Windows Analysis Report
2N Driver for External USB Readers.exe

Overview

General Information

Sample name: 2N Driver for External USB Readers.exe
Analysis ID: 1432058
MD5: e3dd4a7013de228f707e6acacd69acce
SHA1: 3bfc3ebc9be3747e4dc88cb822c26e20715e1110
SHA256: aa4d8231efa01b1e141dbd392c8bff871c7692b04e0de8e14bcca2c71ee5d146

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 49
Range: 0 - 100

Signatures

Submitted sample is a known malware sample
Drops executables to the windows directory (C:\Windows) and starts them
Installs new ROOT certificates
Modifies the hosts file
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the driver directory
Creates files inside the system directory
Creates processes with suspicious names
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DCA096 DecryptFileW, 8_2_00DCA096
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DEFE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 8_2_00DEFE7F
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DC9E7B DecryptFileW,DecryptFileW, 8_2_00DC9E7B
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B3A096 DecryptFileW, 9_2_00B3A096
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B39E7B DecryptFileW,DecryptFileW, 9_2_00B39E7B
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B5FE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 9_2_00B5FE7F
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E9FE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 10_2_00E9FE7F
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E79E7B DecryptFileW,DecryptFileW, 10_2_00E79E7B
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E7A096 DecryptFileW, 10_2_00E7A096
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CEA096 DecryptFileW, 15_2_00CEA096
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D0FE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 15_2_00D0FE7F
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CE9E7B DecryptFileW,DecryptFileW, 15_2_00CE9E7B
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A7E7F HeapSetInformation,LoadStringW,LoadStringW,LoadStringW,LoadStringA,LoadStringW,LoadStringW,LoadStringW,CryptUIDlgCertMgr,CryptMsgClose,CertCloseStore, 29_2_004A7E7F
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A644E CryptMsgGetParam,printf,printf,printf,CryptMsgGetAndVerifySigner,CertFreeCertificateContext, 29_2_004A644E
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A1A5B strtok,strtok,strtok,SetLastError,CryptEncodeObject,CryptEncodeObject,CryptEncodeObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertSetCertificateContextProperty,CertSetCertificateContextProperty,CertSetCertificateContextProperty,CertEnumCertificatesInStore,CertFreeCertificateContext, 29_2_004A1A5B
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A8163 CryptFindOIDInfo, 29_2_004A8163
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A2B61 CryptDecodeObject,printf, 29_2_004A2B61
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A3C7E CryptSIPRetrieveSubjectGuid,CryptSIPLoad,memset,CertOpenStore,CryptMsgOpenToDecode,CertCloseStore,CryptMsgUpdate,CertCloseStore,CryptMsgClose, 29_2_004A3C7E
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A3272 CryptFindOIDInfo, 29_2_004A3272
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A82C8 CryptDecodeObject,CryptDecodeObject,CryptDecodeObject, 29_2_004A82C8
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A22DB CryptStringToBinaryA,CryptStringToBinaryA,GetLastError,CryptStringToBinaryA,GetLastError, 29_2_004A22DB
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A81D0 printf,CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam, 29_2_004A81D0
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A5CD6 printf,CertGetCertificateContextProperty,CertGetCertificateContextProperty,CertGetCertificateContextProperty,CryptAcquireContextA,CryptHashPublicKeyInfo,CryptReleaseContext,CertGetCertificateContextProperty,CertGetCertificateContextProperty,printf,printf,printf,CertGetPublicKeyLength,printf,printf,printf, 29_2_004A5CD6
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A2BFA CryptDecodeObject,printf, 29_2_004A2BFA
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A17F3 GetModuleHandleA,CryptInitOIDFunctionSet,CryptInstallOIDFunctionAddress, 29_2_004A17F3
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A2FF4 CryptDecodeObject,printf,printf,printf, 29_2_004A2FF4
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A2390 CryptStringToBinaryW,CryptStringToBinaryW,GetLastError,CryptStringToBinaryW,GetLastError, 29_2_004A2390
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A81A9 CryptFindOIDInfo, 29_2_004A81A9
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A32A1 CryptGetOIDFunctionAddress,wprintf,CryptFreeOIDFunctionAddress, 29_2_004A32A1

Compliance

Source: 2N Driver for External USB Readers.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Windows\DPDrv\DPInst64.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\E8FD6EF8CC869DE121501FB543A7C0674D30756F
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe File created: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.ba\eula.rtf
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\LICENSE.txt
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe File created: C:\Users\user\AppData\Local\Temp\{A287890D-DBAC-4823-84AD-E84F6FE6DAFE}\.ba\eula.rtf
Source: 2N Driver for External USB Readers.exe Static PE information: certificate valid
Source: 2N Driver for External USB Readers.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\Workspaces\zkteco svn\libfpsensor\trunk\libfpsensor\x64\Release\ZKFPSensors\libzklibcap.pdb source: setup.tmp, 00000025.00000003.3058605092.00000000056E0000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000002.3061790570.000000000018E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpDevDat.pdb source: DPInst64.exe, 00000028.00000003.2964085180.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006547610.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2998219929.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpd00701.pdb source: drvinst.exe, 00000029.00000003.2999026102.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdbH source: drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\GitLab-Runner\builds\WzT4ZGRf\1\ac\secured-card-tool\src\Shared\Rfid.Encryption\obj\x86\Release\net6.0\Nn.Rfid.Encryption.pdbSHA256 source: is-77UBH.tmp.2.dr
Source: Binary string: CertMgr.pdb source: CertMgr.Exe, CertMgr.Exe, 0000001D.00000000.2767345124.00000000004A1000.00000020.00000001.01000000.00000016.sdmp, CertMgr.Exe, 0000001D.00000002.2768431869.00000000004A1000.00000020.00000001.01000000.00000016.sdmp, CertMgr.Exe, 0000001F.00000002.2769914048.00000000004A1000.00000020.00000001.01000000.00000016.sdmp, CertMgr.Exe, 0000001F.00000000.2769071550.00000000004A1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.11.dr
Source: Binary string: e:\TeamBuilds\Core\DP_ENT_WS_MAIN\Binaries\Win32\Release\DPDevTS.pdbD source: is-I03EA.tmp.37.dr
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpDevDatx64.pdb source: DPInst64.exe, 00000028.00000003.2965141208.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006784725.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2999546158.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: g:\fingerpr\mars\src\usbscan\objfre_wlh_amd64\amd64\usbdpfp.pdb source: DPInst64.exe, 00000028.00000003.2963361782.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3005824851.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2997532265.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdb source: drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpi00701x64.pdb source: DPInst64.exe, 00000028.00000003.2963704354.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2997861422.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006443858.0000026965321000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Thomas\source\repos\winusbnet\WinUSBNet\obj\Release\netcoreapp3.1\WinUSBNet.pdbSHA256 source: is-HP6R9.tmp.2.dr
Source: Binary string: e:\TeamBuilds\SDKUI\DP_ENT_WS\Binaries\Win32\Release\DPPTUtils.pdb source: regsvr32.exe, 0000002C.00000002.3042172324.000000006FB88000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpi00701.pdb source: DPInst64.exe, 00000028.00000003.2965474924.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3000014532.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006880739.0000026965321000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpd00701x64.pdb source: drvinst.exe, 00000029.00000003.2996375367.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3005824851.0000026965321000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdb source: drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\NightBuild\Installer\obj\checkout\IDKit\bin\x64\IDKit (Release)\IDKit64.pdb source: setup.tmp, 00000025.00000003.3058605092.0000000005C0C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Work\usb-driver\utils\HostsHelper\obj\Release\HostsHelper.pdb source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, HostsHelper.exe, 0000001B.00000000.2761274455.000001827EE32000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: DpInst.pdb source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, dpinst.exe, dpinst.exe, 00000021.00000002.2794901615.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, dpinst.exe, 00000021.00000000.2770689280.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, DPInst64.exe, 00000028.00000000.2933095406.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, DPInst64.exe, 00000028.00000002.3038803899.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, is-AL0OI.tmp.2.dr
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: dotnet60desktop.exe, 00000008.00000000.2400540946.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000008.00000002.2711992523.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000009.00000000.2402564744.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, dotnet60desktop.exe, 00000009.00000002.2709096535.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000000.2408799844.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000003.2428045478.000000000070B000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000002.2706196116.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000000.2555007939.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000002.2562073815.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000000.2556098265.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000002.2763904316.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000000.2560776999.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759042141.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000000.2659402740.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000002.2753814866.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: g:\fingerpr\mars\src\mp\sputniki\kdevice\dp4000x\objfre_wlh_amd64\amd64\dpK00701.pdb source: DPInst64.exe, 00000028.00000003.2966647351.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006988043.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3001362963.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\native\net6.0-windows-Release-x86\System.IO.Compression.Native\System.IO.Compression.Native.pdbXXXGCTL source: System.IO.Compression.Native.dll.11.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: api-ms-win-core-handle-l1-1-0.dll.11.dr
Source: Binary string: E:\Repos\deployment-tools\fork\deployment-tools\artifacts\obj\win-x86.Release\native\projects\NetCoreCheck\Release\NetCoreCheck.pdb source: netcorecheck.exe, 00000003.00000000.2134110976.0000000001010000.00000002.00000001.01000000.00000008.sdmp, netcorecheck.exe, 00000003.00000002.2135710507.0000000001010000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.11.dr
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpDevCtl.pdb source: DPInst64.exe, 00000028.00000003.2964431689.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006655772.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2998634796.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Thomas\source\repos\winusbnet\WinUSBNet\obj\Release\netcoreapp3.1\WinUSBNet.pdb source: is-HP6R9.tmp.2.dr
Source: Binary string: C:\GitLab-Runner\builds\WzT4ZGRf\1\ac\secured-card-tool\src\Shared\Rfid.Encryption\obj\x86\Release\net6.0\Nn.Rfid.Encryption.pdb source: is-77UBH.tmp.2.dr
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpDevCtlx64.pdb source: DPInst64.exe, 00000028.00000003.2965863378.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006988043.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3000450737.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\native\net6.0-windows-Release-x86\System.IO.Compression.Native\System.IO.Compression.Native.pdb source: System.IO.Compression.Native.dll.11.dr
Source: Binary string: e:\TeamBuilds\Core\DP_ENT_WS_MAIN\Binaries\Win32\Release\DPDevTS.pdb source: is-I03EA.tmp.37.dr
Source: Binary string: DpInst.pdbH source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794901615.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, dpinst.exe, 00000021.00000000.2770689280.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, DPInst64.exe, 00000028.00000000.2933095406.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, DPInst64.exe, 00000028.00000002.3038803899.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, is-AL0OI.tmp.2.dr
Source: Binary string: E:\Workspaces\C++\zkidentify_openssl\x64\Release\fpslib.pdb source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdbP source: drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\net6.0-windows-Release\System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.11.dr
Source: Binary string: E:\Repos\deployment-tools\fork\deployment-tools\artifacts\obj\win-x86.Release\native\projects\NetCoreCheck\Release\NetCoreCheck.pdbiiiGCTL source: netcorecheck.exe, 00000003.00000000.2134110976.0000000001010000.00000002.00000001.01000000.00000008.sdmp, netcorecheck.exe, 00000003.00000002.2135710507.0000000001010000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: dotnet60desktop.exe, 00000008.00000000.2400540946.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000008.00000002.2711992523.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000009.00000000.2402564744.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, dotnet60desktop.exe, 00000009.00000002.2709096535.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000000.2408799844.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000003.2428045478.000000000070B000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000002.2706196116.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000000.2555007939.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000002.2562073815.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000000.2556098265.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000002.2763904316.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000000.2560776999.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759042141.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000000.2659402740.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000002.2753814866.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\NightBuild\Installer\obj\checkout\IDKit\bin\x64\IDKit (Release)\IDKit64.pdb \( source: setup.tmp, 00000025.00000003.3058605092.0000000005C0C000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\netsh.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100698F __EH_prolog3_GS,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,__EH_prolog3_GS,_invalid_parameter_noinfo_noreturn, 3_2_0100698F
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DB3D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 8_2_00DB3D89
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF488B FindFirstFileW,FindClose, 8_2_00DF488B
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DE7857 FindFirstFileExW, 8_2_00DE7857
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DC9B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 8_2_00DC9B24
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B6488B FindFirstFileW,FindClose, 9_2_00B6488B
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B39B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 9_2_00B39B24
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B23D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 9_2_00B23D89
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B57857 FindFirstFileExW, 9_2_00B57857
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00EA488B FindFirstFileW,FindClose, 10_2_00EA488B
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E79B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 10_2_00E79B24
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E63D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 10_2_00E63D89
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E97857 FindFirstFileExW, 10_2_00E97857
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D1488B FindFirstFileW,FindClose, 15_2_00D1488B
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D07857 FindFirstFileExW, 15_2_00D07857
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CE9B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 15_2_00CE9B24
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CD3D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 15_2_00CD3D89
