./.s.a.'.....I.N.F.O.:. . . .D.P.I.n.s.t. .i.s. .n.o.t. .m.u.l.t.i.-.l.i.n.g.u.a.l.......I.N.F.O.:. . . .............................................I.N.F.O.:. . . .C.u.r.r.e.n.t.

C:\Windows\INF\oem4.inf

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	30650
Entropy (8bit):	5.516268884073016
Encrypted:	false
SSDEEP:	768:tDAm640CejlZtOojWnXD8yVxaQZdHwG5B8ZJDsyPxSQZXH4G7tVB03F3PPvZh/6:tbSjWJD8/5B03DU
MD5:	B404B591DCAE1E28603479A7963CB6F6
SHA1:	5D4AE8370FB8A05189B0ED9430459BCB97BB9E54
SHA-256:	FF361CDD7C814DB0BEA98578A731EF5C03BF457E06BCA9950FDBAB57A4D3C7F6
SHA-512:	F928FD950A1F57172DFDF2CC8D23A54381715EE79D492D3491EAEAF4ADCC11241F87A00E91F03B504F78DF1DEF4D7C4569A192D62E21088ABD6DBFD721134B04
Malicious:	false
Preview:	; FTDIBUS.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..; ..; USB serial converter driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016...; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In cons

C:\Windows\INF\oem5.inf

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	18369
Entropy (8bit):	5.49132972724957
Encrypted:	false
SSDEEP:	384:KRD7TYsKwdRFr+40CejlZtOoggvxUkHlfD0fsEc886YVeZgTey:WDAm640CejlZtOoV5DfX88t
MD5:	B16B75B545A296EFC49805C94DFD334C
SHA1:	88DA6E6C3C9D94F6725D854CD866EA2CF305D67A
SHA-256:	00627112CF622CC6FB99A6B5DE24FCC61B6D0A211A6BD1E90B985BCF9950F6D9
SHA-512:	18C2B08A06AE87F5F2EEB79DEE4A3725FB5F8516D9C9F1CA60C5C96F06BA07493D4FB4199FBD67A042132201EC32C3E5B4331CF0671F787B3DA7A2C5A7197357
Malicious:	false
Preview:	; FTDIPORT.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..;..; USB serial port driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016.....; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In conside

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	49873
Entropy (8bit):	5.263777111024947
Encrypted:	false
SSDEEP:	768:Own95cdyYloiwQ+c2mwPvvYCVdTaEAg8eo/iD:O+5cdyeoiwQ+cJiD
MD5:	A6CB45DCFE03B70C5E7CBAC7DBE7FAE0
SHA1:	DC003D46581E21E6DADDC4EE804339D029233EFB
SHA-256:	FD15E5AA69EF9CE8933DAB759EEEC04AC3444DC09500DD48316E1E518136279E
SHA-512:	AF4A461BDAB6684C48B804DAD34736E200C09057D66DEFE5680865413A93425F48D12F8E8FC2F9260D0EE775877DB8FD43869B4377A411A8017E7AFFBCE767F0
Malicious:	false
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\SETACF8.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	22608
Entropy (8bit):	5.965323528440976
Encrypted:	false
SSDEEP:	192:whASiyWWICmejj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a2E:YAw4rPFRO+NJ/AlGsJPY9
MD5:	60238C00694F838EED4757D1CE167D8B
SHA1:	0E39502D2CBD03ECF3973AD2F5F94DDB21C74B37
SHA-256:	113A35E6161F3AE8BB9D0E0F31913872C4B32FD6211ECE27DDDEB238F601EB59
SHA-512:	578A026793F2A30814A31BB9A63360BC2142E3263CB752B67CF8FFD3A65253D30E0BBA5BBD5D57759BA3455AB8F2D766FC14F6D6B5085833EA44936A08B8C713
Malicious:	false
Preview:	0.XL...H........X=0.X9...1.0...`.H.e......0.6...+.....7....6.0.6.0...+.....7.......;...@..:.T8-...210708145418Z0...+.....7.....0...0....R0.3.A.4.7.E.F.E.F.0.0.6.9.1.7.6.4.3.0.A.C.8.A.2.E.3.9.0.8.5.F.D.3.2.2.E.8.2.D.3...1..I0:..+.....7...1,0...F.i.l.e........f.t.s.e.r.2.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+..........~....vC....2...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.6.4.D.6.B.E.E.E.6.1.A.B.B.F.2.0.5.7.4.D.E.3.B.4.2.5.5.F.3.C.5.E.2.1.2.E.2.7.6...1..K0<..+.....7...1.0,...F.i.l.e........f.t.s.e.r.u.i.2...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........Mk......t.;BU.....v0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.9.2.9.B.B.A.B.9

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\SETAD18.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	18369
Entropy (8bit):	5.49132972724957
Encrypted:	false
SSDEEP:	384:KRD7TYsKwdRFr+40CejlZtOoggvxUkHlfD0fsEc886YVeZgTey:WDAm640CejlZtOoV5DfX88t
MD5:	B16B75B545A296EFC49805C94DFD334C
SHA1:	88DA6E6C3C9D94F6725D854CD866EA2CF305D67A
SHA-256:	00627112CF622CC6FB99A6B5DE24FCC61B6D0A211A6BD1E90B985BCF9950F6D9
SHA-512:	18C2B08A06AE87F5F2EEB79DEE4A3725FB5F8516D9C9F1CA60C5C96F06BA07493D4FB4199FBD67A042132201EC32C3E5B4331CF0671F787B3DA7A2C5A7197357
Malicious:	false
Preview:	; FTDIPORT.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..;..; USB serial port driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016.....; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In conside

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACA7.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	99296
Entropy (8bit):	6.544765616961625
Encrypted:	false
SSDEEP:	1536:ateH5nh6Lk8irGapY1hgw+8wWXZ43CV5h9zYWSYZz8ITF:LZhck8irB4gXWp43g53UWSYtJF
MD5:	B66678FF4E347E22146609B3D5B7B2C4
SHA1:	632A3B4365F9256B13FF0F671260463A8972070D
SHA-256:	7A303AA880CC746D13F71E565874FB7C174747372CCF358B928A72219D2A50DD
SHA-512:	07D73174638953074165EEFB804394F21A1A115116459B96903FCB34A6656450BDCD2A9ABD0590EC5A63D3DF153301A8DDB527405D67DFF3065BB5108C52F575
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....{...{...{...z..{..yz...{..yx...{..y....{.]G....{.XG....{.]Gy...{.Rich..{.........PE..d......`.........."...........................@..........................................`.....................................................<....................>...E.......... ...8...........................`...................@............................text....n.......n.................. ..h.rdata..p............r..............@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGESRP0.E.......F.................. ..`PAGESER..@... ...B.................. ..`PAGE.........p.......".............. ..`INIT.................(.............. ..b.rsrc................8..............@..B.reloc...............<..............@..B................................................................................

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACC7.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65544
Entropy (8bit):	6.240264971246993
Encrypted:	false
SSDEEP:	768:eNz2GaueQUOHlpEhZf25HY/Q2KDJko4zfrW86F+12Rer30bbYrc/a0FpJvh9Rebt:ex7eWvE3KMSQT12R60T/PP8H/3F
MD5:	3E5BCD980AF8B20313005D9A492CEC8A
SHA1:	060B9D1444327D3FAA56E3B35FC2BB606B692DD7
SHA-256:	55A23A2AC263E10B77D7E95601439F771062F2C248A8D93039A968D66100C39C
SHA-512:	DC4BA803EB3EAB0D5BA452ACA2C57095A74B1B3DBD82078ED17BBC34C5DB3F791EAB4A418D4C822C170B4D561D36D0E47BA6A2DA915A8B1797A88666B19C69F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q.\.Q.\.Q.\..\.Q.\.)H\.Q.\.)^\.Q.\.)Y\.Q.\.Q.\)Q.\.)N\.Q.\..\.Q.\.)O\.Q.\.)T\.Q.\...\.Q.\.)I\.Q.\.)L\.Q.\Rich.Q.\........PE..d......`.........." .........B......@]...............................................&....@......................................... ....................$...............<......0....................................................................................text.............................. ..`.data... ...........................@....pdata..............................@..@.rsrc....$.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\SETACE7.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75272
Entropy (8bit):	6.176258876551271
Encrypted:	false
SSDEEP:	1536:lxRShQnixg3RolUmf71kjy3JIO64l7Xuuy+fk+QI:lHShQnixg3RolUmzCy3JIO64l7euVfkQ
MD5:	AA69BF96E10F463082A0664B7A2E9FAE
SHA1:	D9CC34D613E8655FD7DA5293093E050D4D24AF5F
SHA-256:	C0224B9EF14365F6DDA96134CC77D978E69FBD61EFDADE6FD1EB676418C41023
SHA-512:	778599EEEE6C6F3F8C46E4BB774697E8528F03B30381BE3BA06298E23D1514039CC926E89AADAC2771074657A9478DCF60D4D92BDD69C7A5A094D59ED32F2993
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............................u.......u.......u.............u.......u.......u.......u......Rich....................PE..d...i..`.........." .........6......<d.......................................@............@.........................................p...Q... ...x.... ..X................<...0..`...0................................................................................text............................... ..`.data....&..........................@....pdata..............................@..@.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftcserco.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75272
Entropy (8bit):	6.176258876551271
Encrypted:	false
SSDEEP:	1536:lxRShQnixg3RolUmf71kjy3JIO64l7Xuuy+fk+QI:lHShQnixg3RolUmzCy3JIO64l7euVfkQ
MD5:	AA69BF96E10F463082A0664B7A2E9FAE
SHA1:	D9CC34D613E8655FD7DA5293093E050D4D24AF5F
SHA-256:	C0224B9EF14365F6DDA96134CC77D978E69FBD61EFDADE6FD1EB676418C41023
SHA-512:	778599EEEE6C6F3F8C46E4BB774697E8528F03B30381BE3BA06298E23D1514039CC926E89AADAC2771074657A9478DCF60D4D92BDD69C7A5A094D59ED32F2993
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............................u.......u.......u.............u.......u.......u.......u......Rich....................PE..d...i..`.........." .........6......<d.......................................@............@.........................................p...Q... ...x.... ..X................<...0..`...0................................................................................text............................... ..`.data....&..........................@....pdata..............................@..@.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftser2k.sys (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	99296
Entropy (8bit):	6.544765616961625
Encrypted:	false
SSDEEP:	1536:ateH5nh6Lk8irGapY1hgw+8wWXZ43CV5h9zYWSYZz8ITF:LZhck8irB4gXWp43g53UWSYtJF
MD5:	B66678FF4E347E22146609B3D5B7B2C4
SHA1:	632A3B4365F9256B13FF0F671260463A8972070D
SHA-256:	7A303AA880CC746D13F71E565874FB7C174747372CCF358B928A72219D2A50DD
SHA-512:	07D73174638953074165EEFB804394F21A1A115116459B96903FCB34A6656450BDCD2A9ABD0590EC5A63D3DF153301A8DDB527405D67DFF3065BB5108C52F575
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x....{...{...{...z..{..yz...{..yx...{..y....{.]G....{.XG....{.]Gy...{.Rich..{.........PE..d......`.........."...........................@..........................................`.....................................................<....................>...E.......... ...8...........................`...................@............................text....n.......n.................. ..h.rdata..p............r..............@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGESRP0.E.......F.................. ..`PAGESER..@... ...B.................. ..`PAGE.........p.......".............. ..`INIT.................(.............. ..b.rsrc................8..............@..B.reloc...............<..............@..B................................................................................

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\amd64\ftserui2.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65544
Entropy (8bit):	6.240264971246993
Encrypted:	false
SSDEEP:	768:eNz2GaueQUOHlpEhZf25HY/Q2KDJko4zfrW86F+12Rer30bbYrc/a0FpJvh9Rebt:ex7eWvE3KMSQT12R60T/PP8H/3F
MD5:	3E5BCD980AF8B20313005D9A492CEC8A
SHA1:	060B9D1444327D3FAA56E3B35FC2BB606B692DD7
SHA-256:	55A23A2AC263E10B77D7E95601439F771062F2C248A8D93039A968D66100C39C
SHA-512:	DC4BA803EB3EAB0D5BA452ACA2C57095A74B1B3DBD82078ED17BBC34C5DB3F791EAB4A418D4C822C170B4D561D36D0E47BA6A2DA915A8B1797A88666B19C69F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q.\.Q.\.Q.\..\.Q.\.)H\.Q.\.)^\.Q.\.)Y\.Q.\.Q.\)Q.\.)N\.Q.\..\.Q.\.)O\.Q.\.)T\.Q.\...\.Q.\.)I\.Q.\.)L\.Q.\Rich.Q.\........PE..d......`.........." .........B......@]...............................................&....@......................................... ....................$...............<......0....................................................................................text.............................. ..`.data... ...........................@....pdata..............................@..@.rsrc....$.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\ftdiport.cat (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	22608
Entropy (8bit):	5.965323528440976
Encrypted:	false
SSDEEP:	192:whASiyWWICmejj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a2E:YAw4rPFRO+NJ/AlGsJPY9
MD5:	60238C00694F838EED4757D1CE167D8B
SHA1:	0E39502D2CBD03ECF3973AD2F5F94DDB21C74B37
SHA-256:	113A35E6161F3AE8BB9D0E0F31913872C4B32FD6211ECE27DDDEB238F601EB59
SHA-512:	578A026793F2A30814A31BB9A63360BC2142E3263CB752B67CF8FFD3A65253D30E0BBA5BBD5D57759BA3455AB8F2D766FC14F6D6B5085833EA44936A08B8C713
Malicious:	false
Preview:	0.XL...H........X=0.X9...1.0...`.H.e......0.6...+.....7....6.0.6.0...+.....7.......;...@..:.T8-...210708145418Z0...+.....7.....0...0....R0.3.A.4.7.E.F.E.F.0.0.6.9.1.7.6.4.3.0.A.C.8.A.2.E.3.9.0.8.5.F.D.3.2.2.E.8.2.D.3...1..I0:..+.....7...1,0...F.i.l.e........f.t.s.e.r.2.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+..........~....vC....2...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.6.4.D.6.B.E.E.E.6.1.A.B.B.F.2.0.5.7.4.D.E.3.B.4.2.5.5.F.3.C.5.E.2.1.2.E.2.7.6...1..K0<..+.....7...1.0,...F.i.l.e........f.t.s.e.r.u.i.2...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........Mk......t.;BU.....v0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.9.2.9.B.B.A.B.9

C:\Windows\System32\DriverStore\Temp\{bd487de8-903b-3d4c-bbd6-993dcd855b21}\ftdiport.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	18369
Entropy (8bit):	5.49132972724957
Encrypted:	false
SSDEEP:	384:KRD7TYsKwdRFr+40CejlZtOoggvxUkHlfD0fsEc886YVeZgTey:WDAm640CejlZtOoV5DfX88t
MD5:	B16B75B545A296EFC49805C94DFD334C
SHA1:	88DA6E6C3C9D94F6725D854CD866EA2CF305D67A
SHA-256:	00627112CF622CC6FB99A6B5DE24FCC61B6D0A211A6BD1E90B985BCF9950F6D9
SHA-512:	18C2B08A06AE87F5F2EEB79DEE4A3725FB5F8516D9C9F1CA60C5C96F06BA07493D4FB4199FBD67A042132201EC32C3E5B4331CF0671F787B3DA7A2C5A7197357
Malicious:	false
Preview:	; FTDIPORT.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..;..; USB serial port driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016.....; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In conside

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\SETA095.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	23417
Entropy (8bit):	5.948769892863068
Encrypted:	false
SSDEEP:	192:wIWIdFWkGHHPj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a22g:vyl4rPFRXp4hlTJdkC
MD5:	B392C785B9C2AA31187D1BD0A4F5EBA5
SHA1:	BD80456EAC30AE84B2A0E1CE9A4A364A01C68F39
SHA-256:	B286055896DEA79D4521368293DEEE801930F3FB503CC3076AC97716B338B0F7
SHA-512:	A22007089580CF066FF30D405F607B88F499754F7859EA98915FA2F5E35D21E91BBE4C25271F8C62357F11C2469FD20556D805A52071B96E30FBA8657C6338E6
Malicious:	false
Preview:	0.[u...H........[f0.[b...1.0...`.H.e......0.:...+.....7....:.0.:.0...+.....7............@..5;.t.u..210708145418Z0...+.....7.....0...0....R2.F.D.9.A.3.9.F.1.7.B.4.F.8.9.C.E.C.D.7.5.2.8.F.5.8.7.6.7.2.7.D.C.0.0.C.7.A.7.8...1..G08..+.....7...10(...F.i.l.e........f.t.d.2.x.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+......../........R.Xvr}..zx0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.5.C.D.6.B.7.1.5.A.A.2.D.4.E.7.E.E.1.9.1.E.C.B.D.F.B.8.C.7.F.7.5.4.D.4.1.7.6.2...1..I0:..+.....7...1,0*...F.i.l.e........f.t.d.i.b.u.s...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........E.kqZ..........T..b0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R5.3.F.D.E.7.C.9.4.8.8

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\SETA0A6.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	30650
Entropy (8bit):	5.516268884073016
Encrypted:	false
SSDEEP:	768:tDAm640CejlZtOojWnXD8yVxaQZdHwG5B8ZJDsyPxSQZXH4G7tVB03F3PPvZh/6:tbSjWJD8/5B03DU
MD5:	B404B591DCAE1E28603479A7963CB6F6
SHA1:	5D4AE8370FB8A05189B0ED9430459BCB97BB9E54
SHA-256:	FF361CDD7C814DB0BEA98578A731EF5C03BF457E06BCA9950FDBAB57A4D3C7F6
SHA-512:	F928FD950A1F57172DFDF2CC8D23A54381715EE79D492D3491EAEAF4ADCC11241F87A00E91F03B504F78DF1DEF4D7C4569A192D62E21088ABD6DBFD721134B04
Malicious:	false
Preview:	; FTDIBUS.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..; ..; USB serial converter driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016...; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In cons