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00452AD4 FindFirstFileA,GetLastError, 37_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00475798 FindFirstFileA,FindNextFileA,FindClose, 37_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 37_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 37_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose, 37_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 37_2_00498FDC
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Networking

Source: Yara match File source: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\netstandard.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.dll, type: DROPPED
Source: System.IO.Compression.Native.dll.11.dr String found in binary or memory: http://.css
Source: System.IO.Compression.Native.dll.11.dr String found in binary or memory: http://.jpg
Source: windowsdesktop-runtime-6.0.4-win-x86.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: dotnet60desktop.exe, 00000008.00000000.2400540946.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000008.00000002.2711992523.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000009.00000000.2402564744.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, dotnet60desktop.exe, 00000009.00000002.2709096535.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000000.2408799844.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000003.2428045478.000000000070B000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000002.2706196116.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000000.2555007939.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000002.2562073815.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000000.2556098265.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000002.2763904316.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000000.2560776999.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759042141.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000000.2659402740.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000002.2753814866.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.2712304320.0000000000871000.00000004.00000020.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3191090059.0000000000892000.00000004.00000020.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3175444140.0000000000892000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3036874849.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3035189642.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000002.3037536715.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 2N Driver for External USB Readers.tmp, 00000002.00000002.3192968875.0000000004870000.00000004.00000020.00020000.00000000.sdmp, CertMgr.Exe, 0000001D.00000002.2768834531.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000002.2789179117.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000003.2788067294.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886224881.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000002.2892572494.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2890795608.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3036874849.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3035189642.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000002.3037536715.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3019442083.0000026964E3F000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000002.3022171824.0000026964E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: CertMgr.Exe, 0000001D.00000002.2768834531.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, CertMgr.Exe, 0000001F.00000002.2770070849.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000002.2789179117.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000003.2788067294.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886224881.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000002.2892572494.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2890795608.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3036874849.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3035189642.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000002.3037536715.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 
00000029.00000003.3019442083.0000026964E3F000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000002.3022171824.0000026964E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0P
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: drvinst.exe, 00000027.00000002.2892572494.00000240A8850000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2891246833.00000240A8850000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp, is-I03EA.tmp.37.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: setup.tmp, 00000025.00000003.3058605092.00000000056E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crm.innovatrics.com
Source: setup.tmp, 00000025.00000003.3058605092.00000000056E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crm.innovatrics.com/
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: dpinst.exe, 00000021.00000002.2793695970.000000000056B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabt
Source: System.IO.Compression.Native.dll.11.dr String found in binary or memory: http://html4/loose.dtd
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://libusb-win32.sourceforge.netN
Source: drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://libusb-win32.sourceforge.netb
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.2712304320.0000000000871000.00000004.00000020.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3191090059.0000000000892000.00000004.00000020.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3175444140.0000000000892000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3036874849.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3036874849.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3035586309.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000002.3037536715.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3035189642.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000002.3037536715.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp, is-I03EA.tmp.37.dr String found in binary or memory: http://ocsp.thawte.com0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://s.symcd.com06
Source: setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://s.symcd.com0_
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt
Source: CertMgr.Exe, 0000001D.00000002.2768834531.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, CertMgr.Exe, 0000001F.00000002.2770070849.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000002.2789179117.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000003.2788067294.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886224881.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000002.2892572494.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2890795608.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3036874849.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3035189642.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000002.3037536715.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 
00000029.00000003.3019442083.0000026964E3F000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000002.3022171824.0000026964E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt0
Source: dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt9W
Source: dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crtP
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759309905.00000000010C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://standards.iso.org/iso/19770/-2/2015/sc0
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2760897614.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2562791382.000000000110D000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2752977068.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000002.2754280071.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2660004896.00000000014DD000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2753298811.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2660004896.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2752630825.0000000003510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://standards.iso.org/iso/19770/-2/2015/schema.xsd
Source: setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://sw.symcb.com/sw.crl0f
Source: setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://sw.symcd.com0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp, is-I03EA.tmp.37.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp, is-I03EA.tmp.37.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp, is-I03EA.tmp.37.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: dotnet60desktop.exe, 00000009.00000002.2708076898.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, dotnet60desktop.exe, 00000009.00000002.2709413064.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2761197407.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2761380592.0000000003860000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: dotnet60desktop.exe, 00000009.00000002.2709413064.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2761197407.00000000032A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010Hd
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.2130779171.00000000035E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.2n.cz
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3183334708.00000000025A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.2n.cz1RZ
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3183334708.00000000025A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.2n.cz32
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3183334708.00000000025A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.2n.cziRZ
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globalsign.net/repository/0
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globalsign.net/repository/03
Source: rundll32.exe, 00000026.00000003.2894277733.000002CF4272E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globalsign.net/repository09
Source: setup.tmp, setup.tmp, 00000025.00000000.2797910641.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.innosetup.com/
Source: setup.exe, setup.exe, 00000024.00000002.3063856766.0000000000401000.00000020.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: setup.exe, 00000024.00000002.3063856766.0000000000401000.00000020.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: setup.exe, 00000024.00000003.2797211868.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000024.00000003.2797392558.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, setup.tmp, 00000025.00000000.2797910641.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: setup.exe, 00000024.00000003.2797211868.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000024.00000003.2797392558.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000000.2797910641.0000000000401000.00000020.00000001.01000000.00000019.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758696473.000000000111C000.00000004.00000020.00020000.00000000.sdmp, thm.wxl13.17.dr String found in binary or memory: https://aka.ms/20-p2-rel-notes
Source: dotnet60desktop.exe, 00000009.00000002.2708114386.00000000006B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/20-p2-rel-notesi
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758696473.000000000111C000.00000004.00000020.00020000.00000000.sdmp, thm.wxl13.17.dr String found in binary or memory: https://aka.ms/dev-privacy
Source: dotnet60desktop.exe, 00000009.00000002.2708340549.0000000000709000.00000004.00000020.00020000.00000000.sdmp, dotnet60desktop.exe, 00000009.00000002.2709413064.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2761197407.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2760318936.000000000112B000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758490285.000000000110D000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758490285.000000000112B000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759309905.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758004763.0000000001142000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2760318936.0000000001142000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2760318936.000000000111D000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758696473.000000000111C000.00000004.00000020.00020000.00000000.sdmp, thm.wxl13.17.dr String found in binary or memory: https://aka.ms/dotnet-cli-telemetry
Source: netcorecheck.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: netcorecheck.exe, 00000003.00000000.2134110976.0000000001010000.00000002.00000001.01000000.00000008.sdmp, netcorecheck.exe, 00000003.00000002.2135710507.0000000001010000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=&rid=hXReading
Source: netcorecheck.exe, 00000003.00000002.2135554084.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=5.0
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759309905.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, thm.wxl13.17.dr String found in binary or memory: https://aka.ms/dotnet-docs
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759309905.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2761380592.0000000003860000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2760318936.000000000111D000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758696473.000000000111C000.00000004.00000020.00020000.00000000.sdmp, thm.wxl13.17.dr String found in binary or memory: https://aka.ms/dotnet-license-windows
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759309905.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2760318936.000000000111D000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000003.2758696473.000000000111C000.00000004.00000020.00020000.00000000.sdmp, thm.wxl13.17.dr String found in binary or memory: https://aka.ms/dotnet-tutorials
Source: 2N Driver for External USB Readers.exe, 00000000.00000003.3193501314.0000000002260000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.exe, 00000000.00000003.2125775570.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3183334708.00000000024F7000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.2130779171.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3181172089.0000000003862000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3181172089.00000000038E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: 2N Driver for External USB Readers.exe, 00000000.00000003.3193501314.0000000002260000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.exe, 00000000.00000003.2125775570.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3183334708.00000000024F7000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.2130779171.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3181172089.0000000003862000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.3181172089.00000000038E4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x86.exe
Source: setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005D01000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0)
Source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000003.2763134408.0000000000E6C000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000003.2761955887.000000000350A000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2761197407.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759309905.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2753072927.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2752283030.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000003.2752630825.0000000003510000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000002.2754157109.00000000014CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/core
Source: dotnet60desktop.exe, 00000009.00000002.2708114386.00000000006B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/core2
Source: windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000003.2704627944.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000002.2705444131.00000000006BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/core7
Source: System.IO.FileSystem.AccessControl.dll.11.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: 2N Driver for External USB Readers.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-77UBH.tmp.2.dr String found in binary or memory: https://sectigo.com/CPS0
Source: dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repo
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, CertMgr.Exe, 0000001D.00000002.2768834531.00000000013AE000.00000004.00000020.00020000.00000000.sdmp, CertMgr.Exe, 0000001F.00000002.2770070849.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000002.2789179117.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000023.00000003.2788067294.00000238D4376000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886224881.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000002.2892572494.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2890795608.00000240A87FC000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3036874849.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000003.3035189642.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, DPInst64.exe, 00000028.00000002.3037536715.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: dpinst.exe, 00000021.00000003.2778350520.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792320215.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2793695970.0000000000602000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000003.2792952819.000000000061D000.00000004.00000020.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794625288.0000000002D76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/03
Source: 2N Driver for External USB Readers.exe, 00000000.00000003.2127173120.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.exe, 00000000.00000003.2127593853.000000007FB20000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000000.2128996068.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
Source: 2N Driver for External USB Readers.exe, 00000000.00000003.2127173120.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.exe, 00000000.00000003.2127593853.000000007FB20000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000000.2128996068.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\is-279IB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpersona_x64.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\usbserial.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\is-ADA36.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\dfu.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\siliconLabs.cer (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-ASR1N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\symantec.cer (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe File created: C:\Users\user\AppData\Local\Temp\{086a8776-17e2-2141-ba4a-f3610c91f26a}\SET773C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\ServerSSL.pfx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4\is-DKDRB.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpersona_x64.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\zkfp.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-N73BK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4\is-CFPTC.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\SET9FE3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4\elatec.cer (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCC51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\is-6D6F7.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{9c8edb3f-4625-0f40-84f0-5e11f5d680a8}\SET7A78.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{9c8edb3f-4625-0f40-84f0-5e11f5d680a8}\twn4cdc.cat (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\zkfp.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe File created: C:\Users\user\AppData\Local\Temp\{086a8776-17e2-2141-ba4a-f3610c91f26a}\twn4cdc.cat (copy)
Source: C:\Windows\DPDrv\DPInst64.exe File created: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\dpersona_x64.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\is-DO317.tmp
Source: C:\Windows\DPDrv\DPInst64.exe File created: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\SETBEB5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4\twn4cdc.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-6EMJM.tmp

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped file: MD5: 181c8f19f974ad8a84b8673d487bbf0d Family: Metamorfo Description: The attackers used various techniques to evade detection and infect unsuspecting Portuguese-speaking users with banking Trojans. Public cloud infrastructure is utilized to help deliver the different stages and play a particularly big role in delivering the malicious payload. Legitimate signed binaries are also abused to load malicious code. References: https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0042F594 NtdllDefWindowProc_A, 37_2_0042F594
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00423B94 NtdllDefWindowProc_A, 37_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004125E8 NtdllDefWindowProc_A, 37_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00479380 NtdllDefWindowProc_A, 37_2_00479380
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 37_2_0045763C
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 37_2_0042E944
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 36_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 37_2_0045568C
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{9c8edb3f-4625-0f40-84f0-5e11f5d680a8}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df02a.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{8075C447-DEF3-4DCC-BB39-8497717BE91E}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF56A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df02d.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df02d.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI16AE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df02e.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{61373008-0285-40B8-93C2-26C8110BC4ED}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1BA1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df031.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df031.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1C5D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df032.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{DB82E9AB-01DC-4F99-A6C7-67CDDF90AAD9}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F0E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df035.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df035.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI21ED.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df036.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{28F5CA46-286A-4C61-A86E-525F06E456DD}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2847.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df039.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6df039.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI563E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI689E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI69A9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe File created: C:\Windows\DPINST.LOG
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-1KSCE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-OHV6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-APUGU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-J3PKB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-EL1CK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-DQHA8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-6EMJM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-GC5D4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-ECSVK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-NEUSB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-JPCD5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-5NC7F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-RD0A7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-RULKA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-KMSK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-S4LL1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-NR955.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-8O2DU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-H2VJ6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\is-A1JBL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\is-N97T5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\is-8NF8V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\is-52V98.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\is-GVF50.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\is-0V5J0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-LV194.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-NTD91.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-59OUT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-4C9RD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-JDKR1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-1C0V4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-PR4RR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-5B4KM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-U28V6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-DG1QU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-S6M9U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-DSTA3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-1GES6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-C6HAI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-LRLHQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-MEAI8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-ASR1N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-HGQH9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-7O1AC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-8VQ00.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-AP1V0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-IPKM0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-591T5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-TGQ65.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-HAADG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\is-E9LLE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\is-IGODE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\is-702MI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-C1CQG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-FDOTF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-FVSOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-OJSTD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\is-US67P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPSensors
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPSensors\is-4L7MR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPSensors\is-43LAD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPSensors\is-0I0LF.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\zkfp.inf_amd64_ab1035548178aff8
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem5.inf
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe File deleted: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe
Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
Source: 2N Driver for External USB Readers.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-0DRB9.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-BQ92G.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1639755 bytes, 2 files, at 0x44 +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Win2k-WinXP-Win2k3.exe" +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Vista.msu", flags 0x4, ID 12343, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
Source: is-H5954.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Microsoft Standalone Update, 256987 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows6.0-KB971286-x64.cab", flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
Source: is-H5954.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-5KKTG.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1384567 bytes, 2 files, at 0x44 +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Win2k-WinXP-Win2k3.exe" +A "Microsoft Kernel-Mode Driver Framework Install-v1.9-Vista.msu", flags 0x4, ID 12343, number 1, extra bytes 20 in head, 43 datablocks, 0x1503 compression
Source: is-NEGFN.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Microsoft Standalone Update, 240840 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows6.0-KB971286-x86.cab", flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1 compression
Source: is-NEGFN.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-JBSJJ.tmp.2.dr Static PE information: Number of sections : 15 > 10
Source: is-P6L7J.tmp.2.dr Static PE information: Number of sections : 16 > 10
Source: is-00NGS.tmp.2.dr Static PE information: Number of sections : 15 > 10
Source: is-18QUK.tmp.2.dr Static PE information: Number of sections : 11 > 10
Source: 2N Driver for External USB Readers.exe, 00000000.00000003.3193501314.0000000002298000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs 2N Driver for External USB Readers.exe
Source: 2N Driver for External USB Readers.exe, 00000000.00000003.2127173120.0000000002619000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs 2N Driver for External USB Readers.exe
Source: 2N Driver for External USB Readers.exe, 00000000.00000003.2127593853.000000007FE05000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs 2N Driver for External USB Readers.exe
Source: 2N Driver for External USB Readers.exe, 00000000.00000000.2125477292.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs 2N Driver for External USB Readers.exe
Source: 2N Driver for External USB Readers.exe Binary or memory string: OriginalFileName vs 2N Driver for External USB Readers.exe
Source: 2N Driver for External USB Readers.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: is-SD9NL.tmp.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-BQ92G.tmp.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.9985629322738576
Source: is-5KKTG.tmp.2.dr Static PE information: Section: .rsrc ZLIB complexity 0.9981172708256713
Source: is-2J23P.tmp.2.dr, Crypto.cs Cryptographic APIs: 'CreateDecryptor'
Source: is-2J23P.tmp.2.dr, Crypto.cs Cryptographic APIs: 'TransformBlock'
Source: classification engine Classification label: sus32.troj.adwa.evad.winEXE@95/1072@0/0
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DB20A3 FormatMessageW,GetLastError,LocalFree, 8_2_00DB20A3
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DB4674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 8_2_00DB4674
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B24674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 9_2_00B24674
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E64674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 10_2_00E64674
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CD4674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 15_2_00CD4674
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 36_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 37_2_0045568C
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 37_2_00455EB4
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF34D0 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 8_2_00DF34D0
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 36_2_00409C34
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DD6A02 ChangeServiceConfigW,GetLastError, 8_2_00DD6A02
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\DPDrv\DPInst64.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\DPINST_LOG_SCROLLER_MUTEX
Source: C:\Windows\DPDrv\DPInst64.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3780:120:WilError_03
Source: C:\Windows\DPDrv\DPInst64.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\DIFX_PROGRAM_FILES_MUTEX
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\5924
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\5800
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\6528
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe File created: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp
Source: Yara match File source: C:\Windows\SysWOW64\is-4C9RD.tmp, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\FPSensor\Biokey\is-IO0QL.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: cabinet.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: msi.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: version.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: wininet.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: comres.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: clbcatq.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: msasn1.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: crypt32.dll 8_2_00DB1070
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Command line argument: feclient.dll 8_2_00DB1070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: cabinet.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: msi.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: version.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: wininet.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: comres.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: clbcatq.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: msasn1.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: crypt32.dll 9_2_00B21070
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Command line argument: feclient.dll 9_2_00B21070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: cabinet.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: msi.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: version.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: wininet.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: comres.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: clbcatq.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: msasn1.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: crypt32.dll 10_2_00E61070
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: feclient.dll 10_2_00E61070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: cabinet.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: msi.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: version.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: wininet.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: comres.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: clbcatq.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: msasn1.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: crypt32.dll 15_2_00CD1070