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\FTLang.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	5.978951711504469
Encrypted:	false
SSDEEP:	3072:VTwkcrbAg7JNtvh8vULQzOdtsK9g0BIGpY29ZR0qhJRYxEda6sEsOkXlYJkveT/s:VTPzg5JSULQz2tsKi0B9305E9P+3
MD5:	662679682F491FBAF3D15953D13EC72E
SHA1:	9EA41242F7945A6814D757DA232359DFD7D421BD
SHA-256:	C2729911C4B82D8F9E22E057A1570D0265D7A9ECA44D6FE8DC0658F47263CE12
SHA-512:	E5305020F3BC11342EE9073780BAAE37FF700434B7C695980345C7E9DB56B03F8199CE0C278E549C4EB92B4294F1FC91A0DBBB1C033B13794648A24DC94837E5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;L..hL..hL..h..\hn..h..]h(..h..bhE..h.MvhO..hL..h...h.,\hN..h.,ahM..hA.fhM..hL.*hM..h.,chM..hRichL..h........................PE..d......`.........." .........:...............................................P............ .................................................@...(.......h0...............<...@..@... ...8............................c..p............................................text...;........................... ..`.rdata..&...........................@..@.data...X<..........................@....pdata..............................@..@.rsrc...h0.......2..................@..@.reloc..@....@......................@..B................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA024.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647616
Entropy (8bit):	5.8372260150013044
Encrypted:	false
SSDEEP:	12288:k2Ruad22Cu6+wfhZLF5lfDOHc/aFMmymLRt+i2:332xNfhZLF5lfDOHvMTmLRt2
MD5:	BEFBC1A8F6C2B8E143DDD97CCB6561B5
SHA1:	44B085C25026DABE6280C539F43DD0755FB28499
SHA-256:	774AF8B12C85D03562742ACDF222AF5E0432167BF107BA4B260757E4A5E36866
SHA-512:	A41B29E0493AD8ED57F55B8AA557AED460794894A5A53B057EEEF017A81F071A09DD298FB63EB0277344A9B69D790699131642106124320FB80BA87D1AD60DD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.H.I...I...I..p.J..I..p.H.VI..p.I..I.......I.......I.......I....p..I...I..GI..S....I..S....I..V.D..I...I,..I..S....I..Rich.I..................PE..d...;..`.........." .........D......3A.......................................0.......'....`.................................................@...d.......i....`...U.......!...........w..8............................x..................@............................text...J........................... ..`.rdata...k.......l..................@..@.data....:... ......................@....pdata..4_...`...`...$..............@..@.idata..............................@..@.gfids..............................@..@.00cfg..............................@..@.rsrc...i...........................@..@.reloc..P...........................@..B........................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA044.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168456
Entropy (8bit):	6.246480364593094
Encrypted:	false
SSDEEP:	3072:a+f/hrqTv5CgCn2p+WsDC7wQGXLCoeofwaqVcppnx1um75JXZ4:a+cTglYOQwQ4uoebaq4r5n4
MD5:	D79A5E34F684B547FA2F963DFCC15A21
SHA1:	81CCA464D4C8773B00F0A6F170F402FFE2D6A9C8
SHA-256:	4BBC0B301A7C5A6B1B73878CE3AEEB191F5FCEAC05835372142206D79AC81559
SHA-512:	E199F40F06F674EB8EC0E599FFF47A36D4495F4F2FFEE96CADFD00ABA9D5BB127F4461090322244EC973FCC2C8AE119FB12CE65AD585CCAA570115B7D957EA28
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d...d...d...5v..d...5w..d...5H..d....\..d...d...d..\|.v..d..\|.K..d...6L..d...d...d..\|.I..d..Rich.d..........PE..d......`.........." .....x...........5.................................................... .................. ......................P...h.......d.......@....p.......V...<..............8...........................0...p............................................text...Tw.......x.................. ..`.rdata...............\|..............@..@.data...`:...0......................@....pdata.......p.......(..............@..@.rsrc...@............>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA064.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145192
Entropy (8bit):	6.492981302114183
Encrypted:	false
SSDEEP:	3072:np+Tpx5m9iS1H41Un58rdppcZxPtlGU1WopW:n8x5sJ4q58rdppcjPt9WoU
MD5:	AB7418C8DFBBB97BEFB4F0ADED3D4663
SHA1:	B9A7A3FBBA707BA52F8AC4339070473A486CE7B7
SHA-256:	3BD5BB7E646E67469EC25A37CAA5131CF992759703B0FC170DF7AF265B9F8E74
SHA-512:	BE19D2CFE8C9198CE43470FDB6B6030EB4BD1B4080887CB6F1D69C2B661BBD79FFA85B4B70FDBE97BADADF2B75CE7FBE7B627FE08FB1DF3104CC16842E609A40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........VAA.7/..7/..7/..W)..7/..7...7/..W...7/..W,..7/..W+..7/..i+..7/..i...7/..i-..7/.Rich.7/.................PE..d......`.........."..........<.................@.............................@......W.....`.....................................................P.... ..p...............(G...0..\|.......8............................................................................text...3z.......\|.................. ..h.rdata..p........ ..................@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGE.....%.......&.................. ..`INIT....B........................... ..b.rsrc...p.... ......................@..B.reloc..\|....0......................@..B................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\SETA075.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	274944
Entropy (8bit):	5.978951711504469
Encrypted:	false
SSDEEP:	3072:VTwkcrbAg7JNtvh8vULQzOdtsK9g0BIGpY29ZR0qhJRYxEda6sEsOkXlYJkveT/s:VTPzg5JSULQz2tsKi0B9305E9P+3
MD5:	662679682F491FBAF3D15953D13EC72E
SHA1:	9EA41242F7945A6814D757DA232359DFD7D421BD
SHA-256:	C2729911C4B82D8F9E22E057A1570D0265D7A9ECA44D6FE8DC0658F47263CE12
SHA-512:	E5305020F3BC11342EE9073780BAAE37FF700434B7C695980345C7E9DB56B03F8199CE0C278E549C4EB92B4294F1FC91A0DBBB1C033B13794648A24DC94837E5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;L..hL..hL..h..\hn..h..]h(..h..bhE..h.MvhO..hL..h...h.,\hN..h.,ahM..hA.fhM..hL.*hM..h.,chM..hRichL..h........................PE..d......`.........." .........:...............................................P............ .................................................@...(.......h0...............<...@..@... ...8............................c..p............................................text...;........................... ..`.rdata..&...........................@..@.data...X<..........................@....pdata..............................@..@.rsrc...h0.......2..................@..@.reloc..@....@......................@..B................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftbusui.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168456
Entropy (8bit):	6.246480364593094
Encrypted:	false
SSDEEP:	3072:a+f/hrqTv5CgCn2p+WsDC7wQGXLCoeofwaqVcppnx1um75JXZ4:a+cTglYOQwQ4uoebaq4r5n4
MD5:	D79A5E34F684B547FA2F963DFCC15A21
SHA1:	81CCA464D4C8773B00F0A6F170F402FFE2D6A9C8
SHA-256:	4BBC0B301A7C5A6B1B73878CE3AEEB191F5FCEAC05835372142206D79AC81559
SHA-512:	E199F40F06F674EB8EC0E599FFF47A36D4495F4F2FFEE96CADFD00ABA9D5BB127F4461090322244EC973FCC2C8AE119FB12CE65AD585CCAA570115B7D957EA28
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d...d...d...5v..d...5w..d...5H..d....\..d...d...d..\|.v..d..\|.K..d...6L..d...d...d..\|.I..d..Rich.d..........PE..d......`.........." .....x...........5.................................................... .................. ......................P...h.......d.......@....p.......V...<..............8...........................0...p............................................text...Tw.......x.................. ..`.rdata...............\|..............@..@.data...`:...0......................@....pdata.......p.......(..............@..@.rsrc...@............>..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftd2xx64.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647616
Entropy (8bit):	5.8372260150013044
Encrypted:	false
SSDEEP:	12288:k2Ruad22Cu6+wfhZLF5lfDOHc/aFMmymLRt+i2:332xNfhZLF5lfDOHvMTmLRt2
MD5:	BEFBC1A8F6C2B8E143DDD97CCB6561B5
SHA1:	44B085C25026DABE6280C539F43DD0755FB28499
SHA-256:	774AF8B12C85D03562742ACDF222AF5E0432167BF107BA4B260757E4A5E36866
SHA-512:	A41B29E0493AD8ED57F55B8AA557AED460794894A5A53B057EEEF017A81F071A09DD298FB63EB0277344A9B69D790699131642106124320FB80BA87D1AD60DD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.H.I...I...I..p.J..I..p.H.VI..p.I..I.......I.......I.......I....p..I...I..GI..S....I..S....I..V.D..I...I,..I..S....I..Rich.I..................PE..d...;..`.........." .........D......3A.......................................0.......'....`.................................................@...d.......i....`...U.......!...........w..8............................x..................@............................text...J........................... ..`.rdata...k.......l..................@..@.data....:... ......................@....pdata..4_...`...`...$..............@..@.idata..............................@..@.gfids..............................@..@.00cfg..............................@..@.rsrc...i...........................@..@.reloc..P...........................@..B........................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\amd64\ftdibus.sys (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145192
Entropy (8bit):	6.492981302114183
Encrypted:	false
SSDEEP:	3072:np+Tpx5m9iS1H41Un58rdppcZxPtlGU1WopW:n8x5sJ4q58rdppcjPt9WoU
MD5:	AB7418C8DFBBB97BEFB4F0ADED3D4663
SHA1:	B9A7A3FBBA707BA52F8AC4339070473A486CE7B7
SHA-256:	3BD5BB7E646E67469EC25A37CAA5131CF992759703B0FC170DF7AF265B9F8E74
SHA-512:	BE19D2CFE8C9198CE43470FDB6B6030EB4BD1B4080887CB6F1D69C2B661BBD79FFA85B4B70FDBE97BADADF2B75CE7FBE7B627FE08FB1DF3104CC16842E609A40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........VAA.7/..7/..7/..W)..7/..7...7/..W...7/..W,..7/..W+..7/..i+..7/..i...7/..i-..7/.Rich.7/.................PE..d......`.........."..........<.................@.............................@......W.....`.....................................................P.... ..p...............(G...0..\|.......8............................................................................text...3z.......\|.................. ..h.rdata..p........ ..................@..H.data...............................@....pdata..............................@..H.gfids..............................@..HPAGE.....%.......&.................. ..`INIT....B........................... ..b.rsrc...p.... ......................@..B.reloc..\|....0......................@..B................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\ftdibus.cat (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	23417
Entropy (8bit):	5.948769892863068
Encrypted:	false
SSDEEP:	192:wIWIdFWkGHHPj24Y2f22U222bk2L2h2d2N252Z2L22V2z21232S282e282C2a22g:vyl4rPFRXp4hlTJdkC
MD5:	B392C785B9C2AA31187D1BD0A4F5EBA5
SHA1:	BD80456EAC30AE84B2A0E1CE9A4A364A01C68F39
SHA-256:	B286055896DEA79D4521368293DEEE801930F3FB503CC3076AC97716B338B0F7
SHA-512:	A22007089580CF066FF30D405F607B88F499754F7859EA98915FA2F5E35D21E91BBE4C25271F8C62357F11C2469FD20556D805A52071B96E30FBA8657C6338E6
Malicious:	false
Preview:	0.[u...H........[f0.[b...1.0...`.H.e......0.:...+.....7....:.0.:.0...+.....7............@..5;.t.u..210708145418Z0...+.....7.....0...0....R2.F.D.9.A.3.9.F.1.7.B.4.F.8.9.C.E.C.D.7.5.2.8.F.5.8.7.6.7.2.7.D.C.0.0.C.7.A.7.8...1..G08..+.....7...10(...F.i.l.e........f.t.d.2.x.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+......../........R.Xvr}..zx0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.5.C.D.6.B.7.1.5.A.A.2.D.4.E.7.E.E.1.9.1.E.C.B.D.F.B.8.C.7.F.7.5.4.D.4.1.7.6.2...1..I0:..+.....7...1,0*...F.i.l.e........f.t.d.i.b.u.s...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........E.kqZ..........T..b0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R5.3.F.D.E.7.C.9.4.8.8

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\ftdibus.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	30650
Entropy (8bit):	5.516268884073016
Encrypted:	false
SSDEEP:	768:tDAm640CejlZtOojWnXD8yVxaQZdHwG5B8ZJDsyPxSQZXH4G7tVB03F3PPvZh/6:tbSjWJD8/5B03DU
MD5:	B404B591DCAE1E28603479A7963CB6F6
SHA1:	5D4AE8370FB8A05189B0ED9430459BCB97BB9E54
SHA-256:	FF361CDD7C814DB0BEA98578A731EF5C03BF457E06BCA9950FDBAB57A4D3C7F6
SHA-512:	F928FD950A1F57172DFDF2CC8D23A54381715EE79D492D3491EAEAF4ADCC11241F87A00E91F03B504F78DF1DEF4D7C4569A192D62E21088ABD6DBFD721134B04
Malicious:	false
Preview:	; FTDIBUS.INF..; ..; Copyright . 2000-2021 Future Technology Devices International Limited..; ..; USB serial converter driver installation file for Windows 7, Windows 8, Windows 8.1, Windows 10,..; Server 2008 R2, Server 2012 R2 and Server 2016...; ..; ..; IMPORTANT NOTICE: PLEASE READ CAREFULLY BEFORE INSTALLING THE RELEVANT ..; SOFTWARE: This licence agreement (Licence) is a legal agreement between you (Licensee or ..; you) and Future Technology Devices International Limited of 2 Seaward Place, Centurion Business ..; Park, Glasgow G41 1HH, Scotland (UK Company Number SC136640) (Licensor or we) for use of ..; driver software provided by the Licensor(Software)...; ..; BY INSTALLING OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS LICENCE ..; WHICH WILL BIND YOU. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENCE, WE ARE ..; UNWILLING TO LICENSE THE SOFTWARE TO YOU AND YOU MUST DISCONTINUE ..; INSTALLATION OF THE SOFTWARE NOW...; ..; 1..GRANT AND SCOPE OF LICENCE..; ..; 1.1.In cons

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\SETA0B6.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392128
Entropy (8bit):	6.675882265173621
Encrypted:	false
SSDEEP:	6144:6cumjO3f6acDJuRkgm3qP12tHi3b+cVZhPTlqWMTZ4Rp71RpeRjK3q:6cBjQf6acERkkP12tqbBxTlqWUop5ywa
MD5:	6FFEB45E0137622EBBBA8361107D304E
SHA1:	01B3F848148A276F6317D6C98EDBDB1133F458DA
SHA-256:	60BB0D6348B1EB0127401AA902F34C963D9196D2778C66F4008A6CF0C6F098A5
SHA-512:	BC3D9DDCB1FC249CF1A3A11EEFE9131280F18CB538C381C46B1818354E947690D52FD38B14674A7BB51CE5FF73F4B8721D19FD4960694B3442ECC90C58F75052
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.6._je._je._jei.e._jei.eO_jei.e._je..id._je..od._je..nd._je...e._je._ke\_jeJ.od._jeJ.jd._jeO..e._je._.e._jeJ.hd._jeRich._je................PE..L......`...........!.........................................................0......Tq..........................................d.......X................!.......(.....T...........................(...@............................................text............................... ..`.rdata..............................@..@.data...X$..........................@....gfids..............................@..@.rsrc...X...........................@..@.reloc...(.......(..................@..B................................................................................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{f899b98f-10ca-f24e-afd1-784cf97872a3}\i386\ftd2xx.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392128
Entropy (8bit):	6.675882265173621
Encrypted:	false
SSDEEP:	6144:6cumjO3f6acDJuRkgm3qP12tHi3b+cVZhPTlqWMTZ4Rp71RpeRjK3q:6cBjQf6acERkkP12tqbBxTlqWUop5ywa
MD5:	6FFEB45E0137622EBBBA8361107D304E
SHA1:	01B3F848148A276F6317D6C98EDBDB1133F458DA
SHA-256:	60BB0D6348B1EB0127401AA902F34C963D9196D2778C66F4008A6CF0C6F098A5
SHA-512:	BC3D9DDCB1FC249CF1A3A11EEFE9131280F18CB538C381C46B1818354E947690D52FD38B14674A7BB51CE5FF73F4B8721D19FD4960694B3442ECC90C58F75052
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.6._je._je._jei.e._jei.eO_jei.e._je..id._je..od._je..nd._je...e._je._ke\_jeJ.od._jeJ.jd._jeO..e._je._.e._jeJ.hd._jeRich._je................PE..L......`...........!.........................................................0......Tq..........................................d.......X................!.......(.....T...........................(...@............................................text............................... ..`.rdata..............................@..@.data...X$..........................@....gfids..............................@..@.rsrc...X...........................@..@.reloc...(.......(..................@..B................................................................................................................................................................................................................................................

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	4627
Entropy (8bit):	5.38191832705647
Encrypted:	false
SSDEEP:	96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3hpTpbCpEpDk+psNVpsLX2oa5oG:QO00eO00erMwmkB1kAIrN4tBG
MD5:	513C92CDA39AD67BF9E2EBE2C92A4C53
SHA1:	11C97A98DF35CB4979D22E90EB15699768C07EF4
SHA-256:	0789A6D840B052949E3AED8E22BE6E458E05A038617040E7618269E9C729ECD3
SHA-512:	EEDBFA2EF0D1BDBB706D4988ED594226264BED678ED9F7D5923989E8AAABDB146DD1DD0906FA71F408B555CDB559BDFEF890952585DB211033C85782C32694CB
Malicious:	false
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.989700528926337
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CDM212364_Setup.exe
File size:	2'264'632 bytes
MD5:	0c97e7b5de1b46fb723bed38f0de28a2
SHA1:	3ab353adb602908eddb884c8b2b587fcc0691bfa
SHA256:	835dd64b199190d20dc37c0cadeb064b7eaaaef271703781b2b259b7085437a4
SHA512:	534e698728462b5103263194b42619da560ed9547e8e9de0240190606097eff1f20d560cf7d320164d0609b474a3d3dceb788e3c2ff813ae8bccd629833ebee0
SSDEEP:	49152:e0YNuL7q5Mj5dWZdLUVK5IECejW+N5X6kQ9rY/vuvs0SS/y:e0YEL758dLU0vC1+skQxY/vgsE/y
TLSH:	ABA5230E97B3F269EE33D07E8F96096A54E21483677E8DB5C60BA49C9C13141DF5B283
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... #.NdB{.dB{.dB{.....fB{.....eB{.....iB{.dBz..B{.....eB{.....hB{.i...eB{.dB..eB{.....eB{.RichdB{.................PE..L.....Q`...