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Command line argument: feclient.dll 15_2_00CD1070
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" libusb0.dll,usb_install_driver_np_rundll C:\Windows\zkdrv\ZKFP.inf
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: create table iuser_info(title varchar(32) primary key,value varchar(32));
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into iuser_idkit values (:001,:002,:003);
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into iuser_idkit_images_backup select userid,templateid,image from iuser_idkit_images;
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into iuser_idkit_images select * from iuser_idkit_images_backup;
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into iuser_tags values (:001,:002,:003);
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: select value from iuser_info where title='db version';
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: update iuser_info set 'value'='1.4' where title='db version';
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into iuser_idkit values (:001,:002,:003);insert into iuser_idkit_images values (:001,:002,:003);delete from iuser_idkit_images where userid=:001delete from iuser_idkit where userid=:001insert into iuser_tags values (:001,:002,:003);delete from iuser_tags where userid=:001vacuumdelete from iuser_tagsdelete from iuser_idkit_imagesdelete from iuser_idkitselect custom_data from iuser_idkit where userid=:001select templateid,image from iuser_idkit_images where userid=:001select userid, name, value from iuser_tagsselect userid,record from iuser_idkit
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: create table iuser_idkit_images (userid integer NOT NULL,templateid integer NOT NULL,image blob NOT NULL,PRIMARY KEY (userid, templateid));
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: update iuser_info set 'value'='1.3' where title='db version';
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into iuser_idkit_images values (:001,:002,:003);
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: create table iuser_idkit (userid integer primary key,record blob NOT NULL,custom_data blob);
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: update iuser_info set 'value'='1.2' where title='db version';
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: select type from sqlite_master where name='%s';
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: create table iuser_tags(userid integer NOT NULL,name varchar(100) NOT NULL,value varchar(4000) NOT NULL,PRIMARY KEY (userid, name));
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: update iuser_info set 'value'='1.1' where title='db version';
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into %s values('%s','%d.%d');
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: insert into %s values('%s','%02d/%02d/%02d %02d:%02d:%02d');
Source: dotnet60desktop.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: windowsdesktop-runtime-6.0.4-win-x86.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: dpinst.exe String found in binary or memory: Some post-install cleanup tasks failed. Error code is 0x%X
Source: dpinst.exe String found in binary or memory: Could not re-add '%s' to reference list of driver store entry '%s'
Source: dpinst.exe String found in binary or memory: Successfully re-added '%s' to reference list of driver store entry '%s'
Source: dpinst.exe String found in binary or memory: Install option set: Suppress pre-install of Plug and Play drivers if no matching devices are present.
Source: dpinst.exe String found in binary or memory: During undo of install, we failed to re-install the driver. Error code 0x%X
Source: dpinst.exe String found in binary or memory: Error 0x%X - Could not delete service info key for '%ws', even though there are no more DIFx-installed driver stores using this se
Source: setup.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: 2N Driver for External USB Readers.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe File read: C:\Users\user\Desktop\2N Driver for External USB Readers.exe
Source: unknown Process created: C:\Users\user\Desktop\2N Driver for External USB Readers.exe "C:\Users\user\Desktop\2N Driver for External USB Readers.exe"
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Process created: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp "C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp" /SL5="$103E4,35010763,947200,C:\Users\user\Desktop\2N Driver for External USB Readers.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe" Microsoft.WindowsDesktop.App 6.0.4
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe" /lcid 2057 /passive /norestart
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Process created: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe "C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe" -burn.filehandle.attached=520 -burn.filehandle.self=516 /lcid 2057 /passive /norestart
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Process created: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe "C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe" -q -burn.elevated BurnPipe.{4C86AD50-ECFF-4E0C-8859-69C2F732A1B6} {4190C1E9-DF0B-4777-B67E-25C22799E37B} 6884
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5F08179E706612A6B7A04DE10E46E3A3
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0AE14355DA77B8EC5D78BBA627A31F90
Source: unknown Process created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe "C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Process created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe "C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" /passive /norestart /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.4_(x86)_20240426111336.log" /lcid 2057
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Process created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe "C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /passive /norestart /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.4_(x86)_20240426111336.log" /lcid 2057
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9A6BE86B09F849551CC63C9676854998
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Process created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe "C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" -q -burn.elevated BurnPipe.{5B3AA127-E574-49A0-B320-16AAE8743C18} {B68FB661-CED6-45D2-8A04-5EF32E491C00} 2896
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 029EEC1918DF13259116589682A83A05
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 42ABA69F9D42EED2BA1E1226AEC89AC1
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\system32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Usbdrv.exe" "2N USB Driver" DISABLE ALL
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe" C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.exe" -add -c "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4\elatec.cer" -s -r localMachine ROOT
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.exe" -add -c "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4\elatec.cer" -s -r localMachine TrustedPublisher
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe" /SA /SE /SW /F /C /PATH C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{086a8776-17e2-2141-ba4a-f3610c91f26a}\twn4cdc.inf" "9" "42c8444f7" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "c:\users\user\appdata\local\temp\is-clj4h.tmp\twn4"
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe" /VERYSILENT /NORESTART /SP-
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Process created: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp "C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp" /SL5="$705E0,17762851,56832,C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe" /VERYSILENT /NORESTART /SP-
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" libusb0.dll,usb_install_driver_np_rundll C:\Windows\zkdrv\ZKFP.inf
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{09607da7-062f-814c-af33-b727806a2bd1}\ZKFP.inf" "9" "429e2a833" "0000000000000184" "WinSta0\Default" "0000000000000168" "208" "C:\Windows\zkdrv"
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\DPDrv\DPInst64.exe "C:\Windows\dpdrv\DPInst64.exe" /s
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "8" "C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\dpersona_x64.inf" "9" "47ae312af" "000000000000018C" "WinSta0\Default" "0000000000000194" "208" "c:\windows\dpdrv"
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll"
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPDevTS.dll"
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DpFnd2.dll"
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPJasPer.dll"
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe "C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe" -burn.filehandle.attached=520 -burn.filehandle.self=516 /lcid 2057 /passive /norestart
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: usoapi.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msimg32.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: textshaping.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: propsys.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: edputil.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: urlmon.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: srvcli.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: netutils.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: sspicli.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: appresolver.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: bcp47langs.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: slc.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: userenv.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: sppc.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: mpr.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: pcacli.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: srclient.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: spp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: powrprof.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: vssapi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: vsstrace.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: umpdc.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: usoapi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: srpapi.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: tsappcmp.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: netapi32.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: wkscli.dll
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Section loaded: cryptui.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: drvstore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: devrtl.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: spinf.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Section loaded: sppc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: apphelp.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: aclayers.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: sfc.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: sfc_os.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: version.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: msasn1.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: uxtheme.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: msxml3.dll
Source: C:\Windows\DPDrv\DPInst64.exe Section loaded: drvstore.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Automated click: Next
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Window detected: Number of UI elements: 21
Source: C:\Windows\DPDrv\DPInst64.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\E8FD6EF8CC869DE121501FB543A7C0674D30756F
Source: 2N Driver for External USB Readers.exe Static PE information: certificate valid
Source: 2N Driver for External USB Readers.exe Static file information: File size 35906760 > 1048576
Source: 2N Driver for External USB Readers.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\Workspaces\zkteco svn\libfpsensor\trunk\libfpsensor\x64\Release\ZKFPSensors\libzklibcap.pdb source: setup.tmp, 00000025.00000003.3058605092.00000000056E0000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000025.00000002.3061790570.000000000018E000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpDevDat.pdb source: DPInst64.exe, 00000028.00000003.2964085180.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006547610.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2998219929.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpd00701.pdb source: drvinst.exe, 00000029.00000003.2999026102.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdbH source: drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\GitLab-Runner\builds\WzT4ZGRf\1\ac\secured-card-tool\src\Shared\Rfid.Encryption\obj\x86\Release\net6.0\Nn.Rfid.Encryption.pdbSHA256 source: is-77UBH.tmp.2.dr
Source: Binary string: CertMgr.pdb source: CertMgr.Exe, CertMgr.Exe, 0000001D.00000000.2767345124.00000000004A1000.00000020.00000001.01000000.00000016.sdmp, CertMgr.Exe, 0000001D.00000002.2768431869.00000000004A1000.00000020.00000001.01000000.00000016.sdmp, CertMgr.Exe, 0000001F.00000002.2769914048.00000000004A1000.00000020.00000001.01000000.00000016.sdmp, CertMgr.Exe, 0000001F.00000000.2769071550.00000000004A1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.11.dr
Source: Binary string: e:\TeamBuilds\Core\DP_ENT_WS_MAIN\Binaries\Win32\Release\DPDevTS.pdbD source: is-I03EA.tmp.37.dr
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpDevDatx64.pdb source: DPInst64.exe, 00000028.00000003.2965141208.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006784725.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2999546158.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: g:\fingerpr\mars\src\usbscan\objfre_wlh_amd64\amd64\usbdpfp.pdb source: DPInst64.exe, 00000028.00000003.2963361782.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3005824851.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2997532265.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdb source: drvinst.exe, 00000027.00000003.2882947095.00000240A87FE000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886636864.00000240A87CC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2886584676.00000240A8859000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000027.00000003.2882990701.00000240A87AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpi00701x64.pdb source: DPInst64.exe, 00000028.00000003.2963704354.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2997861422.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006443858.0000026965321000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Thomas\source\repos\winusbnet\WinUSBNet\obj\Release\netcoreapp3.1\WinUSBNet.pdbSHA256 source: is-HP6R9.tmp.2.dr
Source: Binary string: e:\TeamBuilds\SDKUI\DP_ENT_WS\Binaries\Win32\Release\DPPTUtils.pdb source: regsvr32.exe, 0000002C.00000002.3042172324.000000006FB88000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpi00701.pdb source: DPInst64.exe, 00000028.00000003.2965474924.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3000014532.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006880739.0000026965321000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpd00701x64.pdb source: drvinst.exe, 00000029.00000003.2996375367.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3005824851.0000026965321000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdb source: drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\NightBuild\Installer\obj\checkout\IDKit\bin\x64\IDKit (Release)\IDKit64.pdb source: setup.tmp, 00000025.00000003.3058605092.0000000005C0C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Work\usb-driver\utils\HostsHelper\obj\Release\HostsHelper.pdb source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3188302279.000000000018C000.00000004.00000010.00020000.00000000.sdmp, HostsHelper.exe, 0000001B.00000000.2761274455.000001827EE32000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: DpInst.pdb source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, dpinst.exe, dpinst.exe, 00000021.00000002.2794901615.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, dpinst.exe, 00000021.00000000.2770689280.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, DPInst64.exe, 00000028.00000000.2933095406.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, DPInst64.exe, 00000028.00000002.3038803899.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, is-AL0OI.tmp.2.dr