File Icon


Icon Hash:	1b2f575757572f9b

Static PE Info

General

Entrypoint:	0x406700
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6051F6A5 [Wed Mar 17 12:31:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	02184023c46b09c1acf1ff24f0feed1e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/11/2018 00:00:00 24/11/2021 23:59:59
Subject Chain	CN=Future Technology Devices International Ltd, O=Future Technology Devices International Ltd, L=Glasgow, C=GB, SERIALNUMBER=SC136640, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Glasgow, OID.1.3.6.1.4.1.311.60.2.1.2=ABD, OID.1.3.6.1.4.1.311.60.2.1.3=GB
Version:	3
Thumbprint MD5:	A2390DBD0652FF86FDC61933410F06DC
Thumbprint SHA-1:	116E4D55D3691C00D3C96500A4CE15D73BC4B377
Thumbprint SHA-256:	90E354805042603C3A1F5498AF2403457647FB107458DB3123F3BD6C9C70111A
Serial:	53B59D44F72E8BB2764D4193926E95AF

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [004070D0h]
mov esi, eax
mov al, byte ptr [esi]
cmp al, 22h
jne 00007F9C9CFB2BC3h
cmp al, 22h
je 00007F9C9CFB2BCFh
inc esi
mov al, byte ptr [esi]
test al, al
jne 00007F9C9CFB2BA7h
cmp al, 22h
jne 00007F9C9CFB2BC5h
jmp 00007F9C9CFB2BC2h
cmp al, 20h
jle 00007F9C9CFB2BBFh
inc esi
cmp byte ptr [esi], 00000020h
jnle 00007F9C9CFB2BACh
jmp 00007F9C9CFB2BB7h
cmp al, 20h
jnle 00007F9C9CFB2BB9h
inc esi
mov al, byte ptr [esi]
test al, al
jne 00007F9C9CFB2BA7h
and dword ptr [ebp-18h], 00000000h
lea eax, dword ptr [ebp-44h]
push eax
call dword ptr [00407098h]
test byte ptr [ebp-18h], 00000001h
movzx eax, word ptr [ebp-14h]
push 0000000Ah
pop ecx
cmovne ecx, eax
push ecx
push esi
push 00000000h
push 00000000h
call dword ptr [00407078h]
push eax
call 00007F9C9CFB2A7Bh
push eax
call dword ptr [00407060h]
int3
push ebp
mov ebp, esp
push esi
push edi
push dword ptr [ebp+08h]
xor esi, esi
call dword ptr [004070D4h]
mov edi, dword ptr [ebp+10h]
cmp edi, eax
jle 00007F9C9CFB2BC9h
mov eax, 00407872h
jmp 00007F9C9CFB2BE9h
push esi
call 00007F9C9CFB2BEAh
mov esi, eax
add esp, 0Ch
test esi, esi
je 00007F9C9CFB2B9Ch
dec edi
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
test edi, edi
jnle 00007F9C9CFB2B98h
inc esi
push esi
call 00007F9C9CFB2BCFh
add esp, 0Ch
test eax, eax
jle 00007F9C9CFB2B83h
sub eax, esi
push eax
push esi
push dword ptr [ebp+08h]
call 00007F9C9CFB2DA8h
add esp, 0Ch

Rich Headers

Programming Language:

[C++] VS2013 UPD5 build 40629
[ C ] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7eac	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x89c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x227428	0x1a10
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0x604	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x198	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c3e	0x5e00	d1a237469fd265ab32438fafe0e9f632	False	0.5597157579787234	data	6.3422506068151225	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x176c	0x1800	cf87202b318f36dcf2ed62f72a2523aa	False	0.57080078125	data	5.760277047752672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x58a8	0x1200	5beaa4553d7aa210dc7640059c344f1c	False	0.23914930555555555	data	2.518593090870782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf000	0x89c8	0x8a00	405597a0a0904d53b8fce03c6e62d462	False	0.1908401268115942	data	3.966180350876218	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18000	0x604	0x800	2c223a97e77912b6cfdb18d3dc2ef5d7	False	0.67578125	data	5.7257335131649745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x16c88	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_BITMAP	0xfa58	0x66ae	Device independent bitmap graphic, 163 x 312 x 4, image size 0, resolution 2834 x 2834 px/m, 9 important colors	English	United States	0.08552080955641786
RT_BITMAP	0x16108	0xb60	Device independent bitmap graphic, 43 x 42 x 8, image size 1848	English	United States	0.4491758241758242
RT_ICON	0x16dd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5573104693140795
RT_MENU	0x16c68	0x20	data	English	United States	1.09375
RT_DIALOG	0xf340	0x182	data	English	United States	0.5673575129533679
RT_DIALOG	0xf4c8	0xa0	data	English	United States	0.6375
RT_DIALOG	0xf568	0x1dc	data	English	United States	0.542016806722689
RT_DIALOG	0xf748	0x12a	data	English	United States	0.610738255033557
RT_DIALOG	0xf878	0x1dc	data	English	United States	0.5630252100840336
RT_GROUP_CURSOR	0x16dc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_ICON	0x17680	0x14	data	English	United States	1.25
RT_MANIFEST	0x17698	0x330	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (756), with CRLF line terminators	English	United States	0.5012254901960784

Imports

DLL	Import
KERNEL32.dll	LocalFileTimeToFileTime, RemoveDirectoryA, SetFileTime, WriteFile, GetLastError, WaitForSingleObject, Sleep, GetCurrentProcess, ExitProcess, CreateThread, CreateProcessA, GetSystemDirectoryA, MapViewOfFile, GetModuleFileNameA, GetModuleHandleA, GetFullPathNameA, DosDateTimeToFileTime, FormatMessageA, lstrcmpA, lstrcpyA, lstrcatA, CreateFileMappingA, GetStartupInfoA, GetPrivateProfileIntA, GetPrivateProfileStringA, GetTempPathA, GetTempFileNameA, IsBadReadPtr, MultiByteToWideChar, GetFileAttributesA, DeleteFileA, CreateDirectoryA, GetCurrentDirectoryA, SetCurrentDirectoryA, CreateFileA, ExpandEnvironmentStringsA, GetCommandLineA, lstrlenA, VirtualFree, VirtualAlloc, CloseHandle, SetFilePointer, ReadFile, WinExec
USER32.dll	ReleaseDC, BeginPaint, EndPaint, SetWindowTextA, MessageBoxA, SetCursor, ClientToScreen, ChildWindowFromPoint, SetClassLongA, LoadBitmapA, LoadCursorA, LoadIconA, GetDC, DestroyMenu, LoadMenuA, EnableWindow, GetDialogBaseUnits, GetDlgItemTextA, SetDlgItemTextA, GetDlgItem, EndDialog, DialogBoxParamA, CreateDialogParamA, ShowWindow, DestroyWindow, UpdateWindow, TrackPopupMenu, GetSubMenu, wsprintfA, SendMessageA, PostMessageA, SetWindowPos
GDI32.dll	Rectangle, SelectObject, SetBkMode, GetStockObject, SetROP2, SetTextColor, GetObjectA, DeleteObject, CreateFontIndirectA, StretchBlt, CreateCompatibleDC
SHELL32.dll	SHBrowseForFolderA, SHGetPathFromIDListA, ShellExecuteA
ole32.dll	CoCreateInstance, CoUninitialize, CoInitialize
ADVAPI32.dll	RegOpenKeyExA, RegCloseKey, RegQueryValueExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:21:01
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\CDM212364_Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CDM212364_Setup.exe"
Imagebase:	0x9c0000
File size:	2'264'632 bytes
MD5 hash:	0C97E7B5DE1B46FB723BED38F0DE28A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:21:06
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe
Imagebase:	0x400000
File size:	90'160 bytes
MD5 hash:	461A3CE2E77143EC0E0015D80675911B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:21:06
Start date:	23/04/2024
Path:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe /sa
Imagebase:	0x7ff6d88c0000
File size:	1'047'056 bytes
MD5 hash:	0E7E8820A977D3B4B81C5188FA841C52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:21:16
Start date:	23/04/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{acb1cab5-f3d4-1e43-9370-b4e26f098f9f}\ftdibus.inf" "9" "4aa35cc23" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\users\user\appdata\local\temp\ftdi-driver"
Imagebase:	0x7ff6adc40000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:21:21
Start date:	23/04/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a2d08f8b-9618-ed46-a926-40b2e07ae3d4}\ftdiport.inf" "9" "47472827f" "0000000000000160" "WinSta0\Default" "000000000000015C" "208" "c:\users\user\appdata\local\temp\ftdi-driver"
Imagebase:	0x7ff6adc40000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	36.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.3%
Total number of Nodes:	595
Total number of Limit Nodes:	13

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 009C5344 Relevance: 136.9, APIs: 46, Strings: 32, Instructions: 446
stringfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C53E8
GetTempPathA.KERNEL32(00000000,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C53EF
GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C53FE
GetCurrentProcess.KERNEL32(?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5404
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\CDM212364_Setup.exe,00000104,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5418
CreateFileA.KERNELBASE(C:\Users\user\Desktop\CDM212364_Setup.exe,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00000103,?,00000000,00000103), ref: 009C542D
SetFilePointer.KERNELBASE(00000000,00004E20,00000000,00000000,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5444
SetFilePointer.KERNELBASE(000000FD,00000000,00000001), ref: 009C5477
ReadFile.KERNELBASE(?,00000004,?,00000000,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5499
SetFilePointer.KERNELBASE(000000FD,00000000,00000001), ref: 009C54D5
ReadFile.KERNELBASE(?,00000004,0000005B,00000000), ref: 009C54F8
SetFilePointer.KERNELBASE(00004E20,00000000,00000000), ref: 009C5518
VirtualAlloc.KERNELBASE(00000000,00004E1E,00001000,00000004), ref: 009C552C
ReadFile.KERNEL32(00000000,00004E1C,00000050,00000000), ref: 009C5545
GetTempPathA.KERNEL32(00000104,?), ref: 009C5554
GetTempFileNameA.KERNELBASE(?,009C7C5C,00000000,?), ref: 009C556E
CreateFileA.KERNELBASE(?,40000000,00000003,00000000,00000002,00000000,00000000), ref: 009C5585
WriteFile.KERNELBASE(00000000,00004E1C,?,00000000), ref: 009C55A7
CloseHandle.KERNEL32 ref: 009C55B3
GetPrivateProfileIntA.KERNEL32(009C7C5C,ZipSize,00000000,?), ref: 009C55CB
GetPrivateProfileIntA.KERNEL32(009C7C5C,Delete,00000000,?), ref: 009C55DE
GetPrivateProfileIntA.KERNEL32(009C7C5C,NoGUI,00000000,?), ref: 009C55F1
GetPrivateProfileIntA.KERNEL32(009C7C5C,Debug,00000000,?), ref: 009C5604
GetPrivateProfileStringA.KERNEL32(009C7C5C,Name,Unnamed Archive,FTDI CDM Drivers,000000FF,?), ref: 009C562C
GetPrivateProfileStringA.KERNEL32(009C7C5C,Exec,009C7872,%temp%\FTDI-Driver\dp-chooser.exe\,000000FF,?), ref: 009C564A
GetPrivateProfileStringA.KERNEL32(009C7C5C,DefaultPath,009C7872,C:\Users\user\AppData\Local\Temp\FTDI-Driver,00000104,?), ref: 009C5662
GetPrivateProfileStringA.KERNEL32(009C7C5C,Intro,009C7872,Click 'Extract' to unpack version 2.12.36.4 of FTDI's Windows driver package and launch the installer.,00000400,?), ref: 009C567F
GetPrivateProfileStringA.KERNEL32(009C7C5C,AutoExtract,FALSE,?,00000006,?), ref: 009C569D
GetPrivateProfileStringA.KERNEL32(009C7C5C,OpenFolder,FALSE,?,00000006,?), ref: 009C56B7
GetPrivateProfileStringA.KERNEL32(009C7C5C,URL,009C7872,www.ftdichip.com,00000080,?), ref: 009C56D3
GetPrivateProfileStringA.KERNEL32(009C7C5C,Author,009C7872,009CADD0,000000FF,?), ref: 009C56EB
wsprintfA.USER32 ref: 009C56FF
GetPrivateProfileStringA.KERNEL32(009C7C5C,?,009C7872,?,00000400,?), ref: 009C5721
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5731
wsprintfA.USER32 ref: 009C5759
GetPrivateProfileStringA.KERNEL32(009C7C5C,?,009C7872,?,00000400,?), ref: 009C577F
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000103,?,00000000), ref: 009C5789
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C57DE
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver,$curdir$,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5800
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5812
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver,?,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C581D
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver\,C:\Users\user\AppData\Local\Temp\FTDI-Driver,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5826
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver,00000000,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5831
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C583C
VirtualFree.KERNELBASE(00000000,00008000,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5870
DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C587B

Part of subcall function 009C6BF4: VirtualAlloc.KERNELBASE(00000000,00000104,00001000,00000004,?,009C574D,009CD900,?,?,?,?,?,?,?,?,00000103), ref: 009C6C03

Strings

K, xrefs: 009C54B4
C:\Users\user\Desktop, xrefs: 009C53F5
Intro, xrefs: 009C5679
P, xrefs: 009C54AD
C:\Users\user\AppData\Local\Temp\FTDI-Driver, xrefs: 009C5656, 009C57D2, 009C57D7, 009C57FF, 009C5802, 009C581C, 009C581F, 009C5828, 009C5830
C:\Users\user\Desktop\CDM212364_Setup.exe, xrefs: 009C540B, 009C5415, 009C542C
FTDI CDM Drivers, xrefs: 009C5616
%temp%\FTDI-Driver\dp-chooser.exe\, xrefs: 009C5639
DefaultPath, xrefs: 009C565C
OpenFolder, xrefs: 009C56AC
www.ftdichip.com, xrefs: 009C56C3
Shortcut%d, xrefs: 009C56F9, 009C5753
Could not read the source SFX., xrefs: 009C549F
Debug, xrefs: 009C55FE
Author, xrefs: 009C56E5
], xrefs: 009C5465
FALSE, xrefs: 009C5685, 009C5692, 009C56AB
AutoExtract, xrefs: 009C5693
$temp$, xrefs: 009C57F3
NoGUI, xrefs: 009C55EB
$curdir$, xrefs: 009C57FA
Unnamed Archive, xrefs: 009C561B
Click 'Extract' to unpack version 2.12.36.4 of FTDI's Windows driver package and launch the installer., xrefs: 009C5668, 009C5673, 009C578F, 009C5794
E, xrefs: 009C545E
Name, xrefs: 009C5620
ZipSize, xrefs: 009C55C5
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C5820, 009C5825, 009C5833, 009C583B
Can't write temp file, xrefs: 009C5893
Could not get file info. This archive is likely corrupted., xrefs: 009C588C
Delete, xrefs: 009C55D8
URL, xrefs: 009C56CD
Exec, xrefs: 009C563F

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: PrivateProfile$File$String$lstrcpy$Pointerlstrlen$ReadTempVirtual$AllocCreateCurrentNamePathwsprintf$CloseDeleteDirectoryFreeHandleModuleProcessWrite
String ID: $curdir$$$temp$$%temp%\FTDI-Driver\dp-chooser.exe\$Author$AutoExtract$C:\Users\user\AppData\Local\Temp\FTDI-Driver$C:\Users\user\AppData\Local\Temp\FTDI-Driver\$C:\Users\user\Desktop$C:\Users\user\Desktop\CDM212364_Setup.exe$Can't write temp file$Click 'Extract' to unpack version 2.12.36.4 of FTDI's Windows driver package and launch the installer.$Could not get file info. This archive is likely corrupted.$Could not read the source SFX.$Debug$DefaultPath$Delete$E$Exec$FALSE$FTDI CDM Drivers$Intro$K$Name$NoGUI$OpenFolder$P$Shortcut%d$URL$Unnamed Archive$ZipSize$]$www.ftdichip.com
API String ID: 3084389332-1662369998
Opcode ID: a229526f7b40bd7c85fe2c7cde46612c31c16367f18d2baf348cd96586b72490
Instruction ID: 512604cb6c2efe0be672a398a8b5ecf910459344dd1ce1b7b807a312be7c8c63
Opcode Fuzzy Hash: a229526f7b40bd7c85fe2c7cde46612c31c16367f18d2baf348cd96586b72490
Instruction Fuzzy Hash: 50E182B1D5C349BEE320DBA4DC85FABBBECEB84714F00082DBA45D2190D674A9449F63

Uniqueness

Uniqueness Score: -1.00%

Function 009C3F22 Relevance: 73.8, APIs: 38, Strings: 4, Instructions: 293
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadMenuA.USER32(00000071), ref: 009C3F72
ClientToScreen.USER32(?), ref: 009C3F9A
GetSubMenu.USER32(00000000,00000000), ref: 009C3FA4
TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,00000000), ref: 009C3FBF
DestroyMenu.USER32(00000000), ref: 009C3FCC
DestroyMenu.USER32(00000000), ref: 009C3FCF
ChildWindowFromPoint.USER32(?,?), ref: 009C3FEB
GetDlgItem.USER32(000003F2), ref: 009C3FFE
lstrlenA.KERNEL32(www.ftdichip.com), ref: 009C400E
ShellExecuteA.SHELL32(?,open,www.ftdichip.com,00000000,00000000,00000001), ref: 009C402B
ChildWindowFromPoint.USER32(?,?), ref: 009C4065
GetDlgItem.USER32(000003F2), ref: 009C4078
lstrlenA.KERNEL32(www.ftdichip.com), ref: 009C408B
SetCursor.USER32 ref: 009C409F
GetDlgItem.USER32(000003F9), ref: 009C40C8
DialogBoxParamA.USER32(00000081,Function_00003D2E,00000000), ref: 009C4188
ShowWindow.USER32(?,00000005), ref: 009C4200
LoadCursorA.USER32(0000007B), ref: 009C4227
LoadCursorA.USER32(00000000,00007F00), ref: 009C4235
BeginPaint.USER32(?), ref: 009C425D
SetROP2.GDI32(00000000,00000010), ref: 009C4268
GetDialogBaseUnits.USER32 ref: 009C4274
GetDialogBaseUnits.USER32 ref: 009C4289
Rectangle.GDI32(00000000,00000000,00000000,?), ref: 009C42A3
CreateCompatibleDC.GDI32(00000000), ref: 009C42AA
LoadBitmapA.USER32(00000067), ref: 009C42BA
SelectObject.GDI32(00000000,00000000), ref: 009C42C2
GetDialogBaseUnits.USER32 ref: 009C42DA
GetDialogBaseUnits.USER32 ref: 009C42EF
StretchBlt.GDI32(?,00000000,00000000,?), ref: 009C430A
ReleaseDC.USER32(00000000), ref: 009C4317
EndPaint.USER32(?), ref: 009C4328

Strings

www.ftdichip.com, xrefs: 009C4008, 009C400D, 009C401E, 009C4086
MS Shell Dlg, xrefs: 009C4146
Tahoma, xrefs: 009C40DB, 009C4118
open, xrefs: 009C401F

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: DialogMenu$BaseLoadUnits$CursorItemWindow$ChildDestroyFromPaintPointlstrlen$BeginBitmapClientCompatibleCreateExecuteObjectParamPopupRectangleReleaseScreenSelectShellShowStretchTrack
String ID: MS Shell Dlg$Tahoma$open$www.ftdichip.com
API String ID: 1442380583-1245537460
Opcode ID: 473a9f9f6d86c788b4c303e0044cb264f61d199ee0cca9306c139f1725de5155
Instruction ID: 688bb9614ededc66ee5730b27e96a3e7380b1b64e7e2b661e02c3e8989812fde
Opcode Fuzzy Hash: 473a9f9f6d86c788b4c303e0044cb264f61d199ee0cca9306c139f1725de5155
Instruction Fuzzy Hash: AAA1F371E6C305AFD720AFA5DC09F2ABAACFB49354F444828F642E61A1D7719900FF52