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: dotnet60desktop.exe, 00000008.00000000.2400540946.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000008.00000002.2711992523.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000009.00000000.2402564744.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, dotnet60desktop.exe, 00000009.00000002.2709096535.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000000.2408799844.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000003.2428045478.000000000070B000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000002.2706196116.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000000.2555007939.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000002.2562073815.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000000.2556098265.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000002.2763904316.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000000.2560776999.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759042141.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000000.2659402740.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000002.2753814866.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: g:\fingerpr\mars\src\mp\sputniki\kdevice\dp4000x\objfre_wlh_amd64\amd64\dpK00701.pdb source: DPInst64.exe, 00000028.00000003.2966647351.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006988043.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3001362963.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\native\net6.0-windows-Release-x86\System.IO.Compression.Native\System.IO.Compression.Native.pdbXXXGCTL source: System.IO.Compression.Native.dll.11.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: api-ms-win-core-handle-l1-1-0.dll.11.dr
Source: Binary string: E:\Repos\deployment-tools\fork\deployment-tools\artifacts\obj\win-x86.Release\native\projects\NetCoreCheck\Release\NetCoreCheck.pdb source: netcorecheck.exe, 00000003.00000000.2134110976.0000000001010000.00000002.00000001.01000000.00000008.sdmp, netcorecheck.exe, 00000003.00000002.2135710507.0000000001010000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.11.dr
Source: Binary string: G:\fingerpr\Mars\Run32\Release\dpDevCtl.pdb source: DPInst64.exe, 00000028.00000003.2964431689.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006655772.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.2998634796.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Thomas\source\repos\winusbnet\WinUSBNet\obj\Release\netcoreapp3.1\WinUSBNet.pdb source: is-HP6R9.tmp.2.dr
Source: Binary string: C:\GitLab-Runner\builds\WzT4ZGRf\1\ac\secured-card-tool\src\Shared\Rfid.Encryption\obj\x86\Release\net6.0\Nn.Rfid.Encryption.pdb source: is-77UBH.tmp.2.dr
Source: Binary string: G:\fingerpr\Mars\Run64\Release\dpDevCtlx64.pdb source: DPInst64.exe, 00000028.00000003.2965863378.0000000002D51000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3006988043.0000026965321000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000029.00000003.3000450737.0000026964E8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\native\net6.0-windows-Release-x86\System.IO.Compression.Native\System.IO.Compression.Native.pdb source: System.IO.Compression.Native.dll.11.dr
Source: Binary string: e:\TeamBuilds\Core\DP_ENT_WS_MAIN\Binaries\Win32\Release\DPDevTS.pdb source: is-I03EA.tmp.37.dr
Source: Binary string: DpInst.pdbH source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3171515255.00000000039C0000.00000004.00001000.00020000.00000000.sdmp, dpinst.exe, 00000021.00000002.2794901615.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, dpinst.exe, 00000021.00000000.2770689280.00007FF79B131000.00000020.00000001.01000000.00000017.sdmp, DPInst64.exe, 00000028.00000000.2933095406.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, DPInst64.exe, 00000028.00000002.3038803899.00007FF6BEA11000.00000020.00000001.01000000.0000001B.sdmp, is-AL0OI.tmp.2.dr
Source: Binary string: E:\Workspaces\C++\zkidentify_openssl\x64\Release\fpslib.pdb source: setup.tmp, 00000025.00000003.3058605092.0000000005740000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdbP source: drvinst.exe, 00000027.00000003.2886532790.00000240A8859000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\net6.0-windows-Release\System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.11.dr
Source: Binary string: E:\Repos\deployment-tools\fork\deployment-tools\artifacts\obj\win-x86.Release\native\projects\NetCoreCheck\Release\NetCoreCheck.pdbiiiGCTL source: netcorecheck.exe, 00000003.00000000.2134110976.0000000001010000.00000002.00000001.01000000.00000008.sdmp, netcorecheck.exe, 00000003.00000002.2135710507.0000000001010000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: dotnet60desktop.exe, 00000008.00000000.2400540946.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000008.00000002.2711992523.0000000000DFB000.00000002.00000001.01000000.00000009.sdmp, dotnet60desktop.exe, 00000009.00000000.2402564744.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, dotnet60desktop.exe, 00000009.00000002.2709096535.0000000000B6B000.00000002.00000001.01000000.0000000B.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000000.2408799844.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000003.2428045478.000000000070B000.00000004.00000020.00020000.00000000.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000A.00000002.2706196116.0000000000EAB000.00000002.00000001.01000000.0000000F.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000000.2555007939.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 0000000F.00000002.2562073815.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000000.2556098265.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000010.00000002.2763904316.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000000.2560776999.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000011.00000002.2759042141.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000000.2659402740.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp, windowsdesktop-runtime-6.0.4-win-x86.exe, 00000015.00000002.2753814866.0000000000D1B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\NightBuild\Installer\obj\checkout\IDKit\bin\x64\IDKit (Release)\IDKit64.pdb \( source: setup.tmp, 00000025.00000003.3058605092.0000000005C0C000.00000004.00001000.00020000.00000000.sdmp
Source: is-N07MR.tmp.2.dr Static PE information: 0xB7DA1635 [Thu Sep 29 11:57:41 2067 UTC]
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_010063B3 __EH_prolog3_GS,LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn, 3_2_010063B3
Source: 2N Driver for External USB Readers.exe Static PE information: section name: .didata
Source: 2N Driver for External USB Readers.tmp.0.dr Static PE information: section name: .didata
Source: is-JBLBK.tmp.2.dr Static PE information: section name: .wixburn
Source: is-0DRB9.tmp.2.dr Static PE information: section name: .didata
Source: is-6H63V.tmp.2.dr Static PE information: section name: .eh_fram
Source: is-P6L7J.tmp.2.dr Static PE information: section name: .rodata
Source: is-P6L7J.tmp.2.dr Static PE information: section name: /4
Source: is-P6L7J.tmp.2.dr Static PE information: section name: /14
Source: is-P6L7J.tmp.2.dr Static PE information: section name: /29
Source: is-P6L7J.tmp.2.dr Static PE information: section name: /41
Source: is-P6L7J.tmp.2.dr Static PE information: section name: /55
Source: is-P6L7J.tmp.2.dr Static PE information: section name: /67
Source: is-00NGS.tmp.2.dr Static PE information: section name: /4
Source: is-00NGS.tmp.2.dr Static PE information: section name: /14
Source: is-00NGS.tmp.2.dr Static PE information: section name: /29
Source: is-00NGS.tmp.2.dr Static PE information: section name: /41
Source: is-00NGS.tmp.2.dr Static PE information: section name: /55
Source: is-00NGS.tmp.2.dr Static PE information: section name: /67
Source: is-JBSJJ.tmp.2.dr Static PE information: section name: /4
Source: is-JBSJJ.tmp.2.dr Static PE information: section name: /14
Source: is-JBSJJ.tmp.2.dr Static PE information: section name: /29
Source: is-JBSJJ.tmp.2.dr Static PE information: section name: /41
Source: is-JBSJJ.tmp.2.dr Static PE information: section name: /55
Source: is-JBSJJ.tmp.2.dr Static PE information: section name: /67
Source: is-SBU6E.tmp.2.dr Static PE information: section name: /4
Source: is-K2MUR.tmp.2.dr Static PE information: section name: /4
Source: is-18QUK.tmp.2.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll"
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100E13C push ecx; ret 3_2_0100E14F
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100A3E4 push ecx; ret 3_2_0100A3F6
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DDE916 push ecx; ret 8_2_00DDE929
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B4E916 push ecx; ret 9_2_00B4E929
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E8E916 push ecx; ret 10_2_00E8E929
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CFE916 push ecx; ret 15_2_00CFE929
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A8B99 push ecx; ret 29_2_004A8BAC
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_004065C8 push 00406605h; ret 36_2_004065FD
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_004040B5 push eax; ret 36_2_004040F1
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00408104 push ecx; mov dword ptr [esp], eax 36_2_00408109
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00404185 push 00404391h; ret 36_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00404206 push 00404391h; ret 36_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_0040C218 push eax; ret 36_2_0040C219
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_004042E8 push 00404391h; ret 36_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00404283 push 00404391h; ret 36_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: 36_2_00408F38 push 00408F6Bh; ret 36_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004849F4 push 00484B02h; ret 37_2_00484AFA
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0040995C push 00409999h; ret 37_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00458060 push 00458098h; ret 37_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004860E4 push ecx; mov dword ptr [esp], ecx 37_2_004860E9
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004062C4 push ecx; mov dword ptr [esp], eax 37_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004783C8 push ecx; mov dword ptr [esp], edx 37_2_004783C9
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004104F0 push ecx; mov dword ptr [esp], edx 37_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00412938 push 0041299Bh; ret 37_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0049AD44 pushad ; retf 37_2_0049AD53
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0040CE48 push ecx; mov dword ptr [esp], edx 37_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00459378 push 004593BCh; ret 37_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0040F3A8 push ecx; mov dword ptr [esp], edx 37_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0040546D push eax; ret 37_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004434B4 push ecx; mov dword ptr [esp], ecx 37_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0040553D push 00405749h; ret 37_2_00405741
Source: is-SD9NL.tmp.2.dr Static PE information: section name: .text entropy: 7.409859269142881

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Executable created and started: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Executable created and started: C:\Windows\DPDrv\DPInst64.exe
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Executable created and started: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8C18F347CF57959E4DD189A7D79464ED795064D6 Blob
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8C18F347CF57959E4DD189A7D79464ED795064D6 Blob
Source: C:\Windows\System32\drvinst.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe File created: \2n driver for external usb readers.exe
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: \2n driver for external usb readers.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\UIAutomationClientSideProviders.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\Microsoft.Win32.Primitives.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\UIAutomationTypes.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Xaml.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\Microsoft.VisualBasic.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\mscordaccore_x86_x86_6.0.422.16404.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Forms.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\System.Xaml.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Windows.Forms.Primitives.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Interop.ZKFPEngXControl.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Transactions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\UIAutomationTypes.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\System.Windows.Input.Manipulations.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\Microsoft.VisualBasic.Forms.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\WindowsBase.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\PresentationUI.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\WindowsBase.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\WindowsBase.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Security.Cryptography.X509Certificates.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Windows.Forms.Primitives.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\WindowsBase.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\System.Xaml.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Forms.Design.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-VLAJN.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\UIAutomationTypes.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Reflection.Emit.ILGeneration.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-2J23P.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Xaml.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\PresentationCore.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\System.Windows.Forms.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\is-H9DJS.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\System.Windows.Forms.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-1MLIS.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Extensions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Design.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\BgApiDriver.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-ELJA9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Overlapped.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\UIAutomationProvider.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\System.Windows.Controls.Ribbon.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ReachFramework.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\PresentationCore.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\PresentationUI.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\WindowsFormsIntegration.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.Contracts.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\System.Windows.Forms.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\ReachFramework.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.NetworkInformation.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\twn4\is-G5MOI.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\PresentationFramework.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\System.Windows.Controls.Ribbon.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Newtonsoft.Json.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\dfutool.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\ReachFramework.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\is-13VD6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\x86\is-5KKTG.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\UIAutomationClient.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-0DRB9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\x86\is-NEGFN.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Tasks.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\System.Windows.Forms.Design.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\Microsoft.VisualBasic.Forms.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Security.Principal.Windows.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Forms.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.UnmanagedMemoryStream.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.IsolatedStorage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ObjectModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Timer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.FileSystem.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Usbdrv.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Globalization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\WindowsBase.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Nn.Rfid.Twn4.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\Microsoft.Win32.Registry.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-F7ES3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Presentation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Private.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\Qt5Core.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-18QUK.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ComponentModel.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework.AeroLite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Text.Encoding.