Uniqueness

Uniqueness Score: -1.00%

Function 009C5D38 Relevance: 72.1, APIs: 19, Strings: 22, Instructions: 321
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000105,00001000,00000004,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver,74DF0440), ref: 009C5D89

Part of subcall function 009C6856: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,75BF6C10,009C65C9,www.ftdichip.com,00000007,mailto:), ref: 009C6868

lstrcatA.KERNEL32(?,009C78C4,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver,74DF0440), ref: 009C5DC2
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,?,?,?,?,?,74DEB530), ref: 009C5E08
lstrcpyA.KERNEL32(?,00000000), ref: 009C5E34
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 009C5F77
lstrcpyA.KERNEL32(00000000,?), ref: 009C60B1
lstrcatA.KERNEL32(00000000,?), ref: 009C60BE
lstrcatA.KERNEL32(00000000,009C78C4), ref: 009C60C6
lstrcpyA.KERNEL32(?,00000000), ref: 009C60E8
lstrlenA.KERNEL32(00000000), ref: 009C610F
lstrcpyA.KERNEL32(00000000,00000000), ref: 009C6121

Part of subcall function 009C6A4F: lstrlenA.KERNEL32(?,?,00000000,74DE8A60,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530), ref: 009C6A5D
Part of subcall function 009C6A4F: lstrlenA.KERNEL32(?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver,74DF0440), ref: 009C6A68
Part of subcall function 009C6A4F: lstrcmpA.KERNEL32(?,?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6A71
Part of subcall function 009C6A4F: lstrlenA.KERNEL32(?,00000000,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6A99
Part of subcall function 009C6A4F: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530), ref: 009C6AB6

Strings

AppData, xrefs: 009C5FB3
%quicklaunch%, xrefs: 009C5F89
%sendto%, xrefs: 009C5EC4
Favorites, xrefs: 009C5EFE
%startmenu%, xrefs: 009C5E5D
C:\Users\user\AppData\Local\Temp\FTDI-Driver, xrefs: 009C5D3F
Startup, xrefs: 009C5F22
%targetdir%, xrefs: 009C5F3A
%startup%, xrefs: 009C5F0C
Programs, xrefs: 009C5E87
ProgramFilesDir, xrefs: 009C6068
%programfiles%, xrefs: 009C600A
C:\Program Files, xrefs: 009C601B
Desktop, xrefs: 009C5EB6
%desktop%, xrefs: 009C5EA0
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C5F4B
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 009C6033
%curdir%, xrefs: 009C5F5C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 009C5FCF
%favorites%, xrefs: 009C5EE8
SendTo, xrefs: 009C5EDA
%sysdir%, xrefs: 009C608A

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrcpylstrlen$AllocVirtuallstrcat$CurrentDirectoryEnvironmentExpandStringslstrcmp
String ID: %curdir%$%desktop%$%favorites%$%programfiles%$%quicklaunch%$%sendto%$%startmenu%$%startup%$%sysdir%$%targetdir%$AppData$C:\Program Files$C:\Users\user\AppData\Local\Temp\FTDI-Driver$C:\Users\user\AppData\Local\Temp\FTDI-Driver\$Desktop$Favorites$ProgramFilesDir$Programs$SOFTWARE\Microsoft\Windows\CurrentVersion$SendTo$Startup$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187263582-1324585981
Opcode ID: 3ba31f342f1d50491207b2592efbbb63a79a0059c0c451f4a64eb893a527ce23
Instruction ID: 741eeaebe25f7e61eec697978f7cea5f5ce9a2614b427e85766766ac594cd153
Opcode Fuzzy Hash: 3ba31f342f1d50491207b2592efbbb63a79a0059c0c451f4a64eb893a527ce23
Instruction Fuzzy Hash: 52A17572D4C305BBD614EAA09C46FABB7ECABC9758F50082EF644D60C1E674E6448B23

Uniqueness

Uniqueness Score: -1.00%

Function 009C11FC Relevance: .7, Instructions: 698COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b12f68b57cc0df2c5c788ea16277d731b5847035a9a21d8208ad53fdb187807
Instruction ID: e7e03de23df46b024b1c52bd50ffafd7a57cf03456359e00a1b8ac44adb5d734
Opcode Fuzzy Hash: 6b12f68b57cc0df2c5c788ea16277d731b5847035a9a21d8208ad53fdb187807
Instruction Fuzzy Hash: 555227B1A087069FC704CF29C890A2AFBF5FF89350F108A2DE49987652D375E954CF96

Uniqueness

Uniqueness Score: -1.00%

Function 009C61A1 Relevance: 122.9, APIs: 62, Strings: 8, Instructions: 379
stringwindowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DestroyWindow.USER32(0002047C), ref: 009C61AB
ShowWindow.USER32(00000005,00000000,74DF3550,?,00004E21), ref: 009C61C3
GetDlgItem.USER32(000003EB,00000001), ref: 009C61E9
EnableWindow.USER32(00000000), ref: 009C61F2
GetDlgItem.USER32(000003E8,00000001), ref: 009C6201
EnableWindow.USER32(00000000), ref: 009C6204
SetDlgItemTextA.USER32(000003F7), ref: 009C6223
SetDlgItemTextA.USER32(000003F9), ref: 009C623C
GetDlgItem.USER32(000003FB,00000005), ref: 009C624B
ShowWindow.USER32(00000000), ref: 009C624E
GetDlgItem.USER32(000003FE,00000000), ref: 009C6265
SetWindowPos.USER32(00000000), ref: 009C626E
GetDlgItem.USER32(000003F7,00000000), ref: 009C6286
SetWindowPos.USER32(00000000), ref: 009C6289
GetDlgItem.USER32(000003F9,00000000), ref: 009C62A1
SetWindowPos.USER32(00000000), ref: 009C62A4
GetDlgItem.USER32(000003E8,Tahoma), ref: 009C62BE
GetDlgItem.USER32(000003EB,Tahoma), ref: 009C62E1
GetDlgItem.USER32(000003ED,Tahoma), ref: 009C6304

Part of subcall function 009C523B: GetDC.USER32(?), ref: 009C525A
Part of subcall function 009C523B: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 009C527C
Part of subcall function 009C523B: GetObjectA.GDI32(00000000,?,75C08FB0), ref: 009C527F
Part of subcall function 009C523B: lstrcpyA.KERNEL32(?,?), ref: 009C52AC
Part of subcall function 009C523B: CreateFontIndirectA.GDI32(?), ref: 009C52B7
Part of subcall function 009C523B: SetBkMode.GDI32(00000000,00000002), ref: 009C52C6
Part of subcall function 009C523B: SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 009C52D5
Part of subcall function 009C523B: ReleaseDC.USER32(?,00000000), ref: 009C52DC

GetDlgItem.USER32(000003FB,Tahoma), ref: 009C6327
GetDlgItem.USER32(000003EB,00000000), ref: 009C635A
KiUserCallbackDispatcher.NTDLL(00000000), ref: 009C635D
GetDlgItem.USER32(000003E8,00000000), ref: 009C636B
KiUserCallbackDispatcher.NTDLL(00000000), ref: 009C636E
GetDlgItem.USER32(000003F8,Tahoma), ref: 009C6388
GetDlgItem.USER32(000003FA,Tahoma), ref: 009C63A6
CreateThread.KERNELBASE(00000000,00000000,009C4D4C,00000000,00000000,?), ref: 009C63BF
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C63D0
SetDlgItemTextA.USER32(000003EA,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C63EE
GetDlgItem.USER32(000003EA,000000C5), ref: 009C6403
SendMessageA.USER32(00000000), ref: 009C640C
GetDlgItem.USER32(000003F6,000000F1), ref: 009C6422
SendMessageA.USER32(00000000), ref: 009C6425
GetDlgItem.USER32(000003E8,00000001), ref: 009C6434
EnableWindow.USER32(00000000), ref: 009C6437
GetDlgItem.USER32(000003EB,00000001), ref: 009C6446
EnableWindow.USER32(00000000), ref: 009C6449
GetDlgItem.USER32(000003ED,00000001), ref: 009C6458
EnableWindow.USER32(00000000), ref: 009C645B
GetDlgItem.USER32(000003F8,Tahoma), ref: 009C6477
GetDlgItem.USER32(000003EA,Tahoma), ref: 009C6491
GetDlgItem.USER32(000003EC,Tahoma), ref: 009C64AF
GetDlgItem.USER32(000003F6,Tahoma), ref: 009C64CD
GetDlgItem.USER32(000003F7,00000001), ref: 009C64F7
SetWindowPos.USER32(00000000), ref: 009C64FA
GetDlgItem.USER32(000003F9,00000001), ref: 009C6516
SetWindowPos.USER32(00000000), ref: 009C6519
GetDlgItem.USER32(000003FE,00000001), ref: 009C6535
SetWindowPos.USER32(00000000), ref: 009C6538
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 009C6549
GetDlgItem.USER32(000003FB,00000000), ref: 009C6559
ShowWindow.USER32(00000000), ref: 009C655C
GetDlgItem.USER32(000003E8,00000000), ref: 009C656E
KiUserCallbackDispatcher.NTDLL(00000000), ref: 009C6571
GetDlgItem.USER32(000003EB,00000001), ref: 009C6580
EnableWindow.USER32(00000000), ref: 009C6583
SetDlgItemTextA.USER32(000003F1,FTDI CDM Drivers), ref: 009C6595
SetDlgItemTextA.USER32(000003F9,Click 'Extract' to unpack version 2.12.36.4 of FTDI's Windows driver package and launch the installer.), ref: 009C65A7
lstrlenA.KERNEL32(www.ftdichip.com), ref: 009C65B5
lstrlenA.KERNEL32(www.ftdichip.com), ref: 009C65EB

Strings

&Extract, xrefs: 009C661A
www.ftdichip.com, xrefs: 009C65AF, 009C65B4, 009C65C3, 009C65DC, 009C65EA, 009C65F8, 009C6604
Tahoma, xrefs: 009C62AE, 009C62D1, 009C62F4, 009C6317, 009C6377, 009C637C, 009C639A, 009C645F, 009C646B, 009C6489, 009C64A3, 009C64C1
C:\Users\user\AppData\Local\Temp\FTDI-Driver, xrefs: 009C63CA, 009C63CF, 009C63E1
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C63DA
FTDI CDM Drivers, xrefs: 009C6585
Click 'Extract' to unpack version 2.12.36.4 of FTDI's Windows driver package and launch the installer., xrefs: 009C6597
mailto:, xrefs: 009C65BC

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: Item$Window$Enable$Text$MessageSend$CallbackDispatcherShowUserlstrlen$Create$DestroyFontIndirectModeObjectReleaseThreadlstrcpy
String ID: &Extract$C:\Users\user\AppData\Local\Temp\FTDI-Driver$C:\Users\user\AppData\Local\Temp\FTDI-Driver\$Click 'Extract' to unpack version 2.12.36.4 of FTDI's Windows driver package and launch the installer.$FTDI CDM Drivers$Tahoma$mailto:$www.ftdichip.com
API String ID: 2631855608-3092188083
Opcode ID: 7b60d0fde4ea3cd2631ea3d12ee8f7bebdb2d424e61aa2be1833024290787506
Instruction ID: 60f3534c3258fab4765c82d36860fb259d7eb66237c8d350d79745b8e7cd883e
Opcode Fuzzy Hash: 7b60d0fde4ea3cd2631ea3d12ee8f7bebdb2d424e61aa2be1833024290787506
Instruction Fuzzy Hash: A2B157B1EA93497FFA213B75DC8BF2B3E5DEB44744F050424B601A90F1C9A25E10AA26

Uniqueness

Uniqueness Score: -1.00%

Function 009C58D8 Relevance: 77.3, APIs: 36, Strings: 8, Instructions: 324
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextA.USER32(00000001), ref: 009C5935
SetDlgItemTextA.USER32(000003F7), ref: 009C5958
SetDlgItemTextA.USER32(000003F9), ref: 009C5971
GetModuleHandleA.KERNEL32(00000000,00000065), ref: 009C5977
LoadIconA.USER32(00000000), ref: 009C597E
SetClassLongA.USER32(000000F2,00000000), ref: 009C598D
ShowWindow.USER32(00000005), ref: 009C599B
PostMessageA.USER32(00000111,000003ED,00000000), ref: 009C59BB
BeginPaint.USER32(?), ref: 009C59DC
SetROP2.GDI32(00000000,00000010), ref: 009C59E7
GetDialogBaseUnits.USER32 ref: 009C59F5
Rectangle.GDI32(00000000,00000000,00000000,00000000), ref: 009C5A0F
CreateCompatibleDC.GDI32(00000000), ref: 009C5A16
LoadBitmapA.USER32(0000007E), ref: 009C5A26
SelectObject.GDI32(00000000,00000000), ref: 009C5A2E
GetDialogBaseUnits.USER32 ref: 009C5A44
GetDialogBaseUnits.USER32 ref: 009C5A56
StretchBlt.GDI32(?,?), ref: 009C5A6F
ReleaseDC.USER32(00000000), ref: 009C5A7C
EndPaint.USER32(?), ref: 009C5A8D
DialogBoxParamA.USER32(00000081,009C3D2E,?), ref: 009C5AE8
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C5B29
GetDlgItemTextA.USER32(000003EA,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000104), ref: 009C5B51
GetDlgItem.USER32(000003F6,000000F0), ref: 009C5B7C
SendMessageA.USER32(00000000), ref: 009C5B83
MessageBoxA.USER32(00000000,The target directory doesn't exist. Create it?,Create Directory?,00000024), ref: 009C5B9A
ShellExecuteA.SHELL32(00000000,explore,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000,00000000,00000005), ref: 009C5BE3
MessageBoxA.USER32(Are you sure you want to exit?,Confirm exit,00000034), ref: 009C5C1A
LoadMenuA.USER32(00000071), ref: 009C5C51
ClientToScreen.USER32(?), ref: 009C5C76
GetSubMenu.USER32(00000000,00000000), ref: 009C5C80
TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,00000000), ref: 009C5C9B
DestroyMenu.USER32(00000000), ref: 009C5CA8
DestroyMenu.USER32(00000000), ref: 009C5CAB
GetDlgItem.USER32(000003F7), ref: 009C5CD1
GetDlgItem.USER32(000003F9), ref: 009C5D0F

Part of subcall function 009C61A1: DestroyWindow.USER32(0002047C), ref: 009C61AB
Part of subcall function 009C61A1: ShowWindow.USER32(00000005,00000000,74DF3550,?,00004E21), ref: 009C61C3
Part of subcall function 009C61A1: GetDlgItem.USER32(000003EB,00000001), ref: 009C61E9
Part of subcall function 009C61A1: EnableWindow.USER32(00000000), ref: 009C61F2
Part of subcall function 009C61A1: GetDlgItem.USER32(000003E8,00000001), ref: 009C6201
Part of subcall function 009C61A1: EnableWindow.USER32(00000000), ref: 009C6204
Part of subcall function 009C61A1: SetDlgItemTextA.USER32(000003F7), ref: 009C6223
Part of subcall function 009C61A1: SetDlgItemTextA.USER32(000003F9), ref: 009C623C
Part of subcall function 009C61A1: GetDlgItem.USER32(000003FB,00000005), ref: 009C624B
Part of subcall function 009C61A1: ShowWindow.USER32(00000000), ref: 009C624E
Part of subcall function 009C61A1: GetDlgItem.USER32(000003FE,00000000), ref: 009C6265
Part of subcall function 009C61A1: SetWindowPos.USER32(00000000), ref: 009C626E
Part of subcall function 009C61A1: GetDlgItem.USER32(000003F7,00000000), ref: 009C6286
Part of subcall function 009C61A1: SetWindowPos.USER32(00000000), ref: 009C6289
Part of subcall function 009C61A1: GetDlgItem.USER32(000003F9,00000000), ref: 009C62A1
Part of subcall function 009C61A1: SetWindowPos.USER32(00000000), ref: 009C62A4
Part of subcall function 009C61A1: GetDlgItem.USER32(000003E8,Tahoma), ref: 009C62BE
Part of subcall function 009C61A1: GetDlgItem.USER32(000003EB,Tahoma), ref: 009C62E1

Strings

Tahoma, xrefs: 009C5CE1, 009C5D1F
Create Directory?, xrefs: 009C5B8F
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C5B13, 009C5B20, 009C5B28, 009C5B37, 009C5B45, 009C5B57, 009C5BAB, 009C5BB6, 009C5BDC
Are you sure you want to exit?, xrefs: 009C5C0F
The target directory doesn't exist. Create it?, xrefs: 009C5B94
explore, xrefs: 009C5BDD
FTDI CDM Drivers, xrefs: 009C5928
Confirm exit, xrefs: 009C5C0A

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: Item$Window$Text$Menu$DialogMessage$BaseDestroyLoadShowUnits$EnablePaint$BeginBitmapClassClientCompatibleCreateExecuteHandleIconLongModuleObjectParamPopupPostRectangleReleaseScreenSelectSendShellStretchTracklstrcpy
String ID: Are you sure you want to exit?$C:\Users\user\AppData\Local\Temp\FTDI-Driver\$Confirm exit$Create Directory?$FTDI CDM Drivers$Tahoma$The target directory doesn't exist. Create it?$explore
API String ID: 2714460918-2621332878
Opcode ID: d6d68bd7ec428f3b2793d465dada1c906d3632c9f0e713e74d6888572a9ad65a
Instruction ID: a22db34354de299b8e8d42e7dc01e70e4fad7c9d454b3a62ea4e2cda5c804b9b
Opcode Fuzzy Hash: d6d68bd7ec428f3b2793d465dada1c906d3632c9f0e713e74d6888572a9ad65a
Instruction Fuzzy Hash: BCA1E531E6C605BFDB106BA5EC0AF2A7AADEB45355F4A442CF502D90F0C671A940BF63

Uniqueness

Uniqueness Score: -1.00%

Function 009C4878 Relevance: 65.1, APIs: 17, Strings: 20, Instructions: 387
stringprocesssynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C48FE
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C4920
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C4939
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C4952
lstrlenA.KERNEL32(%temp%\FTDI-Driver\dp-chooser.exe\), ref: 009C4A01
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\FTDI-Driver\,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4A4D

Part of subcall function 009C5D38: VirtualAlloc.KERNELBASE(00000000,00000105,00001000,00000004,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver,74DF0440), ref: 009C5D89
Part of subcall function 009C5D38: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,?,?,?,?,?,74DEB530), ref: 009C5E08
Part of subcall function 009C5D38: lstrcpyA.KERNEL32(?,00000000), ref: 009C5E34
Part of subcall function 009C5D38: lstrcpyA.KERNEL32(00000000,?), ref: 009C60B1

lstrcpyA.KERNEL32(?,00000000,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4A60