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework-SystemXmlLinq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\wpfgfx_cor3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ServiceModel.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework-SystemXml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Collections.Concurrent.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Data.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Nn.Rfid.Common.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\is-AL0OI.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationCore.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-9GLPD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-P6L7J.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework.Classic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.Compression.Brotli.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Forms.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.Ping.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\UIAutomationClientSideProviders.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\Accessibility.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\mscorrc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Globalization.Calendars.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\vcruntime140_cor3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ru\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\UIAutomationClientSideProviders.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Diagnostics.PerformanceCounter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\coreclr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\D3DCompiler_47_cor3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\NLog.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\WindowsBase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.WebSockets.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Thread.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.CodeDom.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ru\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.Quic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\UIAutomationTypes.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Web.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-00NGS.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework-SystemDrawing.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-5RQKA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.Pipes.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\System.Xaml.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\ReachFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-77UBH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Numerics.Vectors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Reflection.Emit.Lightweight.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\twn4\flash.exe (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ru\System.Windows.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\ReachFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\System.Xaml.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\Microsoft.DiaSymReader.Native.x86.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-console-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Security.Cryptography.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.DirectoryServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Diagnostics.EventLog.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\ReachFramework.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-1B30B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\UIAutomationClientSideProviders.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ru\UIAutomationClient.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\ReachFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\dotnet.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ComponentModel.EventBasedAsync.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\is-JBLBK.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ru\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Tasks.Dataflow.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.TraceSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\UIAutomationClientSideProviders.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\System.Xaml.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-T8KB1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.Pipes.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework.Aero.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\System.IO.Ports.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Windows.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Xml.XDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\WindowsBase.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-6H63V.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe File created: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\UIAutomationClientSideProviders.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Drawing.Common.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Fleck.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Configuration.ConfigurationManager.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.WebClient.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\System.Xaml.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Hardcodet.NotifyIcon.Wpf.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\WindowsBase.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Tasks.Extensions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\amd64\winusbcoinstaller2.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\ReachFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework.Aero2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\x86\WdfCoInstaller01009.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe File created: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\mscordaccore.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.AppContext.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\ReachFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\System.Windows.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Security.Cryptography.ProtectedData.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Printing.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Serialization.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1C5D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-K2MUR.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\UIAutomationClientSideProviders.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI563E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\UIAutomationClient.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\WindowsBase.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ServiceProcess.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.Debug.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Reflection.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Numerics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.IO.Packaging.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-N07MR.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\zkfinger10.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\libcorrect.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\dpfj.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI21ED.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\fpslib.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-5B4KM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\fppswsk.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\libzkfpcsharp.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPSensors\libdpcap.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-NTD91.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-RD0A7.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCD70.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\dpuvc.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-LV194.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\DpClback.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-TGQ65.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-LRLHQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\DPFPApi.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\dpuvc.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\libcorrect.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-A1JBL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\ZKFPSensors\is-4L7MR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\libdpcap.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-8VQ00.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI69A9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\is-IGODE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\usbdpfp.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-AP1V0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\is-E9LLE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\DPFPApi.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\match.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpDevDat.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-1GES6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-8NF8V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpDevCtlx64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\ZKFPSensors\is-0I0LF.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\usbdpfp.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-OHV6A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpi00701.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\libusb0.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-S6M9U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe File created: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\libzkfp.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpi00701x64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\dpfpdd.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-ECSVK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-1KSCE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-4C9RD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpd00701x64.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpD00701.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\ZKFPSensors\is-43LAD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-52V98.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\libusb0.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\libzkfpcsharp.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-59OUT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\libusb0.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-8O2DU.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCDF0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\DPInst64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\is-702MI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-1C0V4.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\SETA004.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-S4LL1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-APUGU.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCD20.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-591T5.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCDC1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPCap.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\DPClback.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpK00701.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-HAADG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-JDKR1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-EL1CK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\dpfpdd.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-PR4RR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-DQHA8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\libusb0_x64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpDevCtl.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpdevctlx64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\dpfpdd5000.dll (copy) Jump to dropped file
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe File created: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-DG1QU.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpk00701.sys (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCC82.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-H2VJ6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-NEUSB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\fppswsk.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-IPKM0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\dpfpdd5000.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-0V5J0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-FDOTF.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpdevctl.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\libsilkid.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCD91.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-GVF50.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI16AE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\libzklibcap.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCD00.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-OJSTD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\zkfpslibLow.dll (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpI00701x64.dll (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpD00701x64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpDevDatx64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-MEAI8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPSensors\libsilkidcap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-RULKA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1C5D.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCD41.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-J3PKB.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\SET9FC3.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpI00701.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\zkfinger10.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-7O1AC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-U28V6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\libsilkid.dll (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\libusb0_x64.sys (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI563E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\syswow64\dpfj.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\zkfinger10-32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\libusb0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-US67P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-JPCD5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-DSTA3.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCE20.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\matchdll.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\ZKFPCap.dll (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpdevdat.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-FVSOJ.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\libusb0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\is-5NC7F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\DPDrv\dpd00701.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-KMSK2.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\libusb0_x64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPSensors\libsilkidcap.dll (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCE7F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\is-N97T5.tmp
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe File created: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.ba\wixstdba.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\zkfpslibLow.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\system32\ZKFPSensors\libzklibcap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\fpslib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-NR955.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpdevdatx64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\libzkfp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\libusb0_x64.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\System32\is-C1CQG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\SysWOW64\FPCom.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp File created: C:\Windows\zkdrv\is-C6HAI.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\SETA025.tmp
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe File created: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.ba\eula.rtf
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\dotnet\LICENSE.txt
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe File created: C:\Users\user\AppData\Local\Temp\{A287890D-DBAC-4823-84AD-E84F6FE6DAFE}\.ba\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2N TELEKOMUNIKACE
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2N TELEKOMUNIKACE\2N USB Driver.lnk
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {ff0d7b6b-8624-42f0-b961-69e6cbf896c1}
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 37_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004241EC IsIconic,SetActiveWindow,SetFocus, 37_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004241A4 IsIconic,SetActiveWindow, 37_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 37_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 37_2_004843A8