Part of subcall function 009C6A2E: lstrlenA.KERNEL32(00000003,00000003,009C4A7A,?,00000003,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C6A34

GetCurrentDirectoryA.KERNEL32(00000104,009C7872), ref: 009C4C38
ShellExecuteA.SHELL32(open,?,00000000,009C7872,0000000A), ref: 009C4C52
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009C4C89
ShowWindow.USER32(00000000,?,?,?,?,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4CA0
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4CA8
ShowWindow.USER32(00000005,?,?,?,?,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4CB6
wsprintfA.USER32 ref: 009C4CE6
MessageBoxA.USER32(00000000,?,Error,00000010), ref: 009C4CFF
WinExec.KERNEL32(?), ref: 009C4D16
CreateThread.KERNEL32(00000000,00000000,009C458B,00000000,00000000,?), ref: 009C4D3B

Strings

doc, xrefs: 009C4ADE
ppt, xrefs: 009C4B62
pdf, xrefs: 009C4B41
Error, xrefs: 009C4CF8
tml, xrefs: 009C4BC1
com, xrefs: 009C4A9C
mp3, xrefs: 009C4BFB
bat, xrefs: 009C4ABD
open, xrefs: 009C4C47
%s could not be executed., xrefs: 009C4CE0
%temp%\FTDI-Driver\dp-chooser.exe\, xrefs: 009C49FB, 009C4A00, 009C4A53
htm, xrefs: 009C4BA4
txt, xrefs: 009C4B83
D, xrefs: 009C4A38
xml, xrefs: 009C4BDE
exe, xrefs: 009C4A7B
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C4881, 009C4A33, 009C4A43, 009C4A4C
xls, xrefs: 009C4AFF
prc, xrefs: 009C4B20
chm, xrefs: 009C4C18

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrcpy$CreateCurrentDirectoryShowWindowlstrlen$AllocEnvironmentExecExecuteExpandMessageObjectProcessShellSingleStringsThreadVirtualWaitwsprintf
String ID: %s could not be executed.$%temp%\FTDI-Driver\dp-chooser.exe\$C:\Users\user\AppData\Local\Temp\FTDI-Driver\$D$Error$bat$chm$com$doc$exe$htm$mp3$open$pdf$ppt$prc$tml$txt$xls$xml
API String ID: 2626025147-2000828445
Opcode ID: fc3de33de5de644b8b529ca59dac5fcbb8a72207792c9cd5d1ce8fb60d88294b
Instruction ID: d0245458ff9cdc5a5cdad9574744d2d20dd5f8b0ebe1caffaea742cc93f67c25
Opcode Fuzzy Hash: fc3de33de5de644b8b529ca59dac5fcbb8a72207792c9cd5d1ce8fb60d88294b
Instruction Fuzzy Hash: 31B164B2D483047AD620F7B19D5AFEB76DCDF99754F04081DFA49D6082EA34E6048A73

Uniqueness

Uniqueness Score: -1.00%

Function 009C4EEF Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 202
filestringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000FFFF,00001000,00000004,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C4F49
wsprintfA.USER32 ref: 009C4F98
GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 009C4FBE
lstrcpyA.KERNEL32(?,00000000), ref: 009C4FDB
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 009C4FF8
lstrlenA.KERNEL32(00000000), ref: 009C5031
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 009C5069
WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 009C50A5
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 009C50BC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009C50C8
SetFileTime.KERNELBASE(00000000,00000000,00000000,?), ref: 009C50D8
FindCloseChangeNotification.KERNELBASE(00000000), ref: 009C50DF
VirtualFree.KERNELBASE(00000000,00000000,00004000), ref: 009C50ED
wsprintfA.USER32 ref: 009C5116
lstrcpyA.KERNEL32(?,00000000), ref: 009C5135

Strings

C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C4EF5, 009C4F39
Could not get file info. This archive is likely corrupted., xrefs: 009C5156, 009C5160
Could not extract the current file., xrefs: 009C5076
%s%s, xrefs: 009C4F92, 009C5110

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: File$Time$CreateVirtuallstrcpywsprintf$AllocChangeCloseDateFindFreeFullLocalNameNotificationPathWritelstrlen
String ID: %s%s$C:\Users\user\AppData\Local\Temp\FTDI-Driver\$Could not extract the current file.$Could not get file info. This archive is likely corrupted.
API String ID: 4283028209-2570833432
Opcode ID: 72482748f2593edca82935147d872dbca37aedebd1fee612b0184b56757b8d8d
Instruction ID: 5254ba37f5851270f67789c442dbb2b7e875c35943a62f0d707978cedc94f47e
Opcode Fuzzy Hash: 72482748f2593edca82935147d872dbca37aedebd1fee612b0184b56757b8d8d
Instruction Fuzzy Hash: D95181B2D0C3457FE620E7B09C49FABB7ACABC4744F44492DF645D2181EA34A9458B73

Uniqueness

Uniqueness Score: -1.00%

Function 009C4D4C Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 130
windowsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver\,009C78C4,00000000), ref: 009C4D5F
GetFullPathNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000104,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C4D6E

Part of subcall function 009C326D: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3290
Part of subcall function 009C326D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C32B5

GetDlgItem.USER32(000003EF,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C4DB0
SendMessageA.USER32(00000000,00000401,00000000,?), ref: 009C4DCF
wsprintfA.USER32 ref: 009C4E17
SetDlgItemTextA.USER32(000003FA,?), ref: 009C4E33

Part of subcall function 009C4EEF: VirtualAlloc.KERNELBASE(00000000,0000FFFF,00001000,00000004,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000), ref: 009C4F49
Part of subcall function 009C4EEF: wsprintfA.USER32 ref: 009C4F98
Part of subcall function 009C4EEF: GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 009C4FBE
Part of subcall function 009C4EEF: lstrcpyA.KERNEL32(?,00000000), ref: 009C4FDB
Part of subcall function 009C4EEF: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 009C4FF8

Part of subcall function 009C6BF4: VirtualAlloc.KERNELBASE(00000000,00000104,00001000,00000004,?,009C574D,009CD900,?,?,?,?,?,?,?,?,00000103), ref: 009C6C03

SendMessageA.USER32(00000000,00000402,?,00000000), ref: 009C4E79
SendMessageA.USER32(00000000,00000402,?,00000000), ref: 009C4EA3
Sleep.KERNELBASE(0000012C), ref: 009C4EAA
PostMessageA.USER32(00000111,000003EB,00000000), ref: 009C4EC2

Strings

Could not read SFX info. It's likely corrupt., xrefs: 009C4EDA
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C4D59, 009C4D5E, 009C4D67, 009C4D6D, 009C4D74, 009C4DA4, 009C4E39
Could not extract the current file., xrefs: 009C4ED3
Could not get file info. This archive is likely corrupted., xrefs: 009C4EE4
Extracting %s ..., xrefs: 009C4E11
C:\Users\user\Desktop\CDM212364_Setup.exe, xrefs: 009C4D81

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: Message$FileSend$AllocCreateFullItemNamePathVirtualwsprintf$PointerPostSleepTextlstrcatlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\FTDI-Driver\$C:\Users\user\Desktop\CDM212364_Setup.exe$Could not extract the current file.$Could not get file info. This archive is likely corrupted.$Could not read SFX info. It's likely corrupt.$Extracting %s ...
API String ID: 195090891-4207902004
Opcode ID: 98b9e6c4e90ad038dd56547911aa6e8a9696b78a25d91acf5fb1f27f533fed23
Instruction ID: 4a76dbc5ed73c7fa11d9375f80f14b4a59022d83e889add5cd97464e56e59ac2
Opcode Fuzzy Hash: 98b9e6c4e90ad038dd56547911aa6e8a9696b78a25d91acf5fb1f27f533fed23
Instruction Fuzzy Hash: 3431A0B2E4C3047FE711ABA4AC46FABB79CEB84705F00482DF611950D2E7B19A149B67

Uniqueness

Uniqueness Score: -1.00%

Function 009C6631 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 67
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009C5344: lstrlenA.KERNEL32(?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C53E8
Part of subcall function 009C5344: GetTempPathA.KERNEL32(00000000,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C53EF
Part of subcall function 009C5344: GetCurrentDirectoryA.KERNEL32(00000104,C:\Users\user\Desktop,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C53FE
Part of subcall function 009C5344: GetCurrentProcess.KERNEL32(?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5404
Part of subcall function 009C5344: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\CDM212364_Setup.exe,00000104,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5418
Part of subcall function 009C5344: CreateFileA.KERNELBASE(C:\Users\user\Desktop\CDM212364_Setup.exe,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,00000103,?,00000000,00000103), ref: 009C542D
Part of subcall function 009C5344: SetFilePointer.KERNELBASE(00000000,00004E20,00000000,00000000,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5444
Part of subcall function 009C5344: ReadFile.KERNELBASE(?,00000004,?,00000000,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C5499

lstrcpyA.KERNEL32(Tahoma,MS Shell Dlg,?,00000000,009C676B,00000000), ref: 009C66B2
DialogBoxParamA.USER32(00000066,00000000,009C58D8,00000000), ref: 009C66D1

Part of subcall function 009C4752: GetFileAttributesA.KERNELBASE(?,009C5FE5,?), ref: 009C4756

ShellExecuteA.SHELL32(00000000,explore,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000,00000000,00000005), ref: 009C66F4

Part of subcall function 009C446F: GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,00000000,?,00000000,?), ref: 009C44C2
Part of subcall function 009C446F: lstrcatA.KERNEL32(?,009C78C4,?,?,00000000,?,00000000,?), ref: 009C44DC
Part of subcall function 009C446F: lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C44FA
Part of subcall function 009C446F: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4509
Part of subcall function 009C446F: lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4515
Part of subcall function 009C446F: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C451D
Part of subcall function 009C446F: lstrcatA.KERNEL32(?,009C78C4,?,?,?,?,?,00000000,?,00000000,?), ref: 009C452A
Part of subcall function 009C446F: GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4539
Part of subcall function 009C446F: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4554
Part of subcall function 009C446F: lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C457A

Strings

Tahoma, xrefs: 009C6695, 009C669A, 009C66A5
MS Shell Dlg, xrefs: 009C66A8
Tahoma, xrefs: 009C66AD
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C6664, 009C6669, 009C6674, 009C66ED
Couldn't create output directory., xrefs: 009C66DF
explore, xrefs: 009C66EE

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: File$lstrlen$NamePathlstrcat$CreateCurrentDirectoryFulllstrcpy$AttributesDialogExecuteModuleParamPointerProcessReadShellTemp
String ID: C:\Users\user\AppData\Local\Temp\FTDI-Driver\$Couldn't create output directory.$MS Shell Dlg$Tahoma$Tahoma$explore
API String ID: 2524295343-4059282012
Opcode ID: ae2045db155f37e79086c0f3c132fc8d203a9214212ea0d2421d7454a78b4e4f
Instruction ID: c90b0840a166636fa36892bfa3597d8ea011d0cf9f92bc05304ad7dc616c2eab
Opcode Fuzzy Hash: ae2045db155f37e79086c0f3c132fc8d203a9214212ea0d2421d7454a78b4e4f
Instruction Fuzzy Hash: FD110831E5E712A6D72077A2AC1AF6F6AA8DFC2B65B10042DF00555081CB749541DB77

Uniqueness

Uniqueness Score: -1.00%

Function 009C446F Relevance: 15.1, APIs: 10, Instructions: 99
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,00000000,?,00000000,?), ref: 009C44C2
lstrcatA.KERNEL32(?,009C78C4,?,?,00000000,?,00000000,?), ref: 009C44DC

Part of subcall function 009C6773: lstrlenA.KERNEL32(009C78C4,?,00000000,00000000,009C5E22,?,009C78C4,00000000), ref: 009C677D

lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C44FA
lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4509
lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4515
lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C451D
lstrcatA.KERNEL32(?,009C78C4,?,?,?,?,?,00000000,?,00000000,?), ref: 009C452A
GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4539
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4554
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C457A

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrlen$lstrcat$FullNamePath$CreateDirectorylstrcpy
String ID:
API String ID: 3912926673-0
Opcode ID: ee9d3e19baa8ff3dc074b3cee9f7e05287924a93ce752550bdf25d0a4fdd8688
Instruction ID: 4e5944f0af13a02a04dddc090dcdd59a3e79e1e1c199b7f8065a69a3a64e7da7
Opcode Fuzzy Hash: ee9d3e19baa8ff3dc074b3cee9f7e05287924a93ce752550bdf25d0a4fdd8688
Instruction Fuzzy Hash: 103132B1908349ABD610DBA4DC85FEBB7ECEB89754F00082EB654D3101E634DD088BB3

Uniqueness

Uniqueness Score: -1.00%

Function 009C47E6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000001,80000000,00000001,00000000,00000003,00000080,00000000,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000,009C4C67,?), ref: 009C47FE
CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 009C4817
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4824
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,00000040,?,00000000), ref: 009C4836
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4847
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C484A
IsBadReadPtr.KERNEL32(?,000000F8,?,?,?,?,?,?,?,00000000,00000040,?,00000000,00000103), ref: 009C4863

Strings

C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C47E7

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: CloseFileHandle$Create$MappingReadView
String ID: C:\Users\user\AppData\Local\Temp\FTDI-Driver\
API String ID: 3293654376-1448782821
Opcode ID: 5ffdc15f5caa9b5d68a475843aa9061543d53221c23f30c5a6b7450833a5815a
Instruction ID: 84d0b0e5e2b7e9967e4a28bb02dce7e51f79cacc87e88e0e5e8e57a07bd0f749
Opcode Fuzzy Hash: 5ffdc15f5caa9b5d68a475843aa9061543d53221c23f30c5a6b7450833a5815a
Instruction Fuzzy Hash: DF019271F18125BFF6311B709CA8F7B256CEF45BEAF114528FA01A60D1E6644C016BB2

Uniqueness

Uniqueness Score: -1.00%

Function 009C523B Relevance: 12.1, APIs: 8, Instructions: 61
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(?), ref: 009C525A
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 009C527C
GetObjectA.GDI32(00000000,?,75C08FB0), ref: 009C527F
lstrcpyA.KERNEL32(?,?), ref: 009C52AC
CreateFontIndirectA.GDI32(?), ref: 009C52B7
SetBkMode.GDI32(00000000,00000002), ref: 009C52C6
SendMessageA.USER32(00000000,00000030,00000000,00000001), ref: 009C52D5
ReleaseDC.USER32(?,00000000), ref: 009C52DC

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectModeObjectReleaselstrcpy
String ID:
API String ID: 603193727-0
Opcode ID: 3e16706cc2991718459bffeca474f08da2baa12d928b92ff9ffec872ab4528b9
Instruction ID: 58c4cd1784f849a2ce13ca58942cef5f6d4ec2a823fed9ddb04575992eb744c8
Opcode Fuzzy Hash: 3e16706cc2991718459bffeca474f08da2baa12d928b92ff9ffec872ab4528b9
Instruction Fuzzy Hash: 8E116A7590C304AFD7119BA4DC84F6BBBECEB88751F00082DFA44D2260D6B5D9089F22

Uniqueness

Uniqueness Score: -1.00%

Function 009C3AED Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00000000,009C32AC,00000000,00000002,00000000,00000000,00000000,?,?,009C32AC,00000000,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3B11
VirtualAlloc.KERNELBASE(00000000,00000404,00001000,00000004,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,?,?,009C32AC,00000000,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3B39
SetFilePointer.KERNELBASE(00000000,009C32AC,00000000,00000000,?,?,009C32AC,00000000,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3B7B
ReadFile.KERNELBASE(009C32AC,00000000,009C32AC,009C32AC,00000000,?,?,009C32AC,00000000,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3B93
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,009C32AC,00000000,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3BE2

Strings

C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C3B23

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: File$PointerVirtual$AllocFreeRead
String ID: C:\Users\user\AppData\Local\Temp\FTDI-Driver\
API String ID: 3108635511-1448782821
Opcode ID: 929f651043d6f3e5268978cfae15b54a85f2540655752f89dbe3547f690f7ff0
Instruction ID: 2dd915832ca940efdd6b0de0f60ab104d2fe7b2bab26a0400414f69a46427a46
Opcode Fuzzy Hash: 929f651043d6f3e5268978cfae15b54a85f2540655752f89dbe3547f690f7ff0
Instruction Fuzzy Hash: 5C310071A083046FE7208A669C48F3BBB99EB84758F10C66DF655860E1D771DE048B52

Uniqueness

Uniqueness Score: -1.00%

Function 009C6A4F Relevance: 10.1, APIs: 8, Instructions: 71
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000,74DE8A60,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530), ref: 009C6A5D
lstrlenA.KERNEL32(?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver,74DF0440), ref: 009C6A68
lstrcmpA.KERNEL32(?,?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6A71
lstrlenA.KERNEL32(?,00000000,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6A99
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530), ref: 009C6AB6
lstrcpyA.KERNEL32(00000000,?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6ACE
lstrcpyA.KERNEL32(00000000,00000000,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6AE5
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0), ref: 009C6AF3

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrlen$Virtuallstrcpy$AllocFreelstrcmp
String ID:
API String ID: 1979252130-0
Opcode ID: 09e614850b475128c3029e86740a077e52184c9a5eefcdca5812a4a59425d37e
Instruction ID: 8a19a059f59a94d5ca5d6eeb37eadde67d5b50a9c34975a9f7e0f2e292d49931
Opcode Fuzzy Hash: 09e614850b475128c3029e86740a077e52184c9a5eefcdca5812a4a59425d37e
Instruction Fuzzy Hash: 3011B272A0C345AFD610DFA9DC04F1BFBACEF94B50F10492DF681A2190DB71E8089B66

Uniqueness

Uniqueness Score: -1.00%

Function 009C3821 Relevance: 9.3, APIs: 6, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,?,00000000,00000000,?,00000000,00000000,00000000), ref: 009C3845

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: aadb4083c6b64a645ff14e18a8fdcd014086d7699b4209958e5d8ab4c3cb6a74
Instruction ID: 15a22dc8b9113a4b6f672955ae5ef240a02a70855dd693963d3007dba051e904
Opcode Fuzzy Hash: aadb4083c6b64a645ff14e18a8fdcd014086d7699b4209958e5d8ab4c3cb6a74
Instruction Fuzzy Hash: 44918176A08305AFE7219E61CC80F6BB7E9AF84350F50C52DF9A5D21A0EB71DD248B52

Uniqueness

Uniqueness Score: -1.00%

Function 009C326D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,C:\Users\user\AppData\Local\Temp\FTDI-Driver\,00000000,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3290

Part of subcall function 009C3AED: SetFilePointer.KERNELBASE(00000000,009C32AC,00000000,00000002,00000000,00000000,00000000,?,?,009C32AC,00000000,?,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C3B11

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C32B5
CloseHandle.KERNEL32(00000000), ref: 009C3381
VirtualAlloc.KERNELBASE(00000000,00000080,00001000,00000004), ref: 009C33B3

Strings

C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C3273, 009C3276

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: File$Pointer$AllocCloseCreateHandleVirtual
String ID: C:\Users\user\AppData\Local\Temp\FTDI-Driver\
API String ID: 4021238690-1448782821
Opcode ID: 2234325f7fc5d58a41f202f2fb2dca027ddf9a2a32360eccd3ce181954f9f7ad
Instruction ID: 03eeb9624b616a7134d45da514541a435b66f4bfcd7a40040bdc6a7f15df1378
Opcode Fuzzy Hash: 2234325f7fc5d58a41f202f2fb2dca027ddf9a2a32360eccd3ce181954f9f7ad
Instruction Fuzzy Hash: FD41B672A08344AFD3219E61DC40FAB76ECEBC9794F00C62DFD85E6181EA25DE494793

Uniqueness

Uniqueness Score: -1.00%

Function 009C476E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C69D5: RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000103,?,00000000,00000103), ref: 009C69F0
Part of subcall function 009C69D5: RegQueryValueExA.KERNELBASE(?,00000104,00000000,?,?,?), ref: 009C6A1B
Part of subcall function 009C69D5: RegCloseKey.KERNELBASE(?), ref: 009C6A24

lstrcatA.KERNEL32(00000000,009C78C4,?,?,?,?,00000000), ref: 009C47B8
lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,00000000), ref: 009C47C4
lstrcatA.KERNEL32(00000000,.ttf,?,?,?,?,00000000), ref: 009C47D2

Part of subcall function 009C516B: GetFileAttributesA.KERNELBASE(?,?,?,?,Tahoma,74DE8A60,?,009C47E0,00000000,?,?,?,?,00000000), ref: 009C519C

Strings

.ttf, xrefs: 009C47C6
Fonts, xrefs: 009C4799

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrcat$AttributesCloseFileOpenQueryValue
String ID: .ttf$Fonts
API String ID: 2582290769-938498235
Opcode ID: 18623c6b6805f32e0491770d717d86f22091352ea80501ece5c0e34027424a4d
Instruction ID: 09629a03cc2aa3af661ce52e229c57baa32b3e33e84f6199656a9b216884907f
Opcode Fuzzy Hash: 18623c6b6805f32e0491770d717d86f22091352ea80501ece5c0e34027424a4d
Instruction Fuzzy Hash: E6F036B1C0422C67DF20E6A49D86FDABB6CDB54718F0000D6BA4CA3041D5B4A7D48F91

Uniqueness

Uniqueness Score: -1.00%

Function 009C69D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000103,?,00000000,00000103), ref: 009C69F0
RegQueryValueExA.KERNELBASE(?,00000104,00000000,?,?,?), ref: 009C6A1B
RegCloseKey.KERNELBASE(?), ref: 009C6A24

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 009C69E6

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 3677997916-2036018995
Opcode ID: 217b9d6361f36d86f9ff67b516b6299650bcba19b4794bf17adcb78845b5c9e2
Instruction ID: 09b533269466365173970034ac754777742df204a70edaa2ff324d3e010b28b4
Opcode Fuzzy Hash: 217b9d6361f36d86f9ff67b516b6299650bcba19b4794bf17adcb78845b5c9e2
Instruction Fuzzy Hash: 5FF0D47494420CBFEB11DF90DD49F9CBB78EB04718F504094BE04A1190D7B15A54AF81

Uniqueness

Uniqueness Score: -1.00%

Function 009C33DA Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

1.1.3, xrefs: 009C34AA

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID:
String ID: 1.1.3
API String ID: 0-2347784635
Opcode ID: 8cb414bf44e197a9a9002ee910cec8fd4ef921a8df888ab50287ad5b800b3927
Instruction ID: 0912537dc52a36ed8fd3a5c789b44208b9384e73252d4db983cc96a0f4a9c46a
Opcode Fuzzy Hash: 8cb414bf44e197a9a9002ee910cec8fd4ef921a8df888ab50287ad5b800b3927
Instruction Fuzzy Hash: 6B414AB1909B16AFD325CF2AD841F52B7E8FB48750B10C91EE996D2A90DB30F540CF55

Uniqueness

Uniqueness Score: -1.00%

Function 009C43AF Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(0002047C,009C61A0), ref: 009C43B9
DestroyWindow.USER32(00020460,009C61A0), ref: 009C43C9
FindCloseChangeNotification.KERNELBASE(00000190,009C61A0), ref: 009C43D9
ExitProcess.KERNEL32 ref: 009C43E1

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: DestroyWindow$ChangeCloseExitFindNotificationProcess
String ID:
API String ID: 1096592630-0
Opcode ID: 4ae0c1677e9d84da88c9be8254d7b4fab15d87c5267318ce910a19a931f6e3b4
Instruction ID: 5ae20a55755c9af46eace810b628a9e2564de579ece21256d6507995fc7e6d6d
Opcode Fuzzy Hash: 4ae0c1677e9d84da88c9be8254d7b4fab15d87c5267318ce910a19a931f6e3b4
Instruction Fuzzy Hash: B7E04270F6C3419BDB10AFBAAE5CF1676ECBB447417084418B906D22A4DA64D900EF21

Uniqueness

Uniqueness Score: -1.00%

Function 009C516B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 009C6A4F: lstrlenA.KERNEL32(?,?,00000000,74DE8A60,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530), ref: 009C6A5D
Part of subcall function 009C6A4F: lstrlenA.KERNEL32(?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver,74DF0440), ref: 009C6A68
Part of subcall function 009C6A4F: lstrcmpA.KERNEL32(?,?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6A71
Part of subcall function 009C6A4F: lstrlenA.KERNEL32(?,00000000,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6A99
Part of subcall function 009C6A4F: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530), ref: 009C6AB6

Part of subcall function 009C6A4F: lstrcpyA.KERNEL32(00000000,?,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6ACE
Part of subcall function 009C6A4F: lstrcpyA.KERNEL32(00000000,00000000,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0,C:\Users\user\AppData\Local\Temp\FTDI-Driver), ref: 009C6AE5
Part of subcall function 009C6A4F: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,009C5DE6,?,009C791C,009C7920,00000104,?,?,?,?,?,74DEB530,74DE83C0), ref: 009C6AF3

GetFileAttributesA.KERNELBASE(?,?,?,?,Tahoma,74DE8A60,?,009C47E0,00000000,?,?,?,?,00000000), ref: 009C519C

Strings

Tahoma, xrefs: 009C516D

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrlen$Virtuallstrcpy$AllocAttributesFileFreelstrcmp
String ID: Tahoma
API String ID: 446193826-3580928618
Opcode ID: 251004778c635f561c0ac7ed40407f3881fa7d44436414ca18d395825d915cce
Instruction ID: 441961ceda8fd816e6b2c67f62787dce29302027c518d40373f6c540e23c23ee
Opcode Fuzzy Hash: 251004778c635f561c0ac7ed40407f3881fa7d44436414ca18d395825d915cce
Instruction Fuzzy Hash: CCE086B29082103FD7115A699C99E5FBEEDDFCA770B10953DF124A51E0C6628C50D673

Uniqueness

Uniqueness Score: -1.00%

Function 009C34F8 Relevance: 3.1, APIs: 2, Instructions: 138fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000000,00000000,?,00000000,00000000,?,?,?,009C508C,?,00000000,0000FFFF), ref: 009C3574
ReadFile.KERNELBASE(?,?,00004000,?,00000000,?,?,009C508C,?,00000000,0000FFFF), ref: 009C3590

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8fffc68718d75a293aa8068e246cfaddd69ab733e1505b78fb45cfd04521fafc
Instruction ID: 904928eab97cd6e2e3c9e4b9fa7e7647fd5c6b9a92f62151a74314df141b5c3b
Opcode Fuzzy Hash: 8fffc68718d75a293aa8068e246cfaddd69ab733e1505b78fb45cfd04521fafc
Instruction Fuzzy Hash: D9513371A04359AFCF11CF29C985AAA7BA9FF84760F24C52EF85986240D770DE50CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009C30E6 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,009C4E95,00000000,00000000), ref: 009C3103
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009C3111

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: ChangeCloseFindFreeNotificationVirtual
String ID:
API String ID: 560371109-0
Opcode ID: 750c50348f906839b42ba5db32ab8511077e46245e84f3b0d9bab36ef7cd9130
Instruction ID: 47eea3377517d831f24358e8f8c4ba55bef26f8f1052ef2bf53ed4bf7bf1901e
Opcode Fuzzy Hash: 750c50348f906839b42ba5db32ab8511077e46245e84f3b0d9bab36ef7cd9130
Instruction Fuzzy Hash: 3EE0C23291C620AEEA329B54BC09F9A7794AF08770F25C40DF191A50E0CB605A818F85

Uniqueness

Uniqueness Score: -1.00%

Function 009C589E Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

CreateDialogParamA.USER32(?,009C3F22,00000000,74DF3550,009C61D5), ref: 009C58BB
SetWindowPos.USER32(00000000,00000000,0000002C,00000046,00000000,00000000,00000001,?,00004E21), ref: 009C58D0

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: CreateDialogParamWindow
String ID:
API String ID: 1135826248-0
Opcode ID: 1ffb9e4c85ceb34bce06c9f40cd3ef2df65fa5d7133a159a8359f4f29628e2ac
Instruction ID: 91e3b60ce182d3f1d483eec0a4178e2ea613dda6ad2605ad77f7c0c886ca75f8
Opcode Fuzzy Hash: 1ffb9e4c85ceb34bce06c9f40cd3ef2df65fa5d7133a159a8359f4f29628e2ac
Instruction Fuzzy Hash: 2BE01271D6D220BFEA605F95BC0DFA77EADEB4A750F444405B209D50A0C2654800FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C311B Relevance: 2.5, APIs: 2, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cefd2eeb41b204236065d8ecc9bbb055378bb85eb1bea734c16eb12342bde10
Instruction ID: 74bf6a505b888eaacda6971813c4a750e687d44cb5bf6497c50cdad0897f2e25
Opcode Fuzzy Hash: 0cefd2eeb41b204236065d8ecc9bbb055378bb85eb1bea734c16eb12342bde10
Instruction Fuzzy Hash: 09018432608B10AFD7318E55DC45F52B3E4BB45B66F24CA1DE1669A0E0C774E448CB55

Uniqueness

Uniqueness Score: -1.00%

Function 009C6BF4 Relevance: 2.5, APIs: 2, Instructions: 27memorystringCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000104,00001000,00000004,?,009C574D,009CD900,?,?,?,?,?,?,?,?,00000103), ref: 009C6C03
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000103,?,00000000,00000103,?,00000000), ref: 009C6C16

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: AllocVirtuallstrcpy
String ID:
API String ID: 4117716100-0
Opcode ID: 1108a5fdfda8f0019bae9627dc5c86b19d8097bd00d514cb275d92233cf66be4
Instruction ID: c79b7999a312aaac6445062615b7891083230feefd11698b26e1fc069154d598
Opcode Fuzzy Hash: 1108a5fdfda8f0019bae9627dc5c86b19d8097bd00d514cb275d92233cf66be4
Instruction Fuzzy Hash: 02E0927599A3109FD7228F10EC04FE6BBA4EF19762F01846DFAC69B290C77088819F51

Uniqueness

Uniqueness Score: -1.00%

Function 009C3668 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000000,00000000,?,?,00000000,?,009C341A,?,?,00000000,?,00000000,00000000), ref: 009C3690

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c2ecb1b47e668711009feb87f7f0a29cb41dc9c69c7256d41b7b7730f4566945
Instruction ID: 0f2e4202ac805c77a8d25181af56b42637b7e1b55dd0adac604253f6f3a42969
Opcode Fuzzy Hash: c2ecb1b47e668711009feb87f7f0a29cb41dc9c69c7256d41b7b7730f4566945
Instruction Fuzzy Hash: 785195B29083129F9721CE25DD50F6AB7D8EF84360F10CA2DFC51D7191DB21EE548B92

Uniqueness

Uniqueness Score: -1.00%

Function 009C3BF3 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00000001,00000000,00000000,?,?,?,009C3C3F,00000000,?,00000000,?,00000000,009C32D0,00000000), ref: 009C3C07

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ed02633bfe25bf37228c3a0a89bb50f2d728d6beee3a7194a1c62aa5e7222bcc
Instruction ID: c0f0c913ad147ea28f7bf0a2b1a6388a5488ef6482b925189338a7a24a4be64f
Opcode Fuzzy Hash: ed02633bfe25bf37228c3a0a89bb50f2d728d6beee3a7194a1c62aa5e7222bcc
Instruction Fuzzy Hash: A4E0927061810DBFEB08CB91CC15FBE7BACEB04340F0085A8FC46D6180E7729E448B61

Uniqueness

Uniqueness Score: -1.00%

Function 009C4752 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,009C5FE5,?), ref: 009C4756

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0b89fd83990b0859caf35c45bfdadfa1a61d66078d153193e69084d5636f6e48
Instruction ID: 9894ea57ba36b1ab3498bbcc744df9e7d7649ba02e64435e2e70360836f9b0a8
Opcode Fuzzy Hash: 0b89fd83990b0859caf35c45bfdadfa1a61d66078d153193e69084d5636f6e48
Instruction Fuzzy Hash: 52C09271928500669A005734AE199697593FBD2A36BD48BE8F275C08F0C729CA15FA12

Uniqueness

Uniqueness Score: -1.00%

Function 009C6856 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,75BF6C10,009C65C9,www.ftdichip.com,00000007,mailto:), ref: 009C6868

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e45fd8ba87ab367b44723afa623e2dda96a68d751d6bb3341f298ac107895d30
Instruction ID: bb782bc60a6df5e3626c2f2cb9cb17dd7afbb31a381a57f8dd017b62886fe8de
Opcode Fuzzy Hash: e45fd8ba87ab367b44723afa623e2dda96a68d751d6bb3341f298ac107895d30
Instruction Fuzzy Hash: 77E02B32A492515EE315867C9C10F66F7DE6FDAB50F19405DF1C08B194C5B05C4183A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C3D02 Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 009C3D15

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 34b0e98da92b837252510b91d98e1de23fe64942fb63a9213db4e675750c9389
Instruction ID: facbdb41caa5adce9967c64e0926ebf502b05f7728eb0de31767d459414efa56
Opcode Fuzzy Hash: 34b0e98da92b837252510b91d98e1de23fe64942fb63a9213db4e675750c9389
Instruction Fuzzy Hash: 01C09B7164C341BFF910C740DD46F16B794D794752F008404F3449D0D0C1B094408B15

Uniqueness

Uniqueness Score: -1.00%

Function 009C3D1C Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 009C3D27

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 227ed292042aeb00ab62df2dbde57c8654d9baedd5d70dacfcdc61c486cb6146
Instruction ID: 0badd9c8d3b958152850b7b18d74e02a43f00bfb1e2e50581c369a2052ede6f3
Opcode Fuzzy Hash: 227ed292042aeb00ab62df2dbde57c8654d9baedd5d70dacfcdc61c486cb6146
Instruction Fuzzy Hash: 79A00230AAC741ABFE61DF51DD0AF09FB61BB90B02F204854B295A80F08BA1645CEF09

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009C6130 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000), ref: 009C6141
GetLastError.KERNEL32(00000400,009C7872,00000000,00000000), ref: 009C6158
FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 009C6165
wsprintfA.USER32 ref: 009C617D
MessageBoxA.USER32(00000000,?,FreeExtractor Error,00000010), ref: 009C6195

Strings

FreeExtractor Error, xrefs: 009C618E
An error prevents this program from continuing: %s %s, xrefs: 009C6177

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: ErrorLastMessage$Formatwsprintf
String ID: An error prevents this program from continuing: %s %s$FreeExtractor Error
API String ID: 1581998817-4084750130
Opcode ID: a08e8fff25515dc8e794be98c5f156edcfbf26ec05940764f99a6e6322be7c06
Instruction ID: 2f98f93c8fef08e4709471b59f735736f057868cf7173bd83d9d96b0e51e560d
Opcode Fuzzy Hash: a08e8fff25515dc8e794be98c5f156edcfbf26ec05940764f99a6e6322be7c06
Instruction Fuzzy Hash: FAF01DB5D4C108BBDB10ABE59D4DFAEBA7CAB88B05F000098B715A1091D6708611EF26

Uniqueness

Uniqueness Score: -1.00%

Function 009C6B05 Relevance: 6.1, APIs: 4, Instructions: 65comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009C6B12
CoCreateInstance.OLE32(009C7E9C,00000000,00000001,009C7E7C,?), ref: 009C6B29
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009C6B5B
CoUninitialize.OLE32 ref: 009C6BA1

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: ByteCharCreateInitializeInstanceMultiUninitializeWide
String ID:
API String ID: 2968213145-0
Opcode ID: 96029eb0b060ac6b8ef550eba53fb69eeddeeceaa229a7b1aad6854c74b5f0a4
Instruction ID: f51f13ce9e93e7c3ff26d7b21dbe98f50ea7afcc7ae3722574df6d697e64bac1
Opcode Fuzzy Hash: 96029eb0b060ac6b8ef550eba53fb69eeddeeceaa229a7b1aad6854c74b5f0a4
Instruction Fuzzy Hash: 7B210875A04118BFDB00DF94CC88EAABBB9EF49715F100198B509DB1A0CB71AE45DF61

Uniqueness

Uniqueness Score: -1.00%

Function 009C2A18 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04263c2ff9d96fd38a895ad8ef9b974066c304e932d3302d1531fd5a9585c8b
Instruction ID: f64b71123d29b66c873ae65de54d1698c9f152bf5c45a871ea790a6c808673ad
Opcode Fuzzy Hash: b04263c2ff9d96fd38a895ad8ef9b974066c304e932d3302d1531fd5a9585c8b
Instruction Fuzzy Hash: FEE13370A083598FC724DF28C080A6ABBE5FBD9714F604A2EE599C7351E770E945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 009C1114 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b2ec2cef3ecba2fd2295ceed20fea03133440fd447a3d8aa8a6f6ea2d88776
Instruction ID: c91d0206dd84a958bb109413840c4e337fb3a406be616ce78f49b69d08c5fee6
Opcode Fuzzy Hash: 75b2ec2cef3ecba2fd2295ceed20fea03133440fd447a3d8aa8a6f6ea2d88776
Instruction Fuzzy Hash: FD216873E2C0920B871DCF65DCA2932F751FB5620270E467DDA97D6481C52DE621DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C3D2E Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 159windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,000000A1,00000002,?), ref: 009C3D73
GetDlgItem.USER32(?,000003F2), ref: 009C3D8C
ShellExecuteA.SHELL32(?,open,http://www.disoriented.com/,00000000,00000000,00000001), ref: 009C3E34
wsprintfA.USER32 ref: 009C3E76
SetDlgItemTextA.USER32(?,00002732,?), ref: 009C3E8E
BeginPaint.USER32(?,?), ref: 009C3E9D
SetROP2.GDI32(00000000,00000010), ref: 009C3EA8
Rectangle.GDI32(00000000,00000000,00000000,000001F4,000001F4), ref: 009C3EBA
CreateCompatibleDC.GDI32(00000000), ref: 009C3EC1
LoadBitmapA.USER32(0000007E), ref: 009C3ED1
SelectObject.GDI32(00000000,00000000), ref: 009C3ED9
StretchBlt.GDI32(?,00000008,00000012,0000002B,0000002A,00000000,00000000,00000000,0000002B,0000002A,00CC0020), ref: 009C3EF6
ReleaseDC.USER32(?,00000000), ref: 009C3F00
EndPaint.USER32(?,?), ref: 009C3F0D