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 37_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow, 37_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004175A8 IsIconic,GetCapture, 37_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00417CDE IsIconic,SetWindowPos, 37_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 37_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100B050 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_0100B050
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\2N Driver for External USB Readers.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\DPDrv\DPInst64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Memory allocated: 1827F060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Memory allocated: 1827F7F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-JSTVD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\system32\fpslib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\bin\iZHost.exe (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\msquic.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\UIAutomationClientSideProviders.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\Microsoft.Win32.Primitives.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\UIAutomationTypes.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Xaml.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\mscordaccore_x86_x86_6.0.422.16404.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\Microsoft.VisualBasic.Core.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostW.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ja\is-8OPPC.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.WebSockets.Client.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Interop.ZKFPEngXControl.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Transactions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\UIAutomationTypes.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\System.Windows.Input.Manipulations.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\en-US\is-B5VTT.tmp
Source: C:\Windows\DPDrv\DPInst64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\SETC063.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\WindowsBase.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\ZKFPSensors\is-4L7MR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\ZKFPSensors\libdpcap.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Security.Cryptography.Csp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\is-8VQ00.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\is-67MM5.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Security.Cryptography.X509Certificates.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\is-7FPM7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.Process.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\System.Xaml.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\match.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-VLAJN.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Reflection.Emit.ILGeneration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Xaml.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\System.Windows.Forms.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-8NF8V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\is-OHV6A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Design.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\BgApiDriver.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Overlapped.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-ELJA9.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.Contracts.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\System.Windows.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\ReachFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.NetworkInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-E3UT2.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\is-ECSVK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-0DRB9.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Tasks.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\Microsoft.VisualBasic.Forms.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCOper2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-J12JI.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCDC1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Security.Principal.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.IsolatedStorage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ObjectModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Timer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-JDKR1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\libsilkid.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Usbdrv.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\dpDevCtl.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\syswow64\dpfpdd5000.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Globalization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\WindowsBase.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\is-H2VJ6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\is-NEUSB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-F7ES3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\DPDrv\DPInst64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\dpI00701.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-5ERSO.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ja\DpHostW.exe.mui (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Text.Encoding.CodePages.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-0P6R4.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Private.Xml.Linq.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-I03EA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-18QUK.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework.AeroLite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Serialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Text.RegularExpressions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Text.Encoding.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework-SystemXmlLinq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\PresentationUI.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\wpfgfx_cor3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\is-U28V6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework-SystemXml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\PresentationUI.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Nn.Rfid.Common.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Windows.Controls.Ribbon.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationCore.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\is-DSTA3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Security.Cryptography.OpenSsl.dll Jump to dropped file
Source: C:\Windows\DPDrv\DPInst64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\dpdevdat.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\system32\ZKFPSensors\libsilkidcap.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework.Classic.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\es\DpHostW.exe.mui (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\fpslib.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Forms.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\libzkfp.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.Ping.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\SETA025.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\Accessibility.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\mscorrc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Globalization.Calendars.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\usb_dll.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Configuration.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-NTD91.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\UIAutomationClientSideProviders.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ru\PresentationFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Input.Manipulations.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\tr\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\coreclr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\D3DCompiler_47_cor3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\unins000.exe (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\Microsoft.VisualBasic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\WindowsBase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\UIAutomationTypes.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Thread.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\UIAutomationProvider.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\Microsoft.VisualBasic.Forms.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.Quic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.FileSystem.DriveInfo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ru\System.Windows.Forms.Primitives.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\zkdrv\is-1GES6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\dpDevCtlx64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\ZKFPSensors\is-0I0LF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Reflection.TypeExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pl\WindowsFormsIntegration.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\PresentationFramework-SystemDrawing.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-5RQKA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-GVGJE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.Pipes.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\ReachFramework.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\System.Xaml.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\System.Windows.Forms.Design.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\dpi00701x64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\de\DpHostW.exe.mui (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Reflection.Emit.Lightweight.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\UIAutomationClientSideProviders.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Private.DataContractSerialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\PresentationCore.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Security.AccessControl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\libsilkidcap.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\host\fxr\6.0.4\hostfxr.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\System.Windows.Forms.Design.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Xml.XPath.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-FCT4U.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Input.Manipulations.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\usbdpfp.sys (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Windows.Forms.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\PresentationFramework.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\zkfputil.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-VSTNL.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\PresentationUI.resources.dll
Source: C:\Windows\DPDrv\DPInst64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\usbdpfp.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-6H63V.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\fr\Microsoft.VisualBasic.Forms.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\is-1KSCE.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Intrinsics.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpD00701.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\dpd00701x64.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Xml.Serialization.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Drawing.Common.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Fleck.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.WebClient.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCD20.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hans\DpHostW.exe.mui (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Handles.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-J8TFA.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.Tasks.Extensions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\ReachFramework.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\amd64\winusbcoinstaller2.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Threading.ThreadPool.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-G6VA9.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\WindowsFormsIntegration.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\x86\WdfCoInstaller01009.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\PresentationCore.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\mscordaccore.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-E3UT2.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\PresentationFramework.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPTSClnt.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.AppContext.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hant\is-VJQOH.tmp
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCD91.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\ZKFPSensors\libzklibcap.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Security.Cryptography.ProtectedData.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Xml.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\UIAutomationProvider.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Serialization.Xml.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Core.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hans\PresentationFramework.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1C5D.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{09607da7-062f-814c-af33-b727806a2bd1}\SET9D66.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\system32\zkfinger10.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\is-K2MUR.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\Microsoft.Win32.Registry.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\WindowsBase.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.ServiceProcess.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Data.DataSetExtensions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.Debug.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\SETCE20.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Controls.Ribbon.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Reflection.Extensions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\is-FVSOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-ENNLB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\is-NR955.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\zkdrv\libusb0_x64.sys (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\system32\fppswsk.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\is-RD0A7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\System.Windows.Forms.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\System.Xaml.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\System.Windows.Forms.Primitives.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\system32\dpuvc.dll (copy)
Source: C:\Windows\DPDrv\DPInst64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\dpI00701x64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\syswow64\DpClback.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-TGQ65.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\Microsoft.VisualBasic.Forms.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\syswow64\DPFPApi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\syswow64\dpuvc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-A1JBL.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\PresentationUI.resources.dll
Source: C:\Windows\DPDrv\DPInst64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\SETC0A3.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ko\WindowsBase.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\WindowsBase.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\DPDrv\usbdpfp.sys (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Numerics.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\de\System.Windows.Forms.Primitives.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\WindowsBase.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPAppSyn.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\system32\DPFPApi.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Forms.Design.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-2J23P.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\PresentationCore.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\System.Windows.Forms.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\is-1MLIS.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Linq.Parallel.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\UIAutomationProvider.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ReachFramework.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\ja\PresentationUI.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\cs\WindowsFormsIntegration.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPJasPer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\twn4\is-G5MOI.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\createdump.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\System.Windows.Controls.Ribbon.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Resources.Writer.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\libcorrect.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Newtonsoft.Json.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\dfu\dfutool.exe (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\pt-BR\ReachFramework.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\libzklibcap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\x86\is-5KKTG.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Forms.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\UIAutomationClient.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\bled112\dfu\x86\is-NEGFN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hans\is-O6TTQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\zkdrv\libusb0.sys (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-1C0V4.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.UnmanagedMemoryStream.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.IO.FileSystem.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FPSensor\support\u.are.u\win64\fr\is-DO8PA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\zkdrv\libusb0_x64.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\PresentationCore.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\PresentationFramework.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\zh-Hant\System.Windows.Forms.Design.resources.dll
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Dropped PE file which has not been started: C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Nn.Rfid.Twn4.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\Microsoft.Win32.Registry.AccessControl.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\PresentationFramework.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Runtime.dll
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Dropped PE file which has not been started: C:\Windows\System32\is-FDOTF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\it\WindowsFormsIntegration.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\System.Windows.Presentation.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.4\es\System.Windows.Forms.Design.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Net.WebProxy.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Web.HttpUtility.dll
Source: C:\Windows\DPDrv\DPInst64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6f710580-cd7c-a041-8cb9-c2dfc257af95}\SETC033.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.4\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpI00701x64.dll (copy)
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Evaded block: after key decision
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe API coverage: 9.0 %
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe API coverage: 9.4 %
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp TID: 2884 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe TID: 760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF02DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00DF0378h 8_2_00DF02DD
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF02DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00DF0371h 8_2_00DF02DD
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B602DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00B60378h 9_2_00B602DD
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B602DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00B60371h 9_2_00B602DD
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00EA02DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00EA0378h 10_2_00EA02DD
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00EA02DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00EA0371h 10_2_00EA02DD
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D102DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D10378h 15_2_00D102DD
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D102DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D10371h 15_2_00D102DD
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100698F __EH_prolog3_GS,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,__EH_prolog3_GS,_invalid_parameter_noinfo_noreturn, 3_2_0100698F
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DB3D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 8_2_00DB3D89
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF488B FindFirstFileW,FindClose, 8_2_00DF488B
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DE7857 FindFirstFileExW, 8_2_00DE7857
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DC9B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 8_2_00DC9B24
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B6488B FindFirstFileW,FindClose, 9_2_00B6488B
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B39B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 9_2_00B39B24
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B23D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 9_2_00B23D89
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B57857 FindFirstFileExW, 9_2_00B57857
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00EA488B FindFirstFileW,FindClose, 10_2_00EA488B
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E79B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 10_2_00E79B24
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E63D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 10_2_00E63D89
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E97857 FindFirstFileExW, 10_2_00E97857
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D1488B FindFirstFileW,FindClose, 15_2_00D1488B
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D07857 FindFirstFileExW, 15_2_00D07857
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CE9B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 15_2_00CE9B24
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CD3D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 15_2_00CD3D89
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00452AD4 FindFirstFileA,GetLastError, 37_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00475798 FindFirstFileA,FindNextFileA,FindClose, 37_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 37_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 37_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose, 37_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 37_2_00498FDC
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF9B11 VirtualQuery,GetSystemInfo, 8_2_00DF9B11
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64 Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532 Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\NULL Jump to behavior
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL Jump to behavior
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3175444140.0000000000874000.00000004.00000020.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000002.3191090059.0000000000874000.00000004.00000020.00020000.00000000.sdmp, 2N Driver for External USB Readers.tmp, 00000002.00000003.2712304320.0000000000871000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: setup.tmp, 00000025.00000003.3058605092.0000000005B8E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\\.\PhysicalDrive%d\\.\IDE21201.VXDERROR: Could not open IDE21201.VXD fileDiskId32\\.\Scsi%d:SCSIDISK%uDrive%dModelNumberDrive%dSerialNumberDrive%dControllerRevisionNumberDrive%dControllerBufferSizeDrive%dTypeRemovableFixedUnknownHardDriveSerialNumberWD-WTAP-WinVirtualVMwareTeamViewer
Source: 2N Driver for External USB Readers.tmp, 00000002.00000003.3177553492.0000000000848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100A1D1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0100A1D1
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_010063B3 __EH_prolog3_GS,LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn, 3_2_010063B3
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DE8581 mov eax, dword ptr fs:[00000030h] 8_2_00DE8581
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DE4503 mov eax, dword ptr fs:[00000030h] 8_2_00DE4503
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B58581 mov eax, dword ptr fs:[00000030h] 9_2_00B58581
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B54503 mov eax, dword ptr fs:[00000030h] 9_2_00B54503
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E98581 mov eax, dword ptr fs:[00000030h] 10_2_00E98581
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E94503 mov eax, dword ptr fs:[00000030h] 10_2_00E94503
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D08581 mov eax, dword ptr fs:[00000030h] 15_2_00D08581
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D04503 mov eax, dword ptr fs:[00000030h] 15_2_00D04503
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DB3ADF GetProcessHeap,RtlFreeHeap,GetLastError, 8_2_00DB3ADF
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100A1D1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0100A1D1
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100A333 SetUnhandledExceptionFilter, 3_2_0100A333
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_01009E98 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_01009E98
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DDE1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00DDE1B8
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DDE684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00DDE684
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DE389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00DE389A
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DDE817 SetUnhandledExceptionFilter, 8_2_00DDE817
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B4E1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00B4E1B8
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B4E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00B4E684
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B5389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00B5389A
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Code function: 9_2_00B4E817 SetUnhandledExceptionFilter, 9_2_00B4E817
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E8E1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00E8E1B8
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E8E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00E8E684
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E9389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00E9389A
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 10_2_00E8E817 SetUnhandledExceptionFilter, 10_2_00E8E817
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CFE1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00CFE1B8
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CFE684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00CFE684
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00D0389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00D0389A
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Code function: 15_2_00CFE817 SetUnhandledExceptionFilter, 15_2_00CFE817
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A8A1F SetUnhandledExceptionFilter, 29_2_004A8A1F
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Code function: 29_2_004A86C7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_004A86C7
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: 37_2_00478DC4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 37_2_00478DC4
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe" Microsoft.WindowsDesktop.App 6.0.4 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe "C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe" /lcid 2057 /passive /norestart Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Process created: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe "C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe" -burn.filehandle.attached=520 -burn.filehandle.self=516 /lcid 2057 /passive /norestart Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Process created: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe "C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe" -q -burn.elevated BurnPipe.{4C86AD50-ECFF-4E0C-8859-69C2F732A1B6} {4190C1E9-DF0B-4777-B67E-25C22799E37B} 6884 Jump to behavior
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Process created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe "C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /passive /norestart /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.4_(x86)_20240426111336.log" /lcid 2057
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Process created: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe "c:\windows\temp\{833d38b6-ef1e-40e4-8c3b-08bef0235559}\.cr\dotnet60desktop.exe" -burn.clean.room="c:\users\user\appdata\local\temp\is-clj4h.tmp\dotnet60desktop.exe" -burn.filehandle.attached=520 -burn.filehandle.self=516 /lcid 2057 /passive /norestart
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Process created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe "c:\programdata\package cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" /passive /norestart /burn.log.append "c:\users\user\appdata\local\temp\microsoft_windows_desktop_runtime_-_6.0.4_(x86)_20240426111336.log" /lcid 2057
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Process created: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe "c:\programdata\package cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" -burn.clean.room="c:\programdata\package cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /passive /norestart /burn.log.append "c:\users\user\appdata\local\temp\microsoft_windows_desktop_runtime_-_6.0.4_(x86)_20240426111336.log" /lcid 2057
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe "c:\windows\temp\{833d38b6-ef1e-40e4-8c3b-08bef0235559}\.cr\dotnet60desktop.exe" -burn.clean.room="c:\users\user\appdata\local\temp\is-clj4h.tmp\dotnet60desktop.exe" -burn.filehandle.attached=520 -burn.filehandle.self=516 /lcid 2057 /passive /norestart Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Process created: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe "c:\windows\temp\{833d38b6-ef1e-40e4-8c3b-08bef0235559}\.cr\dotnet60desktop.exe" -burn.clean.room="c:\users\user\appdata\local\temp\is-clj4h.tmp\dotnet60desktop.exe" -burn.filehandle.attached=520 -burn.filehandle.self=516 /lcid 2057 /passive /norestart Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF1BB9 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 8_2_00DF1BB9
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF3ED2 AllocateAndInitializeSid,CheckTokenMembership, 8_2_00DF3ED2
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_01009FF1 cpuid 3_2_01009FF1
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: GetLocaleInfoA, 36_2_0040520C
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\silk\setup.exe Code function: GetLocaleInfoA, 36_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: GetLocaleInfoA, 37_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-BED4C.tmp\setup.tmp Code function: GetLocaleInfoA, 37_2_004085C4
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{833D38B6-EF1E-40E4-8C3B-08BEF0235559}\.cr\dotnet60desktop.exe Queries volume information: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\Package Cache\{ff0d7b6b-8624-42f0-b961-69e6cbf896c1}\windowsdesktop-runtime-6.0.4-win-x86.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{A287890D-DBAC-4823-84AD-E84F6FE6DAFE}\.ba\bg.png VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe Queries volume information: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dpinst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\twn4\twn4cdc.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{e375881d-67e7-5545-8051-4ea2d8d54c16}\zkfp.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{a8580a04-6b60-8249-86f2-a6693406c210}\dpersona_x64.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DC4F5A ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 8_2_00DC4F5A
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\netcorecheck.exe Code function: 3_2_0100A3FD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_0100A3FD
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DB623E GetUserNameW,GetLastError, 8_2_00DB623E
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DF8C56 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 8_2_00DF8C56
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\dotnet60desktop.exe Code function: 8_2_00DB520D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize, 8_2_00DB520D
Source: C:\Windows\Temp\{CC0C35BE-EF85-42EF-A7AF-66B76F732AF7}\.be\windowsdesktop-runtime-6.0.4-win-x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\HostsHelper.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-H9TV7.tmp\2N Driver for External USB Readers.tmp Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\system32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\2N TELEKOMUNIKACE\2N USB Driver\Usbdrv.exe" "2N USB Driver" DISABLE ALL
Source: C:\Users\user\AppData\Local\Temp\is-CLJ4H.tmp\CertMgr.Exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8C18F347CF57959E4DD189A7D79464ED795064D6 Blob
No contacted IP infos