Strings

v1.44, xrefs: 009C3E65
MS Shell Dlg, xrefs: 009C3D9B
Tahoma, xrefs: 009C3DD1, 009C3DFC
http://www.disoriented.com/, xrefs: 009C3E27
FreeExtractor %s, xrefs: 009C3E70
open, xrefs: 009C3E2C

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: ItemPaint$BeginBitmapCompatibleCreateExecuteLoadMessageObjectPostRectangleReleaseSelectShellStretchTextwsprintf
String ID: FreeExtractor %s$MS Shell Dlg$Tahoma$http://www.disoriented.com/$open$v1.44
API String ID: 1220389699-1489544392
Opcode ID: 1d0980ce7d7535fb0dd1628e0e2c3288e43210dca71b1e56459eaeb66548afcc
Instruction ID: 751c5db2fd420b52ea1b6ca0118c49839cf3a0aa1efe916119556f56cc308a57
Opcode Fuzzy Hash: 1d0980ce7d7535fb0dd1628e0e2c3288e43210dca71b1e56459eaeb66548afcc
Instruction Fuzzy Hash: CA419871E9C209BFEB215FA1DC49FBA7A6CEB04785F04C428FA06A50E1C7B14E51AF51

Uniqueness

Uniqueness Score: -1.00%

Function 009C458B Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 129sleepwindowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(000003EF), ref: 009C459F
ShowWindow.USER32(00000005), ref: 009C45C3
SetDlgItemTextA.USER32(000003F7,File Cleanup), ref: 009C45DF
SetDlgItemTextA.USER32(000003F9,Removing temp files), ref: 009C45F1
SetDlgItemTextA.USER32(000003FA,Cleaning up ...), ref: 009C4603
SendMessageA.USER32(00000000,00000401,00000000,?), ref: 009C461B
SetDlgItemTextA.USER32(000003F8,The extracted files are being removed.), ref: 009C4631
Sleep.KERNEL32(000001F4), ref: 009C463E
wsprintfA.USER32 ref: 009C4673
wsprintfA.USER32 ref: 009C468D
SetDlgItemTextA.USER32(000003FA,?), ref: 009C46A5
RemoveDirectoryA.KERNEL32(00000000), ref: 009C46D4
DeleteFileA.KERNEL32(00000000), ref: 009C46EE
SendMessageA.USER32(?,00000402,?,00000000), ref: 009C4719
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\FTDI-Driver\), ref: 009C473D
Sleep.KERNEL32(000001F4), ref: 009C4748

Strings

File Cleanup, xrefs: 009C45CF
Removing temp files, xrefs: 009C45E1
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C4664, 009C4738
Cleaning up ..., xrefs: 009C45F3
%s%s, xrefs: 009C466D
The extracted files are being removed., xrefs: 009C4621
Deleting %s ..., xrefs: 009C4687

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: Item$Text$DirectoryMessageRemoveSendSleepwsprintf$DeleteFileShowWindow
String ID: %s%s$C:\Users\user\AppData\Local\Temp\FTDI-Driver\$Cleaning up ...$Deleting %s ...$File Cleanup$Removing temp files$The extracted files are being removed.
API String ID: 2665098269-4245776221
Opcode ID: 359d3701607ea537f39954f0aa1c58692fc11f3208d4edb24c605698cad25944
Instruction ID: 8311e6f24117cb0898527ce80cd2d751e2dd196217bc3a0666d9426b602415b4
Opcode Fuzzy Hash: 359d3701607ea537f39954f0aa1c58692fc11f3208d4edb24c605698cad25944
Instruction Fuzzy Hash: 38419671E5D3057FD700ABB4ED4AF6A7B9CEB85B00F00082DF645A50E2DA719A449B23

Uniqueness

Uniqueness Score: -1.00%

Function 009C43E8 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C446F: GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,00000000,?,00000000,?), ref: 009C44C2
Part of subcall function 009C446F: lstrcatA.KERNEL32(?,009C78C4,?,?,00000000,?,00000000,?), ref: 009C44DC
Part of subcall function 009C446F: lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C44FA
Part of subcall function 009C446F: lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4509
Part of subcall function 009C446F: lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4515
Part of subcall function 009C446F: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C451D
Part of subcall function 009C446F: lstrcatA.KERNEL32(?,009C78C4,?,?,?,?,?,00000000,?,00000000,?), ref: 009C452A
Part of subcall function 009C446F: GetFullPathNameA.KERNEL32(?,00000104,?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4539
Part of subcall function 009C446F: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C4554
Part of subcall function 009C446F: lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 009C457A

GetLastError.KERNEL32 ref: 009C4407
GetLastError.KERNEL32(00000400,009C7872,00000000,00000000), ref: 009C441E
FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 009C442C
wsprintfA.USER32 ref: 009C4441
MessageBoxA.USER32(?,Couldn't create directory,00000010), ref: 009C445E

Strings

Could not create the target directory. %sBe sure that it does not contain an invalid character: / \ : * ? " < > | , xrefs: 009C443B
C:\Users\user\AppData\Local\Temp\FTDI-Driver\, xrefs: 009C43F1
Couldn't create directory, xrefs: 009C4452

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrcatlstrlen$ErrorFullLastMessageNamePath$CreateDirectoryFormatlstrcpywsprintf
String ID: C:\Users\user\AppData\Local\Temp\FTDI-Driver\$Could not create the target directory. %sBe sure that it does not contain an invalid character: / \ : * ? " < > | $Couldn't create directory
API String ID: 3332223613-3842080595
Opcode ID: f8f94aa62f04e8af6d7136aa9f3f833315a2d734f9020df854628d0afc1b3264
Instruction ID: c39293418cafe2ceefcb6b784bd51e3a62cc60f83fe42c28788f2b6b7e0a7b35
Opcode Fuzzy Hash: f8f94aa62f04e8af6d7136aa9f3f833315a2d734f9020df854628d0afc1b3264
Instruction Fuzzy Hash: F1016D71F5C208BBDB10DBF09D06FA9B7BC9B44B05F500058BB05E50D1D67059159F57

Uniqueness

Uniqueness Score: -1.00%

Function 009C51B0 Relevance: 13.5, APIs: 9, Instructions: 43stringwindowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 009C51C5
GetObjectA.GDI32(00000000), ref: 009C51CC
lstrcpyA.KERNEL32(00000000,?,?,?,00000000,009C5CFC,?,?,000001F4,00000000,Tahoma,00000000,00000002,00000000), ref: 009C51EB
CreateFontIndirectA.GDI32(?), ref: 009C51F5
SelectObject.GDI32(?,00000000), ref: 009C5204
SetBkMode.GDI32(?,000001F4), ref: 009C5210
SetTextColor.GDI32(?,00000000), ref: 009C521C
DeleteObject.GDI32 ref: 009C5228
GetStockObject.GDI32(?), ref: 009C5231

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: Object$ColorCreateDeleteFontIndirectMessageModeSelectSendStockTextlstrcpy
String ID:
API String ID: 3306163807-0
Opcode ID: 044ec9351cd64a96a972046291dacb901af66a9b339ccf90b2e6228220e92ebf
Instruction ID: 4a8f8338be2810a486522785c939c0adebed6cfd6082bf53d82acad9b3e67493
Opcode Fuzzy Hash: 044ec9351cd64a96a972046291dacb901af66a9b339ccf90b2e6228220e92ebf
Instruction Fuzzy Hash: 5E119072C18208EFCF01AFE4EC09E9DBBB9FB08211F008115FA15A6260D6319920AF60

Uniqueness

Uniqueness Score: -1.00%

Function 009C6700 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 009C6707
GetStartupInfoA.KERNEL32(?), ref: 009C6745
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 009C675F
ExitProcess.KERNEL32 ref: 009C676C

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 621bc9420892257b85a3443267e5a8b32e152f6d4c8c5ab8acaed6cb145528bc
Instruction ID: 6af4cac44dc4e4054663fa9622cec1037b1c041257ab934768aca0c1c0b546b8
Opcode Fuzzy Hash: 621bc9420892257b85a3443267e5a8b32e152f6d4c8c5ab8acaed6cb145528bc
Instruction Fuzzy Hash: 0901A771C583485AEF304BA88849FB97BECAB1E318F24081DE8C1D1182D2584D839767

Uniqueness

Uniqueness Score: -1.00%

Function 009C52E9 Relevance: 5.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009C68DE: lstrlenA.KERNEL32(009C501A,00000000,?,009C501A,?), ref: 009C68F0

lstrcpyA.KERNEL32(00000000,00000000,009CD900,74DE83C0,00000000,009C4980,?,?,?,?), ref: 009C5302
lstrcpyA.KERNEL32(00000000,00000000), ref: 009C531E
lstrlenA.KERNEL32(00000000), ref: 009C5321

Part of subcall function 009C6856: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,75BF6C10,009C65C9,www.ftdichip.com,00000007,mailto:), ref: 009C6868

lstrcpyA.KERNEL32(00000000,00000000), ref: 009C5334

Memory Dump Source

Source File: 00000000.00000002.1871378385.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1871346781.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871410051.00000000009C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871442928.00000000009C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871475800.00000000009CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1871539768.00000000009CF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_CDM212364_Setup.jbxd

Similarity

API ID: lstrcpy$lstrlen$AllocVirtual
String ID:
API String ID: 1716591843-0
Opcode ID: 39670086fbc585195a384360b9601a423bc6de2af7fc816c48b3d087a84af4f9
Instruction ID: 69011f5e8ba4602d7030d1bddcb985c4a1ed818c5a2257b71b42d9a4d8652deb
Opcode Fuzzy Hash: 39670086fbc585195a384360b9601a423bc6de2af7fc816c48b3d087a84af4f9
Instruction Fuzzy Hash: 3FF039E29083557FF120BB75AC8EF2BAF6CDAC0364B10086DF50582193DA25AC118A72

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dp-chooser.exePID: 7360, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	69

Executed Functions

Function 00401B10 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 118
memoryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401B33
_memset.LIBCMT ref: 00401B43
GetProcessHeap.KERNEL32 ref: 00401B52
_wcslen.LIBCMT ref: 00401B6F
HeapAlloc.KERNEL32(?,00000000,00000000), ref: 00401B89
CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00000000,00000000), ref: 00401BCB
CloseHandle.KERNEL32(00000000), ref: 00401C33
CloseHandle.KERNEL32(00000000), ref: 00401C43
HeapFree.KERNEL32(?,00000000,00000000), ref: 00401C59

Strings

D, xrefs: 00401B4B
CreateProcess, xrefs: 00401BD5

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: Heap$CloseHandleProcess_memset$AllocCreateFree_wcslen
String ID: CreateProcess$D
API String ID: 1666308248-1329926510
Opcode ID: 20ab9308e1e1c26868c00edbb6ea90f406d726e51395cc1f3feb6fb268d50c95
Instruction ID: 3acb6ec7c73ae5423c3dcef7ba7d9905e27e3eac382146a571e97e23c8031e46
Opcode Fuzzy Hash: 20ab9308e1e1c26868c00edbb6ea90f406d726e51395cc1f3feb6fb268d50c95
Instruction Fuzzy Hash: F1416EB1D00208EBDB10DBE5CD49BDEBB79AB48704F108229F605BB2D0D7B99A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401490 Relevance: 37.0, APIs: 9, Strings: 12, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401960: _wcslen.LIBCMT ref: 00401995
Part of subcall function 00401960: __wassert.LIBCMT ref: 004019B5

__wassert.LIBCMT ref: 0040156D
swprintf.LIBCMT ref: 0040178F
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004017B9
swprintf.LIBCMT ref: 004017DB

Part of subcall function 00401190: __wassert.LIBCMT ref: 004011CD
Part of subcall function 00401190: __wfopen_s.LIBCMT ref: 004011E2

Strings

logFile != NULL, xrefs: 00401568
Further information might be found in %s\DPINST.LOG, xrefs: 004017CA
Not enough (or too many) driver package(s) installed., xrefs: 0040172F
ResultCode = %d, xrefs: 0040177E
FTDI installer ended., xrefs: 004017F9
main.c, xrefs: 00401563
DPInst returned 0x%08X, xrefs: 00401605
FTDI installer started., xrefs: 00401575
%d driver package(s) could not be installed., xrefs: 00401657
$Rev: 1031 $, xrefs: 00401589
Copied %d driver package(s)., xrefs: 004016A7
Installed %d driver package(s)., xrefs: 004016EF

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __wassert$swprintf$DirectoryWindows__wfopen_s_wcslen
String ID: $Rev: 1031 $$%d driver package(s) could not be installed.$Copied %d driver package(s).$DPInst returned 0x%08X$FTDI installer ended.$FTDI installer started.$Further information might be found in %s\DPINST.LOG$Installed %d driver package(s).$Not enough (or too many) driver package(s) installed.$ResultCode = %d$logFile != NULL$main.c
API String ID: 2947281746-2661179990
Opcode ID: d6eaacdd840932ac38cec4fe94fdc6c2bfac7612f9a6c7f02e7a5f3e0bea199b
Instruction ID: 484ba96ead3dfa6146db54edbd7b7b9dea31c8accaf61f7106540faa07a17432
Opcode Fuzzy Hash: d6eaacdd840932ac38cec4fe94fdc6c2bfac7612f9a6c7f02e7a5f3e0bea199b
Instruction Fuzzy Hash: 569181B2D41218ABEB24EB60DC4AFDD7374AB58308F1441EDE60D77291E7789B848F58

Uniqueness

Uniqueness Score: -1.00%

Function 004030F6 Relevance: 21.1, APIs: 14, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 00403141
__mtinit.LIBCMT ref: 00403147
_fast_error_exit.LIBCMT ref: 00403152
__RTC_Initialize.LIBCMT ref: 00403158
__ioinit.LIBCMT ref: 00403160
__amsg_exit.LIBCMT ref: 0040316B
GetCommandLineW.KERNEL32 ref: 00403171
__wsetargv.LIBCMT ref: 00403185
__amsg_exit.LIBCMT ref: 00403190
__wsetenvp.LIBCMT ref: 00403196
__amsg_exit.LIBCMT ref: 004031A1
__cinit.LIBCMT ref: 004031A8
__amsg_exit.LIBCMT ref: 004031B3
__wwincmdln.LIBCMT ref: 004031B9

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
String ID:
API String ID: 2477803136-0
Opcode ID: 861832da3e6310289cc748a1fa56adcf2919517b035b23b7a9df681ffc10cd83
Instruction ID: 4a1827040d1f0703309e421be1b468782f8e80d36599849b8495b8abb8375983
Opcode Fuzzy Hash: 861832da3e6310289cc748a1fa56adcf2919517b035b23b7a9df681ffc10cd83
Instruction Fuzzy Hash: 512191B0A503049ADB147FB3A94677E2A689F4070EF10483FF540BE1C2EE7C8A409B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401430 Relevance: 4.5, APIs: 3, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(?), ref: 00401441
CommandLineToArgvW.SHELL32(00000000), ref: 00401448
LocalFree.KERNEL32(00000000), ref: 00401475

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: CommandLine$ArgvFreeLocal
String ID:
API String ID: 1415666456-0
Opcode ID: c6ac9a1cbfff1988d8d1e004cf089e05d44469c8248fcd75bbd96b16ed7fe844
Instruction ID: a342b854f37cd1745f27ca3db59662c3e5596d5c18dcc2d6371728c26bf67b1b
Opcode Fuzzy Hash: c6ac9a1cbfff1988d8d1e004cf089e05d44469c8248fcd75bbd96b16ed7fe844
Instruction Fuzzy Hash: 3BF0FE79D0020CABCB00DBE4D948ADDBBB8EB08301F1085A6E505E3250D6789A54DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040444D Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00404455

Part of subcall function 00404422: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040445A,004010FC,?,004034FA,000000FF,0000001E,00413808,0000000C,004035A6,004010FC,?,?,0040E293,00000004), ref: 0040442C
Part of subcall function 00404422: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040443C

ExitProcess.KERNEL32 ref: 0040445E

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 8a532a709fe30bb54004cd88c3994b86d3ff600b16a55a1d25812f80729a834c
Instruction ID: 7c793f781e6bfddcb2b4c9c8bcaa5f7cd33cff614bd7cc2c817c46c4df4c916d
Opcode Fuzzy Hash: 8a532a709fe30bb54004cd88c3994b86d3ff600b16a55a1d25812f80729a834c
Instruction Fuzzy Hash: 1EB0923100010CBFCB012F16DD0AA893F6AFB803A1B90C035FA0849071DFB2ADA2DA88

Uniqueness

Uniqueness Score: -1.00%

Function 004033DF Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004033F4

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: c524bde13de9b478851c672f967ddda832626126e13c55cb73d43075e7313a50
Instruction ID: e8f06c329b9a9b72761e70bfc2cef84193c9b19d8f0e1315e6d5e66aa704ee6f
Opcode Fuzzy Hash: c524bde13de9b478851c672f967ddda832626126e13c55cb73d43075e7313a50
Instruction Fuzzy Hash: 3CD05E36A94305AEDB009F706C097A33FDCD784395F148436FA0CCA190F674C551C508

Uniqueness

Uniqueness Score: -1.00%

Function 00404669 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00404675

Part of subcall function 0040453D: __lock.LIBCMT ref: 0040454B
Part of subcall function 0040453D: __decode_pointer.LIBCMT ref: 00404582
Part of subcall function 0040453D: __decode_pointer.LIBCMT ref: 00404597
Part of subcall function 0040453D: __decode_pointer.LIBCMT ref: 004045C1
Part of subcall function 0040453D: __decode_pointer.LIBCMT ref: 004045D7
Part of subcall function 0040453D: __decode_pointer.LIBCMT ref: 004045E4
Part of subcall function 0040453D: __initterm.LIBCMT ref: 00404613
Part of subcall function 0040453D: __initterm.LIBCMT ref: 00404623

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 7df0be61210875fca1dcea23ccfd344dfdd9d9465ce4bf9c7cd061f9649e3be0
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 9DB0927258020833DA202542AC03F063A6987C0B68EA40061BB0C291E1A9A2A9658489

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401E95 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00403309
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040331E
UnhandledExceptionFilter.KERNEL32(0041243C), ref: 00403329
GetCurrentProcess.KERNEL32(C0000409), ref: 00403345
TerminateProcess.KERNEL32(00000000), ref: 0040334C

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0fcaa61a01a5a65c5835962a5d6060e3b9b403c52bba525712831fdf1eddb371
Instruction ID: 3377c8c6cb80db1faa1612c9126c8ba6d9e122c869a1c658892009bbfd72c89e
Opcode Fuzzy Hash: 0fcaa61a01a5a65c5835962a5d6060e3b9b403c52bba525712831fdf1eddb371
Instruction Fuzzy Hash: 5A21DDB4901200EFD700DF65F9456C43BBABB08345F52863AE908D72AAE7B5A981CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040851F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000084DD), ref: 00408524

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8d1cde61a576b0c2af8279566cb17cacc78ccda57faa5f831edfb31dc79dc9ed
Instruction ID: 52a412ea41b4537fabbf33173f763ca88ad0c26342de1cb336fe76b27e07c7fa
Opcode Fuzzy Hash: 8d1cde61a576b0c2af8279566cb17cacc78ccda57faa5f831edfb31dc79dc9ed
Instruction Fuzzy Hash: 659002A06512015796001B707E0964639905A4C71275145756185E4094EEA44154A529

Uniqueness

Uniqueness Score: -1.00%

Function 00401190 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wassert.LIBCMT ref: 004011CD

Part of subcall function 00402439: __set_error_mode.LIBCMT ref: 00402465
Part of subcall function 00402439: __set_error_mode.LIBCMT ref: 00402476
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 004024B2
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 004024D9
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 004024FF
Part of subcall function 00402439: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040251D
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 00402549

__wfopen_s.LIBCMT ref: 004011E2
__wsplitpath_s.LIBCMT ref: 00401214

Strings

main.c, xrefs: 004011C3
logName != NULL, xrefs: 004011C8

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __invoke_watson$__set_error_mode$FileModuleName__wassert__wfopen_s__wsplitpath_s
String ID: logName != NULL$main.c
API String ID: 805232850-4035294649
Opcode ID: d06006a28612ebbaa38e800c9836e341549ca1e7c9252f700fca6468652c183f
Instruction ID: 66167dbc3f1944252a9ed3b2d4c4b85a33f5340e4c886932b932fdbe62b15ed1
Opcode Fuzzy Hash: d06006a28612ebbaa38e800c9836e341549ca1e7c9252f700fca6468652c183f
Instruction Fuzzy Hash: F02141B1D40208FBDB10DBA0DC86BEE77749B54704F60416AFA057A2C1E6B86B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401310 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040133B
__wsplitpath_s.LIBCMT ref: 00401370

Strings

hdA, xrefs: 00401394
ldA, xrefs: 004013BC
8QA, xrefs: 004013DB
dpinst, xrefs: 004013FC

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: FileModuleName__wsplitpath_s
String ID: 8QA$dpinst$hdA$ldA
API String ID: 1484437298-957887093
Opcode ID: 8c8b16ad581bf5b7d60825decf6549e9e687a637472e1f702b90c00870508684
Instruction ID: 7b619116ead3ceb45440403cc3a701ae282bacb6441f781067402afd167572f9
Opcode Fuzzy Hash: 8c8b16ad581bf5b7d60825decf6549e9e687a637472e1f702b90c00870508684
Instruction Fuzzy Hash: BC2149B1E40218AAEB20CF51CC85BED73B4AB58704F5081EEF609661D1D7B45AC4CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 004049F5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 00404A17
__calloc_crt.LIBCMT ref: 00404A30

Strings

`qA, xrefs: 00404A47
@XA, xrefs: 00404A99
PZA, xrefs: 00404A5C
WA, xrefs: 00404A69

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __calloc_crt
String ID: @XA$PZA$`qA$WA
API String ID: 3494438863-2457306366
Opcode ID: 69431cfb514836f49a17becffea1442253718ff18f1140519ad8e4bee2f650c8
Instruction ID: 0b9293aa400fd5d4561111f83208c45616b306ae5218db8544ff208d5f7a754f
Opcode Fuzzy Hash: 69431cfb514836f49a17becffea1442253718ff18f1140519ad8e4bee2f650c8
Instruction Fuzzy Hash: 2A11ABB27846119BE7148E5EBC516D72695A7C4724B24413BE711EB3D0E778CC414A4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401960 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00401995
__wassert.LIBCMT ref: 004019B5

Strings

main.c, xrefs: 004019AB
argLen > 0, xrefs: 004019B0
s, xrefs: 004019FD

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __wassert_wcslen
String ID: argLen > 0$main.c$s
API String ID: 1319387696-1683257864
Opcode ID: d0dada5579b9b6d9739650150b4592d0d078d0c3a01b67bf551b65ab7316492a
Instruction ID: a46aed434699db92c8989c26b899086ba9f161fe337e7a5c5d7438da38d65dd2
Opcode Fuzzy Hash: d0dada5579b9b6d9739650150b4592d0d078d0c3a01b67bf551b65ab7316492a
Instruction Fuzzy Hash: C54132B4A04108DBCB14CF84C591AAEB7B1FF45305F1481ABE8466B3A4D778AE91DF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00401A80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wassert.LIBCMT ref: 00401AAF

Part of subcall function 00402439: __set_error_mode.LIBCMT ref: 00402465
Part of subcall function 00402439: __set_error_mode.LIBCMT ref: 00402476
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 004024B2
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 004024D9
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 004024FF
Part of subcall function 00402439: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040251D
Part of subcall function 00402439: __invoke_watson.LIBCMT ref: 00402549

__wfullpath.LIBCMT ref: 00401AC7
__wcsdup.LIBCMT ref: 00401ADE

Strings

main.c, xrefs: 00401AA5
inputPath != NULL, xrefs: 00401AAA

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __invoke_watson$__set_error_mode$FileModuleName__wassert__wcsdup__wfullpath
String ID: inputPath != NULL$main.c
API String ID: 3732416915-3945383671
Opcode ID: 6419b95fe5d0e8b75fabdc104451437e162cc7f9823befeffa96ecbac4201fca
Instruction ID: 914e62909fb7dc97830072c4585825e423a64a22a180969a02ffc6e128853863
Opcode Fuzzy Hash: 6419b95fe5d0e8b75fabdc104451437e162cc7f9823befeffa96ecbac4201fca
Instruction Fuzzy Hash: 390167B0E4120CEBDB10DBE0C945BEE77B4AB54344F50447EE909B62C1E6F85A849A95

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00401018
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00401034

Strings

kernel32.dll, xrefs: 00401013
GetSystemWow64DirectoryW, xrefs: 0040102B

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 1646373207-1816364905
Opcode ID: ea6039910fb004354b57d25e5b93fcb5a2d6650296fb91b71c0a30b516fc4e3d
Instruction ID: d3ead10bd348eb2871986d51bf03d60be2c0891af79030d98874855ff79828fd
Opcode Fuzzy Hash: ea6039910fb004354b57d25e5b93fcb5a2d6650296fb91b71c0a30b516fc4e3d
Instruction Fuzzy Hash: BE016770E00248EFCB10DFB0C9487ED7BB4AB08305F504576D542F65D0DB788AC49B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0B1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 0040D0BD

Part of subcall function 00408D21: __getptd_noexit.LIBCMT ref: 00408D24
Part of subcall function 00408D21: __amsg_exit.LIBCMT ref: 00408D31

__getptd.LIBCMT ref: 0040D0D4
__amsg_exit.LIBCMT ref: 0040D0E2
__lock.LIBCMT ref: 0040D0F2

Strings

0`A, xrefs: 0040D0FF

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: 0`A
API String ID: 3521780317-3205244451
Opcode ID: f4938d2bd1b828bacbd7ad545ef203ae448925ff2766fe8f4e43841991c42f38
Instruction ID: 8a50fc5c6cf24bc3e1f4629c987d5ceb0c5a446d7643dca26329b77e4d7aca42
Opcode Fuzzy Hash: f4938d2bd1b828bacbd7ad545ef203ae448925ff2766fe8f4e43841991c42f38
Instruction Fuzzy Hash: FAF09071D407049BEB20BFE5940274937A06F44729F11823FE944BB2D2CB3CA946DA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401DF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00401BDF,CreateProcess), ref: 00401DF6
FormatMessageW.KERNEL32(00001100,00000000,00000000,00000400,00000000,00000000,00000000), ref: 00401E17
MessageBoxW.USER32(00000000,00000000,GetLastError,00000000), ref: 00401E2E
LocalFree.KERNEL32(?), ref: 00401E38

Strings

GetLastError, xrefs: 00401E23

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: Message$ErrorFormatFreeLastLocal
String ID: GetLastError
API String ID: 2195691534-3538237111
Opcode ID: 9c05d61351b602662142ab80d13ac2b806e296be404d18cbf378bcb513e131dc
Instruction ID: e3ed02225cc40f927312e780d87c6f66bc5b2afc75476b16e5e441ce6aeda54b
Opcode Fuzzy Hash: 9c05d61351b602662142ab80d13ac2b806e296be404d18cbf378bcb513e131dc
Instruction Fuzzy Hash: 43F01C74B40308BBE710DBD09E0AFEE7B78EB48B01F104165BB00E62C0D6F06A10CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C945 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040C951

Part of subcall function 00408D21: __getptd_noexit.LIBCMT ref: 00408D24
Part of subcall function 00408D21: __amsg_exit.LIBCMT ref: 00408D31

__amsg_exit.LIBCMT ref: 0040C971
__lock.LIBCMT ref: 0040C981
InterlockedDecrement.KERNEL32(?), ref: 0040C99E
InterlockedIncrement.KERNEL32(02082D08), ref: 0040C9C9

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 00655ec1678064faaedfc10e6b097968f079007e94bcf95313a5ebe14d9b038e
Instruction ID: 11204d5c9a5a25d21db1a7cfa5822357e150be6cf17aa59c9f24a34599d32d9b
Opcode Fuzzy Hash: 00655ec1678064faaedfc10e6b097968f079007e94bcf95313a5ebe14d9b038e
Instruction Fuzzy Hash: 0A01A1B1901A11EBCB11ABA5994679A7760AF54720F04433BE900B32D0CB3CA981CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00401EA4 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00401EC2

Part of subcall function 0040358B: __mtinitlocknum.LIBCMT ref: 004035A1
Part of subcall function 0040358B: __amsg_exit.LIBCMT ref: 004035AD
Part of subcall function 0040358B: EnterCriticalSection.KERNEL32(?,?,?,0040E293,00000004,00413C08,0000000C,0040915F,004010FC,?,00000000,00000000,00000000,?,00408CD3,00000001), ref: 004035B5

___sbh_find_block.LIBCMT ref: 00401ECD
___sbh_free_block.LIBCMT ref: 00401EDC
HeapFree.KERNEL32(00000000,004010FC,00413740,0000000C,0040356C,00000000,00413808,0000000C,004035A6,004010FC,?,?,0040E293,00000004,00413C08,0000000C), ref: 00401F0C
GetLastError.KERNEL32(?,0040E293,00000004,00413C08,0000000C,0040915F,004010FC,?,00000000,00000000,00000000,?,00408CD3,00000001,00000214), ref: 00401F1D

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 29d72d71572c3c26d61ddddef0081ff42c0127134f7c485e224ce45e977da913
Instruction ID: ef7d3cb33ffc2cc5027f2f15be3cc7e00135dab692b9e3e761cd16df0c660e95
Opcode Fuzzy Hash: 29d72d71572c3c26d61ddddef0081ff42c0127134f7c485e224ce45e977da913
Instruction Fuzzy Hash: A6016271905202EBDF21AF729D0679E7EA8AF0076AF14413FFA14B71E1DB7C86408A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D073 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0040D085

Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(004010FC), ref: 0040CF5D
Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(000000F8), ref: 0040CF6A
Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(00000000), ref: 0040CF77
Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(E845C700), ref: 0040CF84
Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(62681775), ref: 0040CF91
Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(62681775), ref: 0040CFAD
Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(DBE852F4), ref: 0040CFBD
Part of subcall function 0040CF4B: InterlockedIncrement.KERNEL32(C482FF4C), ref: 0040CFD3

___removelocaleref.LIBCMT ref: 0040D090

Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(0040D408), ref: 0040CFF4
Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(76C13B66), ref: 0040D001
Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(76FB3B0F), ref: 0040D00E
Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(74F33B36), ref: 0040D01B
Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(FF5913E8), ref: 0040D028
Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(FF5913E8), ref: 0040D044
Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(C33B0845), ref: 0040D054
Part of subcall function 0040CFDA: InterlockedDecrement.KERNEL32(FFFF5E02), ref: 0040D06A

___freetlocinfo.LIBCMT ref: 0040D0A4

Part of subcall function 0040CE02: ___free_lconv_mon.LIBCMT ref: 0040CE48
Part of subcall function 0040CE02: ___free_lconv_num.LIBCMT ref: 0040CE69
Part of subcall function 0040CE02: ___free_lc_time.LIBCMT ref: 0040CEEE

Strings

0`A, xrefs: 0040D09B

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: 0`A
API String ID: 467427115-3205244451
Opcode ID: 81e306bc9b5dc51fb59e922de5f1cdf4dab2cf5a8d9cd7fe421858cac6b5b766
Instruction ID: 06b2654e136eaaf5f79b2036e2af7c109ff259228391912bd834fad636ddfff3
Opcode Fuzzy Hash: 81e306bc9b5dc51fb59e922de5f1cdf4dab2cf5a8d9cd7fe421858cac6b5b766
Instruction Fuzzy Hash: 30E04832F0582289C635365DD44065B52D51F91719F16017BF419B72CCDB7C8C87C1DD

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2C4 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040D2F8
__isleadbyte_l.LIBCMT ref: 0040D32C
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,75FF5003,00BFBBEF,00000000,?,?,?,0040A2FA,00000109,00BFBBEF,00000003), ref: 0040D35D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,0040A2FA,00000109,00BFBBEF,00000003), ref: 0040D3CB

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 303501950a8e62d9866493ac393c92a1afa166bd2f80d6f956b2138c125a569c
Instruction ID: 2c0db2c687950d5bd7c3cfb4ad51ed7b489591e3544c8b7699c32fb2097b5c30
Opcode Fuzzy Hash: 303501950a8e62d9866493ac393c92a1afa166bd2f80d6f956b2138c125a569c
Instruction Fuzzy Hash: F5319D31E00246EFDB21DFE4C8809AE7BA5BF01310B1585BEF861AB2D1D734D944DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040187A
_fprintf.LIBCMT ref: 004018FC

Strings

%S: %S, xrefs: 004018F3

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: _fprintf_memset
String ID: %S: %S
API String ID: 3021507156-2392186759
Opcode ID: cd24ebeb26f2e573dc3b130efb563529e20cb6b483258561b9948dad08a503e1
Instruction ID: 9ee0eab4f8e4c53a91baa93b3fd0f0a323340b18a8a5e3189bf63d28241d28d1
Opcode Fuzzy Hash: cd24ebeb26f2e573dc3b130efb563529e20cb6b483258561b9948dad08a503e1
Instruction Fuzzy Hash: 6E213D71D0020CEADB10EFD1D985BEE77B4AB44304F20846AE506AB291D7789B45DB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3F9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?,?,0040836F,00000000,?,?,00000000,?,00401ACC,?,00000000), ref: 0040E41F

Strings

\, xrefs: 0040E417
:, xrefs: 0040E413

Memory Dump Source

Source File: 00000001.00000002.1869672502.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1869640615.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869710759.0000000000412000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1869744562.0000000000415000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_dp-chooser.jbxd

Similarity

API ID: DriveType
String ID: :$\
API String ID: 338552980-1166558509
Opcode ID: 85c62079cab3b0618b3e987199a2b29ebd2f3d2a7b590a72069c6b932e1edd3d
Instruction ID: 8c0b51ff719e0afaf133a46607e8d7b38eee9f72d9495b930bef74de6b125482
Opcode Fuzzy Hash: 85c62079cab3b0618b3e987199a2b29ebd2f3d2a7b590a72069c6b932e1edd3d
Instruction Fuzzy Hash: 78E048312082886EEF21CEB6944879B3FCC9B51698F04C476F94CDE242D275D6568756

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dpinst-amd64.exePID: 7372, Parent PID: 7360COMMON

Non-executed Functions

Function 00007FF6D891D440 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6D891D477
GetCurrentProcessId.KERNEL32 ref: 00007FF6D891D482
GetCurrentThreadId.KERNEL32 ref: 00007FF6D891D48E
GetTickCount.KERNEL32 ref: 00007FF6D891D49A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6D891D4AB

Memory Dump Source

Source File: 00000002.00000002.1869175378.00007FF6D88C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6D88C0000, based on PE: true

Associated: 00000002.00000002.1869138157.00007FF6D88C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1869263285.00007FF6D8941000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1869298216.00007FF6D8943000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1869298216.00007FF6D8958000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff6d88c0000_dpinst-amd64.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 404986f5cc30a85b1b110af08f269cf27d5de7fe2ab396615c35e90afeb4e3b4
Instruction ID: 3d1df895e8d2cd6c72bb33c7c87ae31485570d61fb4e0d9d2b473b4de9fb4f8c
Opcode Fuzzy Hash: 404986f5cc30a85b1b110af08f269cf27d5de7fe2ab396615c35e90afeb4e3b4
Instruction Fuzzy Hash: 3901A525B18B0682E7508F35E4981692360FB49FD6F042632EE9E87795CF3CD8A48308

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CDM212364_Setup.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\FE5EB6.tmp

C:\Users\user\AppData\Local\Temp\FTDI-Driver\Static\amd64\ftd2xx.lib

C:\Users\user\AppData\Local\Temp\FTDI-Driver\Static\i386\ftd2xx.lib

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftbusui.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftcserco.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx.lib

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftd2xx64.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftdibus.sys

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftlang.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftser2k.sys

C:\Users\user\AppData\Local\Temp\FTDI-Driver\amd64\ftserui2.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dp-chooser.exe

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-amd64.exe

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst-x86.exe

C:\Users\user\AppData\Local\Temp\FTDI-Driver\dpinst.xml

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftd2xx.h

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdibus.cat

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdibus.inf

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdiport.cat

C:\Users\user\AppData\Local\Temp\FTDI-Driver\ftdiport.inf

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftbusui.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftcserco.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.dll

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftd2xx.lib

C:\Users\user\AppData\Local\Temp\FTDI-Driver\i386\ftdibus.sys

Windows Analysis Report
CDM212364_Setup.exe